In today’s interconnected business environment, organizations collaborate closely with trusted third parties, whether vendors, service providers, customers, or partners. While this has improved business processes, it has also introduced security vulnerabilities that hostile actors can exploit. To reduce this threat, every organization must understand the risks posed by third-party connections into its own network, and must also examine where it is itself a third party connecting into other, often larger, organizations. Third-party risk management helps identify potential threats proactively, reducing an organization’s exposure and increasing its ability to limit damage.
Target and Beyond
The 2013 Target breach highlighted the serious threat that seemingly innocuous third-party network access can pose to the cybersecurity posture of an organization. In the case of Target, hackers stole the login credentials belonging to a company that provided HVAC services to Target and used that access to gain a foothold on the retailer’s payment systems, compromising approximately 40 million customer credit cards.
The potential risk posed by third parties has garnered significant attention in the wake of the Target breach, and justifiably so, particularly as partnerships and outsourcing are increasingly relied upon to support business operations. The banking sector was quick to recognize the need for improvement in this area. In 2013, the Department of the Treasury’s Office of the Comptroller of the Currency issued guidance on third-party relationships to all national banks, federal savings associations, technology service providers, and other interested parties, directing them to adopt risk management processes commensurate with the level of risk of their third-party relationships. The Federal Deposit Insurance Corp. issued similar guidance regarding third-party risk in its January 2014 Compliance Manual. However, this is just one sector. A recent study revealed that one-third of U.S. retailers that experienced a data breach within the past year were compromised via third-party vendors. There is still much to do across all sectors.
The exploitation of third parties is not the tactic of any one actor or group. The Target breach is just one incident in which third-party access was compromised in pursuit of cybercriminal goals. Other categories of hostile actors have targeted third parties to obtain information about, or access to, their real objectives. For example, teams believed to be sponsored by the Chinese government have conducted cyber espionage operations against law firms in order to gather information on major U.S. companies. One Chinese APT (advanced persistent threat) group has been known to target trusted third-party relationships in order to gain access to its primary target. And in July 2013, the hacktivist group Syrian Electronic Army compromised a third party to facilitate the takeover of the Twitter feed of the Reuters news agency. Despite Reuters’ enhanced security, the SEA was able to redirect visitors to its own content by going through a third-party advertising network instead.
What Can Organizations Do?
At a time when adversaries enjoy a marked operational advantage over network defenders, organizations must look beyond their network perimeters to safeguard the confidentiality, integrity, and availability of their information systems, the information on them, and the access paths into and out of their networks.
The following list, although not exhaustive, describes initiatives that organizations can undertake to minimize the risk of third-party access.
- Continuously Monitor Third-Party Access. Monitoring the activity of third-party users lets organizations inspect content and network traffic for malware, command-and-control activity, and other anomalous behavior.
- Set Strict Permission Levels for Third-Party Users. Not all third parties require the same level of access into the network. Organizations should set strict permissions for each individual third party based on the type of information or service it needs to reach. Scoping access this way also lets an organization sever a given party’s access immediately when needed.
- Establish Security Compliance Standards. Third parties connecting to an organization’s network must adhere to the security policies and guidelines the organization sets forth. Implementing these standards and verifying compliance through frequent oversight will greatly reduce the risk. After the Target breach, a cloud security provider discovered that most of the 55,000 HVAC systems connected to the Internet had flaws that could be exploited. Customers of these HVAC systems and other similarly insecure third parties are invariably at risk if they have not imposed and enforced security standards.
- Implement Multi-Factor Authentication. Passwords remain the first line of defense for many systems. In addition to requiring unique, strong passwords that are changed regularly, implementing multi-factor authentication reduces the risk posed by third parties even when a third party’s credentials have been compromised.
- Evaluate Third Parties. Before entering a formal business relationship, an organization should evaluate the security processes and procedures of prospective third parties to determine the robustness and resiliency of their cybersecurity postures.
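The first two initiatives above, monitoring third-party sessions and scoping each party to only the segments it needs, can be combined into a simple access review. The following is an added example written for this article, not code from the original; the vendor names, host-to-segment map, log format and log lines are all constructed for illustration.

```python
"""Review third-party connection logs against a per-vendor access policy."""
from dataclasses import dataclass

# Constructed policy: each third party may reach only the segments its
# service needs, and every third-party session must satisfy MFA.
VENDOR_POLICY = {
    "hvac-vendor": {"segments": {"building-mgmt"}, "mfa_required": True},
    "pos-maint":   {"segments": {"pos-support"},   "mfa_required": True},
}

# Constructed map of host names to network segments.
HOST_SEGMENT = {
    "hvac-ctrl-01": "building-mgmt",
    "pos-jump-01": "pos-support",
    "pos-svr-07": "payment",
}

@dataclass
class Finding:
    user: str
    host: str
    reason: str

def parse_line(line):
    # Constructed log format: "<timestamp> user=<acct> host=<host> mfa=<yes|no>"
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec

def review(log_lines):
    """Return one Finding per policy violation seen in the log lines."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        user, host = rec["user"], rec["host"]
        policy = VENDOR_POLICY.get(user)
        if policy is None:
            findings.append(Finding(user, host, "unknown third-party account"))
            continue
        segment = HOST_SEGMENT.get(host, "unmapped")
        if segment not in policy["segments"]:
            findings.append(Finding(user, host, f"segment '{segment}' outside approved scope"))
        if policy["mfa_required"] and rec.get("mfa") != "yes":
            findings.append(Finding(user, host, "MFA not satisfied"))
    return findings

def accounts_to_sever(findings):
    """Accounts whose access should be cut immediately: any out-of-scope or unknown use."""
    return sorted({f.user for f in findings if "outside approved scope" in f.reason
                   or f.reason == "unknown third-party account"})

SAMPLE_LOG = [  # constructed sample lines
    "2013-11-15T02:11:09Z user=hvac-vendor host=hvac-ctrl-01 mfa=yes",
    "2013-11-15T02:14:33Z user=hvac-vendor host=pos-svr-07 mfa=no",
    "2013-11-15T09:02:00Z user=pos-maint host=pos-jump-01 mfa=yes",
    "2013-11-15T09:05:12Z user=contractor-x host=pos-svr-07 mfa=yes",
]
```

The second sample line models the pattern the article describes: a building-systems vendor account reaching a payment host, which the review flags for both scope and MFA and queues for immediate revocation.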
It is important to understand that no company, regardless of its size or global footprint, is immune to this risk. A rigorous risk management approach will help organizations understand the potential risks posed by these partners and, in turn, address their own security shortcomings. Third parties need to be held to high standards, particularly if they are accessing sensitive information, services, or operations. Monitoring third-party connections for compliance infractions or indicators of compromise via an endpoint solution is one way to maintain situational awareness over trusted partners. Analyzing traffic in real time makes it possible to detect potentially malicious activity and block it before the session completes.