8/18/2020
02:00 PM
Curtis Simpson
Commentary
Four Ways to Mitigate Supply Chain Security Risks From Ripple20

Enterprises can significantly alleviate current and long-standing third-party risk by using tactical and strategic efforts to assess and manage them.

COVID-19 has exposed new levels of third-party security risk for enterprises. Many companies now use outside service providers to manage essential operations or house sensitive information. Data centers host company data, including the personal information of employees and customers. Corporate administration and other business functions are handled by SaaS platforms. Payment processes are handled by outside providers. These are just a few examples. 

Many third-party service providers have been forced to furlough employees, sell off a division of the company, or shut down operations altogether in the wake of COVID's economic toll. In consequence, their ability to maintain the security of processes and data has been compromised. 

Meanwhile, a widespread set of vulnerabilities named Ripple20 could make enterprises and third-party partners even more exposed. The vulnerable code was built to connect devices to enterprise networks and the Internet and has been found in devices of at least 50 manufacturers. Supply chains that rely on connected devices with extended usage periods of five or more years to support critical operations could be the most impacted. 

Enterprises must be aware of the heightened security risks posed by third parties and take steps to both gain visibility into the problem and address it quickly. 

High Stakes for a Third-Party Breach
The heightened risk to third-party service providers navigating COVID-19 spans multiple areas, and the consequences could be severe. Laid-off or furloughed employees could exfiltrate enterprise documents or emails containing sensitive customer information, such as inappropriately embedded passwords. Employees often send documents to personal email accounts to help them find or succeed in a new job. Even when not done maliciously, these actions leave sensitive information on home networks and personal accounts, which are more easily compromised by bad actors.

Service providers that are forced to close unexpectedly may not take continued precautions to protect customer data or ensure it is securely deleted. Meanwhile, backdoor configurations, accounts, and hardware used by a third party can remain in place even after an enterprise customer ends a contract. If companies cannot identify and monitor these backdoors, or eliminate them when a contract has ended, they risk exploitation by bad actors.

Enterprises must take a proactive approach to assess and respond to these threats. There are four important steps that security leaders can take. 

Identify the Most Critical or At-Risk Vendors
An important first step is to create a shortlist of which third-party providers have the greatest impact on a business or could be most at risk, and then validate them before other partners. For example, if a third party was experiencing financial challenges prior to this crisis or has access to either sensitive data or critical assets, it should be considered high risk. This list will help focus mitigation efforts going forward.

Take Action Quickly Where Possible
There are a few immediate steps enterprises can take while they plan and budget for larger risk reduction opportunities. For example, have a plan in place for how and when a service provider will notify the enterprise when a staff member leaves the company or changes their position. Gain a clear understanding of how these notifications are received and processed. Optimize this process to ensure that when a user leaves the company, the enterprise will be notified quickly and their account will be eliminated immediately. 

Another quick step is to enforce the use of multi-factor authentication for all third parties connecting to enterprise networks, apps, and services. From there, monitor authentication services and pull the corresponding logs into a SIEM or comparable solution. Look for instances where users attempt to perform actions or access assets for the first time. Monitor user accounts that are accessed from multiple geographies, or from assets that have not previously been used to access those accounts.
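As an added illustration of the two detections described above (first-time access to an asset by a third-party account, and one account used from multiple geographies), the following Python runs them over a constructed batch of authentication events. The log format, field names and the baseline of known (user, asset) pairs are assumptions for this example; this is not code from the article or from any product it mentions.

```python
import json
from collections import defaultdict

# Constructed sample of authentication events as a third-party SSO or VPN
# gateway might export them to a SIEM (not real data; field names assumed).
SAMPLE_LOG = """
{"ts": "2020-08-18T09:01:00Z", "user": "vendor-a-svc", "asset": "erp-app", "geo": "US", "result": "success"}
{"ts": "2020-08-18T09:05:00Z", "user": "vendor-a-svc", "asset": "erp-app", "geo": "US", "result": "success"}
{"ts": "2020-08-18T09:40:00Z", "user": "vendor-a-svc", "asset": "hr-portal", "geo": "US", "result": "success"}
{"ts": "2020-08-18T10:02:00Z", "user": "vendor-b-jdoe", "asset": "jump-host", "geo": "DE", "result": "success"}
{"ts": "2020-08-18T10:15:00Z", "user": "vendor-b-jdoe", "asset": "jump-host", "geo": "BR", "result": "success"}
{"ts": "2020-08-18T10:20:00Z", "user": "vendor-c-ops", "asset": "hvac-ctl", "geo": "US", "result": "failure"}
"""


def parse_events(text):
    """Parse one JSON object per line into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def analyze(events, baseline=None):
    """Return alerts as (rule, user, detail) tuples.

    baseline: (user, asset) pairs already known from history. Pairs learned
    while scanning are added so a repeat inside the same batch does not
    alert twice. The batch is the time window for the multi-geography rule.
    """
    known = set(baseline or ())
    geos = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts are tracked elsewhere; these rules need successes
        pair = (ev["user"], ev["asset"])
        if pair not in known:
            known.add(pair)
            alerts.append(("first_asset_access", ev["user"], ev["asset"]))
        geos[ev["user"]].add(ev["geo"])
    for user, countries in sorted(geos.items()):
        if len(countries) > 1:
            alerts.append(("multi_geo", user, ",".join(sorted(countries))))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_events(SAMPLE_LOG), baseline={("vendor-a-svc", "erp-app")}):
        print(alert)
```

With the baseline above, the run flags vendor-a-svc reaching hr-portal for the first time, vendor-b-jdoe reaching jump-host for the first time, and vendor-b-jdoe authenticating from both DE and BR in the same window.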

Finally, safeguard the privileged permissions used by third parties (through both interactive and service accounts) using a privileged access management solution, also protected by multi-factor authentication.

Gain Visibility Into All Network Devices
Connected devices like printers, HVAC controllers, manufacturing equipment, or industrial refrigerators are essential to business operations and are often introduced or managed by third parties. These devices are difficult to track or monitor, making it hard to identify when a device has been compromised or is being misused. Enterprises must continually identify, profile, and assess the vulnerability of every device connected to their networks. 

The newly discovered Ripple20 vulnerabilities make this need more urgent than ever. Essential devices that are used in data centers, manufacturing, and other third-party environments are among the millions impacted. The flawed code was deployed so widely by vendors and manufacturers that many companies may not be aware they're exposed. This makes continuous visibility and risk assessment an imperative.

Implement Secure Access Broker Technology
Secure, transparent, and enforceable remote access for third parties is important for mitigating these risks. Enterprises should consider choosing a secure access broker over a VPN.

Many third parties connect to enterprise networks through dedicated VPN connections or user-specific VPN connections to what are often highly flat networks. This means that gaining access to the third-party environment and its customer credentials could provide widespread access to other assets in the enterprise environment.

By comparison, access brokers exist between a remote user and enterprise services, apps, and servers. Users never connect to the enterprise network but rather to the hardened broker, which interacts with the enterprise apps, services, and systems on the user's behalf through a secure channel. Brokers can provide visibility into all remote access and can contain any suspicious or malicious behavior. 

Now is the time to focus attention and resources on developing short- and long-term plans to mitigate third-party risk. As with most enterprise risks, the cost, effort, and impact of managing the risk proactively will typically pale in comparison to responding to an attack carried out through third-party privileged accounts or devices. By using both tactical and strategic efforts to assess and manage these vulnerabilities, enterprises can significantly alleviate both current and long-standing third-party risk.

As the CISO at Armis, Curtis Simpson is responsible for ensuring that the Armis product continues to maintain its high standard and vigilant focus on platform and customer security and privacy. Prior to Armis, he was the CISO at Sysco, a Fortune 54 corporation. ... View Full Bio