COVID-19 has exposed new levels of third-party security risk for enterprises. Many companies now use outside service providers to manage essential operations or house sensitive information. Data centers host company data, including the personal information of employees and customers. Corporate administration and other business functions are handled by SaaS platforms. Payment processes are handled by outside providers. These are just a few examples.
Many third-party service providers have been forced to furlough employees, sell off a division of the company, or shut down operations altogether in the wake of COVID's economic toll. In consequence, their ability to maintain the security of processes and data has been compromised.
Meanwhile, a widespread set of vulnerabilities named Ripple20 could make enterprises and third-party partners even more exposed. The vulnerable code was built to connect devices to enterprise networks and the Internet and has been found in devices of at least 50 manufacturers. Supply chains that rely on connected devices with extended usage periods of five or more years to support critical operations could be the most impacted.
Enterprises must be aware of the heightened security risks posed by third parties and take steps to both gain visibility into the problem and address it quickly.
High Stakes for a Third-Party Breach
The heightened risk to third-party service providers navigating COVID-19 spans multiple areas, and the consequences could be severe. Laid off or furloughed employees could exfiltrate enterprise documents or emails with sensitive customer information such as inappropriately embedded passwords. Employees often send documents to personal emails to help them find or succeed in a new job. Even when not done maliciously, these actions leave sensitive information on home networks and personal accounts, which are more easily compromised by bad actors.
Service providers that are forced to close unexpectedly may not take continued precautions to protect customer data or ensure it is securely deleted. Meanwhile, backdoor configurations, accounts, and hardware used by a third party can remain in place even after an enterprise customer ends a contract. If companies cannot identify and monitor these backdoors, or eliminate them when a contract has ended, they risk exploitation by bad actors.
Enterprises must take a proactive approach to assess and respond to these threats. There are four important steps that security leaders can take.
Identify the Most Critical or At-Risk Vendors
An important first step is to create a shortlist of which third-party providers have the greatest impact on a business or could be most at risk, and then validate them before other partners. For example, if a third party was experiencing financial challenges prior to this crisis or has access to either sensitive data or critical assets, it should be considered high risk. This list will help focus mitigation efforts going forward.
Take Action Quickly Where Possible
There are a few immediate steps enterprises can take while they plan and budget for larger risk reduction opportunities. For example, have a plan in place for how and when a service provider will notify the enterprise when a staff member leaves the company or changes their position. Gain a clear understanding of how these notifications are received and processed. Optimize this process to ensure that when a user leaves the company, the enterprise will be notified quickly and their account will be eliminated immediately.
Another quick step is to enforce the use of multi-factor authentication for all third parties connecting to enterprise networks, apps, and services. From there, monitor authentication services and pull corresponding logs into a SIEM or comparable solution. Look for instances where users attempt to perform actions or access assets for the first time. Monitor user accounts that are being accessed by multiple geographies, or assets that have not been previously used to access the accounts.
Finally, safeguard the privileged permissions used by third parties (through both interactive and service accounts) using a privileged access management solution, also protected by multi-factor authentication.
Gain Visibility Into All Network Devices
Connected devices like printers, HVAC controllers, manufacturing equipment, or industrial refrigerators are essential to business operations and are often introduced or managed by third parties. These devices are difficult to track or monitor, making it hard to identify when a device has been compromised or is being misused. Enterprises must continually identify, profile, and assess the vulnerability of every device connected to its network.
The newly discovered Ripple20 vulnerabilities make this need more urgent than ever. Essential devices that are used in data centers, manufacturing, and other third-party environments are among the millions impacted. The flawed code was deployed so widely by vendors and manufacturers that many companies may not be aware they're exposed. This makes continuous visibility and risk assessment an imperative.
Implement Secure Access Broker Technology
Secure, transparent, and enforceable remote access for third parties is important for mitigating these risks. Enterprises should consider choosing a secure access broker over a VPN.
Many third parties connect to enterprise networks through dedicated VPN connections or user-specific VPN connections to what are often highly flat networks. This means that gaining access to the third party environment and customer credentials could provide widespread access to other assets in the environment.
By comparison, access brokers exist between a remote user and enterprise services, apps, and servers. Users never connect to the enterprise network but rather to the hardened broker, which interacts with the enterprise apps, services, and systems on the user's behalf through a secure channel. Brokers can provide visibility into all remote access and can contain any suspicious or malicious behavior.
Now is the time to focus attention and resources on developing short and long-term plans to mitigate third-party risk. As with most enterprise risks, the cost, effort, and impact associated with managing the risk proactively will typically pale in comparison to responding to an attack that occurred through the use of third-party privileged accounts or devices. By using both tactical and strategic efforts to assess and manage these vulnerabilities, enterprises can significantly alleviate both current and long-standing third-party risk.As the CISO at Armis, Curtis Simpson is responsible for ensuring that the Armis product continues to maintain its high standard and vigilant focus on platform and customer security and privacy. Prior to Armis, he was the CISO at Sysco, a Fortune 54 corporation. ... View Full Bio