
09:00 AM
Tony Howlett, CISO at SecureLink
Sponsored Article

Third-Party Remote Access Is Your Network's Weakest Link

Learn how you can keep your company's data safe and what role VPNs, phishing attacks, and privileged credentials play in relation to vendor access management.

Third parties, contractors, and vendors play a dangerous role when it comes to data breaches. These types of breaches can cost your organization millions of dollars and will only continue to become larger and more frequent. In fact, research shows that nearly half of all data breaches involve a third party or vendor. Many organizations are implementing different solutions trying to protect against third-party cyber-risk, but most fall short, aren't efficient, and end up giving third parties too much access. In order to protect your data against the risks that come with third-party access, you should invest in a vendor access management solution.

Hackers often infiltrate companies through third-party access because this can be the weakest link in the network. What makes this even more attractive is that vendors often have access to multiple customer networks so hackers can get a lot of data for the effort of a single hack. Organizations need to be vigilant with the access they give to third parties and watch out for the most common paths hackers take to gain access.

VPNs — Nothing but Access
Virtual private networks (VPNs) are used by nearly every organization, especially as we see an increase in the need for remote access. VPNs are great when providing a connection to internal yet remote employees accessing internal resources, but this is where the functionality of VPNs stops. VPNs provide nothing beyond encrypting data between two points of access.

Organizations need to ensure that all external third parties have secure access to only the networks, systems, and information they need. With a vendor access management solution, users are given access only to resources they need to get their job done while being compliant with necessary regulations and industry requirements. Vendor-specific solutions allow for secure access to only what matters, rather than full access to your entire network.

Phishing Attacks From the Outside
Phishing has become extremely sophisticated and research shows that, on average, 90% of data breaches stem from a phishing attack. Organizations may conduct internal phishing tests to help educate employees on how to outsmart a phishing attack, but this doesn't account for the people you don't directly hire. Your third parties could be untrained and susceptible to a phishing attack that could inadvertently compromise your network, especially if it's through a VPN or another tool that wasn't specifically made for vendor connections. In order to protect against phishing attacks, it's important that all parties involved are educated with regular phishing simulation tests and security awareness training to ensure nothing is compromised.

The Dangers of Ransomware
Ransomware is another common danger that insecure third-party access can bring. The cost of ransomware attacks surpassed $7.5 billion in 2019 with downtime costs increasing 200% year-over-year. Ransomware attacks have caused severe downtime across many industries that provide critical infrastructure.

Beyond being expensive, ransomware attacks can be a danger to public safety, and organizations need to be prepared so that their information security systems are able to handle these attacks. Organizations should implement a well-rounded cybersecurity strategy that can keep track of third-party activity and reveal signs of a breach before it happens.

Privileged Credentials Are a Threat
Credentials are not, and should not be, created equal. Privileged or administrative credentials have access to vastly greater resources than regular users and can unlock further privileges for other employees when necessary. External third parties should almost never be given this level of access. Even though a third-party vendor rep may not have bad intentions, a bad actor can co-opt their machine via phishing or another attack and take advantage of their credentials to gain access into your network and systems. Thus, it's critically important for organizations to oversee and regularly audit all third-party activity.

Organizations need a vendor access management solution in order to control the access a vendor needs in a secure way to avoid any compromises. Credentials being written on a sticky note or, worse, sent via plaintext email to your vendor don't cut it anymore and open up your organization to countless security vulnerabilities. Organizations need to invest in a solution specifically for managing vendors in order to have full visibility into vendor access and have centralized software to manage secure access.

Whether it is an outside vendor or contractor, taking the security of any third party with access to your network credentials seriously is of the utmost importance. Organizations need to think critically about their data governance in a holistic manner and take responsibility for the protection of their data wherever it resides. If a company is not diligent in putting in place solid, ongoing third-party and vendor management programs to secure vendor access, and following them up with good oversight and audit, then the sins of the third party may become the sins of the company.

About the Author
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A. in Management Information Systems. Currently, Tony is the CISO at SecureLink, a vendor privileged access management company based out of Austin, Texas.
