The rise of breaches caused by third-party vendors reached an all-time high in 2018. This has driven organizations to take a much closer look at supplier and contractor security controls, as well as risk exposure throughout the delivery supply chain.

According to a survey conducted last year by the Ponemon Institute, the average organization has 583 third-party vendors with access to sensitive data within their network. This level of interconnection resulted in 59 percent of organizations having experienced a breach caused by one of their vendors. Another 22 percent admitted that they couldn’t say for sure whether such a breach had occurred or not. Despite increased efforts to protect their kingdoms, there are too many unintended pathways being made available for attackers to exploit.

The Rise of Third-Party Attacks

Cybercriminals are crafty. They understand that while many companies
have taken steps to better secure data within their own networks by bolstering their
cybersecurity teams and adding new tools to their security stack, the same is
not necessarily true of their vendors. Many attackers are actively seeking ways
to circumvent these added corporate security measures by attacking them through
outside parties. Anyone with physical or virtual access to IT systems, software
code, company credentials, customer data, or other sensitive information
presents a risk. To a potential intruder, this presents new opportunities to
exploit, and may often be the path of least resistance.

Relatively few organizations truly understand the degree of risk they are exposed to. The same Ponemon survey revealed that just 34 percent of organizations keep a comprehensive inventory of vendors. Additionally, only 37 percent believe they have the resources necessary to effectively manage those outside relationships, and only 35 percent rate their third-party risk management capabilities as “highly effective.” Less than half felt their safeguards were even capable of preventing a vendor-driven breach.

This is a complex situation that has to balance the trade-offs for access versus the needs of security. Too often these decisions are made with a well-intended security framework, but without the checks and balances to continually assess compliance and reliability of controls. Too few organizations have put in minimum compliance requirements, and even fewer have the infrastructure in place to monitor whether standards are being met or if everything is working as it should.

Addressing Third-Party Threats

There are simple, foundational steps that organizations can take to reduce the threat posed by third parties to secure their supply chain.

The first involves properly vetting and setting security
standards for the vendors that organizations plan to work with. For many
companies, this will start with improving their partner management tracking, policies,
and contracts. Organizations can start by implementing practices such as effectively
cataloging what vendors they are working with, what their roles are, and what
information they have access to. With just 37 percent of organizations
reporting that they are capable of effectively managing those relationships,
the policies put in place must also be ones that can be maintained with
available resources.

These threats can come in both expected and unexpected
forms. One may not expect the delivery person, the cleaner, or a plant watering
service to be an imminent threat. But what if they installed an access point
behind a filing cabinet, collected passwords that were written down, or simply
had their organization spoofed to get confidential details through phishing?
What if they simply shared access without thinking through the consequences?

When organizations allow a third-party vendor to have access
to their networks or facilities, security teams should assess whether the
external vendor meets acceptable security standards. For example, understanding
what cybersecurity measures they employ and how many individuals will have
access to the information will mitigate the risk of a compromise. Expectations
on password and access sharing will also be critical. A policy alone is not
enough, and requires management of vendor certification and the ongoing testing
of compliance against those certifications.

Finally, it is important to have a safety net with strong
in-network detection capabilities that will issue alerts for policy violations,
misconfigurations, or credential exposures that create risk. Determined
attackers will actively seek out third-party vendors if this provides easier
access. Security scenarios should include detecting early reconnaissance,
detonation of malware, credential harvesting, and the use of legitimate
credentials in illegitimate ways.

Threat deception in particular has proven to be an
invaluable resource for accurately detecting and responding to threats early in
the attack lifecycle. Deception technology utilizes decoys that mirror-match
production assets and lures that are designed to entice intruders into engaging,
drawing them away from company assets. This is extremely effective for picking
up policy violations committed by an individual scanning a network,
unauthorized access or use of company resources, and any use of legitimate
credentials being used to access decoy application or database servers.

There are also extensive deceptions available for cloud
environments that give “tornado alerts” when they detect the exploitation of a
variety of cloud functions. Organizations will also benefit from deception’s
ability to gather critical intelligence that records where the attack started,
the attacker’s tools, techniques, methods, and intent. This will aid in
enforcing policies and in proving when they are violated. It is also a very
effective method for mitigating risk during an M&A.

In addition to supplier risk, one must also factor in
compromises in the supply chain. This can happen at the factory, in transit, or
during the deployment process. It is important to put in safety controls
regardless of whether these systems are Internet connected. The wily attacker
may find it advantageous to make their mark in non-traditional ways knowing
that once they have gained network access, many organizations lack the controls
to detect this type of intrusion for extended periods of time.

A Comprehensive Approach to Supplier and Supply Chain Security

The prospect of using a third-party vendor to penetrate
network defenses can be made substantially less inviting to attackers when they
are faced with stringent compliance levels along with layered security models
designed to detect unauthorized access quickly. Ultimately, making the attack
harder and the economics less desirable will serve as a strong deterrent for
many attackers.

When it comes to securing third-party relationships, there
is no magic bullet—but by adhering to the steps outlined here, security teams can
dramatically reduce their risk and improve their ability to prevent and detect potential
attacks. Vetting, setting, and maintaining security standards for outside vendors
when combined with effective in-network detection controls will improve an
organization’s resiliency against the myriad of supplier and supply chain-based
attacks that lie in wait for them.

Carolyn Crandall, Chief Deception Officer for Attivo Networks
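The in-network deception detections the article describes (a credential presented to a decoy server, a planted credential turning up in use, and one source sweeping several decoys) can be expressed as a small detector over authentication logs. The following is an added example, not code from the article or from Attivo Networks; the decoy addresses, the honeytoken account, the log format and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed decoy inventory (hypothetical addresses): decoys have no business function,
# so any authentication against them is a policy violation by definition.
DECOY_HOSTS = {"10.0.5.21": "decoy-db-01", "10.0.5.22": "decoy-app-01", "10.0.5.23": "decoy-file-01"}
# Constructed honeytoken account: a planted credential that no legitimate process ever uses.
HONEYTOKEN_USERS = {"svc_backup_ro"}
# Constructed log format: "<iso-timestamp> auth src=<ip> dst=<ip> user=<name> result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_event(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skipped rather than guessed at
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_deception_events(lines, scan_threshold=3, window=timedelta(minutes=5)):
    """Return alerts for honeytoken use, any decoy access, and decoy scanning."""
    alerts, flagged = [], set()
    touches = defaultdict(list)  # src -> [(ts, decoy)] seen within the sliding window
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["user"] in HONEYTOKEN_USERS:  # a planted credential surfaced: it was harvested
            alerts.append({"type": "honeytoken_use", "src": ev["src"], "user": ev["user"], "dst": ev["dst"]})
        decoy = DECOY_HOSTS.get(ev["dst"])
        if decoy is None:
            continue  # production host: ordinary auth monitoring applies, not deception
        # Valid or failed, any credential presented to a decoy is unauthorized use of resources.
        alerts.append({"type": "decoy_access", "src": ev["src"], "user": ev["user"], "dst": decoy, "result": ev["result"]})
        recent = [(t, d) for t, d in touches[ev["src"]] if ev["ts"] - t <= window]
        recent.append((ev["ts"], decoy))
        touches[ev["src"]] = recent
        hosts = sorted({d for _, d in recent})
        if len(hosts) >= scan_threshold and ev["src"] not in flagged:  # one source sweeping decoys
            flagged.add(ev["src"])
            alerts.append({"type": "decoy_scan", "src": ev["src"], "hosts": hosts})
    return alerts

# Constructed sample: a vendor account sweeps three decoys, then a planted credential
# shows up against a production host from the same source.
SAMPLE_LOG = """2019-03-04T09:00:01 auth src=10.0.8.40 dst=10.0.1.10 user=alice result=ok
2019-03-04T09:01:12 auth src=10.0.9.77 dst=10.0.5.21 user=vendor_hvac_svc result=ok
2019-03-04T09:01:30 auth src=10.0.9.77 dst=10.0.5.22 user=vendor_hvac_svc result=fail
2019-03-04T09:02:05 auth src=10.0.9.77 dst=10.0.5.23 user=vendor_hvac_svc result=fail
2019-03-04T09:03:40 auth src=10.0.9.77 dst=10.0.1.10 user=svc_backup_ro result=ok"""
```

Running `detect_deception_events(SAMPLE_LOG.splitlines())` yields three decoy-access alerts, one decoy-scan alert naming all three decoys, and one honeytoken alert; the ordinary login on the first line produces nothing.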