The rise of breaches caused by third-party vendors reached an all-time high in 2018. This has driven organizations to take a much closer look at supplier and contractor security controls, as well as risk exposure throughout the delivery supply chain.
According to a survey conducted last year by the Ponemon Institute, the average organization has 583 third-party vendors with access to sensitive data within their network. This level of interconnection resulted in 59 percent of organizations having experienced a breach caused by one of their vendors. Another 22 percent admitted that they couldn’t say for sure whether such a breach had occurred or not. Despite increased efforts to protect their kingdoms, there are too many unintended pathways being made available for attackers to exploit.
The Rise of Third-Party Attacks
Cybercriminals are crafty. They understand that while many companies have taken steps to better secure data within their own networks by bolstering their cybersecurity teams and adding new tools to their security stack, the same is not necessarily true of their vendors. Many attackers are actively seeking ways to circumvent these added corporate security measures by attacking them through outside parties. Anyone with physical or virtual access to IT systems, software code, company credentials, customer data, or other sensitive information presents a risk. To a potential intruder, this presents new opportunities to exploit, and may often be the path of least resistance.
Relatively few organizations truly understand the degree of risk they are exposed to. The same Ponemon survey revealed that just 34 percent of organizations keep a comprehensive inventory of vendors. Additionally, only 37 percent believe they have the resources necessary to effectively manage those outside relationships, and only 35 percent rate their third-party risk management capabilities as “highly effective.” Less than half felt their safeguards were even capable of preventing a vendor-driven breach.
This is a complex situation that has to balance the trade-offs for access versus the needs of security. Too often these decisions are made with a well-intended security framework, but without the checks and balances to continually assess compliance and reliability of controls. Too few organizations have put in minimum compliance requirements, and even fewer have the infrastructure in place to monitor whether standards are being met or if everything is working as it should.
Addressing Third-Party Threats
There are simple, foundational steps that organizations can take to reduce the threat posed by third parties to secure their supply chain.
The first involves properly vetting and setting security standards for the vendors that organizations plan to work with. For many companies, this will start with improving their partner management tracking, policies, and contracts. Organizations can start by implementing practices such as effectively cataloging what vendors they are working with, what their roles are, and what information they have access to. With just 37 percent of organizations reporting that they are capable of effectively managing those relationships, the policies put in place must also be ones that can be maintained with available resources.
These threats can come in both expected and unexpected forms. One may not expect the delivery person, the cleaner, or a plant watering service to be an imminent threat. But what if they installed an access point behind a filing cabinet, collected passwords that were written down, or simply had their organization spoofed to get confidential details through phishing? What if they simply shared access without thinking through the consequences?
When organizations allow a third-party vendor to have access to their networks or facilities, security teams should assess whether the external vendor meets acceptable security standards. For example, understanding what cybersecurity measures they employ and how many individuals will have access to the information will mitigate the risk of a compromise. Expectations on password and access sharing will also be critical. A policy alone is not enough, and requires management of vendor certification and the ongoing testing of compliance against those certifications.
Finally, it is important to have a safety net with strong in-network detection capabilities that will issue alerts for policy violations, misconfigurations, or credential exposures that create risk. Determined attackers will actively seek out third-party vendors if this provides easier access. Security scenarios should include detecting early reconnaissance, detonation of malware, credential harvesting, and the use of legitimate credentials in illegitimate ways.
Threat deception in particular has proven to be an invaluable resource for accurately detecting and responding to threats early in the attack lifecycle. Deception technology utilizes decoys that mirror-match production assets and lures that are designed to entice intruders into engaging, drawing them away from company assets. This is extremely effective for picking up policy violations committed by an individual scanning a network, unauthorized access or use of company resources, and any use of legitimate credentials being used to access decoy application or database servers.
There are also extensive deceptions available for cloud environments that give “tornado alerts” when they detect the exploitation of a variety of cloud functions. Organizations will also benefit from deception’s ability to gather critical intelligence that records where the attack started, the attacker’s tools, techniques, methods, and intent. This will aid in enforcing policies and in proving when they are violated. It is also a very effective method for mitigating risk during an M&A.
In addition to supplier risk, one must also factor in compromises in the supply chain. This can happen at the factory, in transit, or during the deployment process. It is important to put in safety controls regardless of whether these systems are Internet connected. The wily attacker may find it advantageous to make their mark in non-traditional ways knowing that once they have gained network access, many organizations lack the controls to detect this type of intrusion for extended periods of time.
A Comprehensive Approach to Supplier and Supply Chain Security
The prospect of using a third-party vendor to penetrate network defenses can be made substantially less inviting to attackers when they are faced with stringent compliance levels along with layered security models designed to detect unauthorized access quickly. Ultimately, making the attack harder and the economics less desirable will serve as a strong deterrent for many attackers.
When it comes to securing third-party relationships, there is no magic bullet—but by adhering to the steps outlined here, security teams can dramatically reduce their risk and improve their ability to prevent and detect potential attacks. Vetting, setting, and maintaining security standards for outside vendors when combined with effective in-network detection controls will improve an organization’s resiliency against the myriad of supplier and supply chain-based attacks that lie in wait for them.
Carolyn Crandall, Chief Deception Officer for Attivo Networks
