In 2018, over eleven significant breaches were caused by exploitation of third-party vendors. And, third-party breaches (Target, Saks 5th Avenue, Universal Music Group, Applebee’s, etc.) rank amongst the costliest and most damaging of all security incidents.
While IT administrators, insiders, and third-party vendors need privileged access to do their jobs effectively, this shouldn’t mean relinquishing control of your IT environment to them. Organizations allow third parties access to their networks for them to change or otherwise impact the operational service of these organizations. This privileged access needs to be protected to the same (or higher) extent as your organization’s internal privileged users. Failing to do so leaves your organization with a very weak link in its security, which can easily be exploited by cyberattackers.
The challenge is that your organization uses IT products and software from a variety of vendors to enhance your core business, and this places demands on you to have secured remote access for those vendors so they can provide maintenance for and troubleshooting of those products.
So, you are stuck with the dilemma of how to provide the needed access while also guarding your organization against malware and bad actors entering through third-party connections. Cyber threat actors will take advantage of any weak points they can find in your infrastructure to discover and exploit your critical information assets.
Attackers continually exploit traditional remote access pathways, and securing this access is a uniquely tricky challenge. Your third-party users might not employ the same level of security protocols you do. Their password policy may not be as strong, and they might even share a single set of credentials among numerous people. Even if they do use the proper security protocols, traditional remote connectivity methods (e.g. VPNs) are easily compromised through pilfered user credentials and session hijacking.
As I noted earlier, some of the most devastating breaches in the past few years have been directly attributed to third-party security weaknesses. Hackers have even stated that they specifically target vendors. A recent study found that 63 percent of data breaches were linked to a third-party vendor that was responsible for system support, development, and/or maintenance.
8 Steps to Reduce Remote Access Security Risks
With all of the above in mind, I want to provide some tips on how you can gain some semblance of control over third-party vendor network connections and tighten your remote access security.
Step 1 - Monitoring Third-Party Vendor Connections is Key
First, it is essential that you monitor the activity of your third-party vendors. You want to monitor and investigate third-party activities to enforce established policies for system access. Your intent is to capture basic activity to determine if a policy violation was a simple mistake or an indication of malicious behavior. You should conduct session recordings to provide complete information about a given session and examine the session for known policy violations or problems. And finally, you should correlate information to review all the data from a single point of view to spot trends and patterns that are out of the ordinary.
Here are some steps to take for monitoring:
- Perform an inventory of your third-party vendor connections to help you determine where these connections come from, what they are connected to, and who has access to what
- Analyze your firewall rules to look for rules allowing inbound connections that you are not aware of
- Run vulnerability scans on your external-facing hosts to look for services that are listening for inbound connections
- Make sure your enterprise password security policies apply to accounts on inbound network connections
- Establish security standards specifically to deal with third-party issues, and enforce them using technical controls
- Monitor for any security gaps and then mitigate them
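The inventory and firewall-rule review above can be turned into a repeatable check. The following is an added example (not part of the original post or any vendor product): it reconciles a constructed set of inbound allow rules against a constructed inventory of approved vendor connections and flags every allow rule that no known vendor owns, including rules broader than the grant that supposedly justifies them.

```python
"""Reconcile inbound firewall allow rules against the approved vendor-access inventory.
Added example; the rule and inventory formats are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source CIDR the rule permits
    dst: str       # destination host
    port: int
    action: str    # "allow" or "deny"


@dataclass(frozen=True)
class VendorGrant:
    vendor: str
    src: str       # CIDR the vendor is contractually expected to connect from
    dst: str
    port: int


# Constructed sample inbound rule set (not exported from a real firewall)
RULES = [
    Rule("hvac-maint", "203.0.113.0/24", "10.0.5.10", 22, "allow"),
    Rule("pos-support", "198.51.100.7/32", "10.0.8.20", 3389, "allow"),
    Rule("legacy-rdp", "0.0.0.0/0", "10.0.8.21", 3389, "allow"),  # nobody owns this one
    Rule("block-all", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]

# Constructed inventory of the vendor connections the organisation knows about
INVENTORY = [
    VendorGrant("HVAC Co", "203.0.113.0/24", "10.0.5.10", 22),
    VendorGrant("POS Vendor", "198.51.100.0/24", "10.0.8.20", 3389),
]


def covered_by(rule: Rule, grant: VendorGrant) -> bool:
    """A rule is accounted for only when host and port match exactly and the rule's
    source range lies within the grant's range; a rule wider than its grant is not."""
    return (rule.dst == grant.dst and rule.port == grant.port
            and ip_network(rule.src).subnet_of(ip_network(grant.src)))


def unaccounted_inbound(rules, inventory):
    """Names of allow rules with no matching vendor grant: review or remove them."""
    return [r.name for r in rules
            if r.action == "allow" and not any(covered_by(r, g) for g in inventory)]


if __name__ == "__main__":
    for name in unaccounted_inbound(RULES, INVENTORY):
        print(f"review: inbound allow rule '{name}' has no owner in the vendor inventory")
```

Run against a real export, the same logic also surfaces grants in the inventory that no rule implements, which usually means the inventory is stale.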
Through diligent monitoring, prudent planning, and follow-through, you can do a better job of containing third-party risks.
Step 2 - Implement Internal Safeguards and Multiple Layers of Protection
The best way to protect your organization from security threats arising from third-party vendors is to enact a multi-layered defense strategy that covers your entire enterprise: all endpoints, all mobile devices, all applications, and all data. Apply encryption, multi-factor authentication, and a comprehensive data security policy, amongst other measures.
Step 3 - Teach Prevention
Teaching your organization and your customers and vendors about prevention is essential. Educate across the enterprise and continually reinforce the reality that the risks are real.
Step 4 - Conduct Third-Party Vendor Assessments
The reality is that even your most trusted business partners can pose a security threat if they don’t enforce best practices. Regularly review the use of credentials with your third parties, understand who is using them, and limit temporary access, as it potentially opens the door to increased vulnerability.
Also continuously assess the vendor’s security standards and best practices to make sure they meet those of your organization and require them to perform up-to-date patching and vulnerability scanning. Trust, but verify that their contractual obligations are being followed to the letter.
Step 5 - Have a Service-Level Agreement
Create a service-level agreement (SLA) with third-party vendors that mandates that the vendors comply with your company’s security policies.
Step 6 - Authenticate User Behavior
Vendor and partner credentials are often very weak and susceptible to inadvertent disclosure. Therefore, the best way to protect credentials is to proactively manage and control them. You do this by eliminating shared accounts, enforcing a formal onboarding process, and using background checks to identity-proof the third-party individuals accessing your systems.
Step 7 - Separate Authentication from Access Control
Most of your vendors only need access to very specific systems, so to better protect your organization, limit access using physical or logical network segmentation and channel access through known pathways by leveraging a privileged access management solution to restrict unapproved protocols and direct approved sessions to a predefined route.
Step 8 - Prevent Unauthorized Commands and Mistakes
Using a privileged access management solution, enable fine-grained permission controls and enforce the principle of least privilege (PoLP). One step you want to take is to broker permissions to the various target systems through different accounts, each with a different level of permission. You should also limit the commands a specific user can run via blacklists and whitelists, which provides a high degree of control and flexibility.
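To make the two ideas in this step concrete (brokering onto different accounts per target, and an allowlist/denylist on commands), here is an added example that is not from the original post or any PAM product. The policy table, vendor names, hostnames and account names are all constructed; the caller is assumed to exec the returned argv directly without a shell so that metacharacters cannot chain a second command.

```python
"""Per-account command control for brokered vendor sessions.
Added example with constructed policy data; not a real PAM product's API."""
import shlex
from dataclasses import dataclass, field


@dataclass
class AccountPolicy:
    account: str                                    # local account the session is brokered onto
    allowed: set = field(default_factory=set)       # commands (argv[0]) this account may run
    denied_args: set = field(default_factory=set)   # arguments refused regardless of command


# Constructed policy: the same vendor lands on a different account per target,
# with a read-only tier on bms-01 and an administrative tier on bms-02.
POLICY = {
    ("hvac-vendor", "bms-01"): AccountPolicy(
        "svc_hvac_ro", {"systemctl", "journalctl", "cat"}, {"restart", "stop", "/etc/shadow"}),
    ("hvac-vendor", "bms-02"): AccountPolicy(
        "svc_hvac_admin", {"systemctl", "journalctl", "cat", "apt-get"}, {"/etc/shadow"}),
}


def evaluate(vendor, target, command_line):
    """Return (decision, reason, argv). Unknown vendor/target pairs are refused outright,
    so a vendor cannot reach a system nobody brokered them onto."""
    policy = POLICY.get((vendor, target))
    if policy is None:
        return "deny", "no brokered account for this vendor/target", []
    try:
        argv = shlex.split(command_line)
    except ValueError as err:
        return "deny", f"unparseable command: {err}", []
    if not argv:
        return "deny", "empty command", []
    if any(tok in policy.denied_args for tok in argv):
        return "deny", "argument on the denylist", []
    if argv[0] not in policy.allowed:
        return "deny", f"'{argv[0]}' not on allowlist for {policy.account}", []
    return "allow", f"run as {policy.account}", argv


if __name__ == "__main__":
    for req in [("hvac-vendor", "bms-01", "systemctl status bms"),
                ("hvac-vendor", "bms-01", "systemctl restart bms"),
                ("hvac-vendor", "bms-02", "apt-get install bms-agent"),
                ("pos-vendor", "bms-01", "cat /var/log/syslog")]:
        decision, reason, _ = evaluate(*req)
        print(f"{req[0]}@{req[1]}: {req[2]!r} -> {decision} ({reason})")
```

Every decision, including denials, should be written to the session record so that policy violations can be reviewed alongside the recording described in Step 1.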
Closing Thoughts on Better Vendor Access Risk Management
The risk of security and data breaches caused by third-party vendors is just far too great for you to ignore. This 8-step list is just a starting point—it’s up to you to holistically address security vulnerabilities that may arise from your vendor relationships as a key part of your IT risk management policies.
For a deeper dive into improving remote access security and dialing in privileged access, check out my recent on-demand webinar: How to Securely Control Access for Your Vendors & Protect Privileged Accounts.
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert in cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.