Martin Cannard, BeyondTrust product manager, recently posted about third-party access. I’d like to expand on that topic a bit.
Third-party systems, applications and network connections remain a persistent problem for security professionals. In the last several years, we have seen numerous high-profile breaches tied to third-party access. In late 2013, the retailer Target experienced a significant breach that was later traced to a connected HVAC vendor. Home Depot, another large retailer, also stated that its 2014 payment card breach began with credentials stolen from a third-party vendor it worked with. In 2015, the US Office of Personnel Management (OPM) disclosed a significant breach of sensitive data that originated with credentials stolen from one of its background check providers, KeyPoint Government Solutions.
These types of breaches continue today. Also in late 2015, California State University had the personal data of almost 80,000 students exposed through a breach at a third party. Restaurant chain Jimmy John’s had payment card data captured from 216 stores through a breach at its Point-of-Sale (PoS) software vendor. In April 2017, Scottrade Bank acknowledged that a Microsoft SQL Server managed by a third-party vendor had exposed the data of at least 20,000 customers, including plaintext passwords and personal information. In May 2017, Gmail users were targeted by a sophisticated phishing campaign that sought access to accounts through a malicious third-party app, which may have affected up to one million users. The Bronx Lebanon Hospital Center exposed thousands of HIPAA-protected medical records through a misconfigured third-party server in the same month.
How big of a problem is this? According to a Soha Systems (now Akamai) survey on third-party risk management, 63% of all data breaches are linked in some way to third parties. It’s time we do a better job of securing our networks and assets from organizations that, while trusted to some extent, still represent a significant risk to us simply by virtue of being connected. First, we need to segment networks and the connection points used by third parties far more carefully, to limit both attacker ingress and lateral movement. Some remote access arrangements for “trusted” associates grant almost total access to systems once the connection has been authenticated. Every third party should instead be granted access only to the assets it actually needs, following a classic “need to know” philosophy: deny by default, and allow only the specific hosts, protocols and ports the vendor’s work requires. Network segments (VLANs or subnets) should be set up based on data types and access models, with controls like firewalls and intrusion detection governing all the traffic into and out of each segment, so that an HVAC contractor’s connection can never reach a payment system.
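To make the “need to know” rule concrete, here is a small default-deny policy check of the kind a third-party access gateway would enforce before forwarding a vendor connection. This is an added example, not BeyondTrust’s or the author’s code; the vendor names, segment subnets and ports are constructed placeholders for a segmented network, and the connection attempts at the bottom are a constructed sample rather than a real gateway log.

```python
"""Default-deny, need-to-know access check for third-party connections.

Added example: not BeyondTrust's or the author's code. The vendor names,
subnets and ports are constructed placeholders for a segmented network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One destination a vendor may reach: a network and the TCP ports on it."""
    network: ipaddress.IPv4Network
    ports: frozenset


# Each vendor is pinned to the single segment its work requires (hypothetical values).
POLICY = {
    "hvac-vendor": (
        Grant(ipaddress.ip_network("10.40.0.0/24"), frozenset({443, 8443})),  # building-management VLAN
    ),
    "pos-vendor": (
        Grant(ipaddress.ip_network("10.50.1.0/24"), frozenset({22})),         # PoS management hosts
    ),
}


def evaluate(vendor, dst_ip, dst_port):
    """Return (decision, reason). Anything not explicitly granted is denied."""
    grants = POLICY.get(vendor)
    if grants is None:
        return ("deny", "unknown vendor")
    ip = ipaddress.ip_address(dst_ip)
    for g in grants:
        if ip in g.network:
            if dst_port in g.ports:
                return ("allow", f"{g.network} tcp/{dst_port}")
            # Right segment, but a protocol the vendor was never granted.
            return ("deny", f"tcp/{dst_port} not granted on {g.network}")
    # Destination is in some other segment: this is the lateral-movement case.
    return ("deny", "destination outside the vendor's segment")


def denied_connections(events):
    """Apply evaluate() to (vendor, dst_ip, dst_port) tuples; return the denied ones with reasons."""
    out = []
    for vendor, dst_ip, dst_port in events:
        decision, reason = evaluate(vendor, dst_ip, dst_port)
        if decision == "deny":
            out.append((vendor, dst_ip, dst_port, reason))
    return out


if __name__ == "__main__":
    # Constructed connection attempts, including one vendor reaching into another's segment.
    sample = [
        ("hvac-vendor", "10.40.0.12", 443),   # in scope
        ("hvac-vendor", "10.40.0.12", 22),    # right segment, wrong port
        ("hvac-vendor", "10.50.1.7", 22),     # HVAC vendor reaching into the PoS segment
        ("unknown-co", "10.40.0.12", 443),    # no policy at all
    ]
    for row in denied_connections(sample):
        print("DENY", *row)
```

The important design choice is the final `return`: a destination that matches no grant is denied without any further lookup, so adding a new segment never silently widens an existing vendor’s reach. In practice the same policy would be expressed as firewall rules between the vendor gateway and each segment; this check is the review of those rules, not a substitute for them.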
Secure connection gateways that proxy third-party access into sensitive environments help control who gets in, especially when combined with strong multi-factor authentication. This alone won’t solve the problem, since stolen or phished credentials can still carry a sophisticated attacker through the front door. What an attacker holding stolen credentials usually cannot reproduce is the legitimate user’s normal pattern of behavior, which is the argument for rigorous monitoring and audit trails for all third-party access. Developing behavioral baselines for all traffic, user logins, and activities once logged in, and alerting on departures from those baselines, should be a major priority for any organization that wants to detect and respond to incidents involving the third parties connected to its network.
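The following is an added example, not code from BeyondTrust or the author, of what a simple behavioral baseline for third-party logins looks like in practice: build a per-vendor profile of source networks, target hosts and login hours from a history window, then score new logins against it. Both the history and the new events are constructed log lines, and the thresholds (a /24 for “same network”, one hour of slack around observed login times) are arbitrary choices for illustration.

```python
"""Behavioral baseline for third-party logins, scored against a history window.

Added example: not BeyondTrust's or the author's code. The log lines and
thresholds are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed gateway log: vendor, UTC timestamp, source IP, target host.
HISTORY = """\
hvac-vendor 2017-05-01T09:12:00Z 203.0.113.10 bms-01
hvac-vendor 2017-05-02T10:40:00Z 203.0.113.11 bms-01
hvac-vendor 2017-05-03T08:55:00Z 203.0.113.10 bms-02
pos-vendor 2017-05-01T14:00:00Z 198.51.100.5 pos-mgmt-01
pos-vendor 2017-05-02T15:30:00Z 198.51.100.6 pos-mgmt-01
"""

# Constructed new events: one routine login, one that looks like stolen credentials in use.
NEW_EVENTS = """\
hvac-vendor 2017-05-10T09:30:00Z 203.0.113.12 bms-01
hvac-vendor 2017-05-11T02:15:00Z 192.0.2.77 pos-mgmt-01
pos-vendor 2017-05-10T14:20:00Z 198.51.100.5 pos-mgmt-01
"""


def parse(text):
    """Turn whitespace-separated log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        vendor, ts, src, host = line.split()
        events.append({
            "vendor": vendor,
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src),
            "host": host,
        })
    return events


def source_net(addr):
    """Coarsen a source address to its /24 so small address changes inside the vendor's block match."""
    return ipaddress.ip_network(f"{addr}/24", strict=False)


def build_baseline(events):
    """Per vendor: the source networks, target hosts and login hours seen in the history window."""
    base = defaultdict(lambda: {"nets": set(), "hosts": set(), "hours": set()})
    for e in events:
        b = base[e["vendor"]]
        b["nets"].add(source_net(e["src"]))
        b["hosts"].add(e["host"])
        b["hours"].add(e["time"].hour)
    return dict(base)


def score(baseline, events):
    """Return one alert per event that departs from its vendor's baseline, listing why."""
    alerts = []
    for e in events:
        b = baseline.get(e["vendor"])
        if b is None:
            alerts.append({"vendor": e["vendor"], "time": e["time"].isoformat(), "flags": ["no baseline for vendor"]})
            continue
        flags = []
        if source_net(e["src"]) not in b["nets"]:
            flags.append("new source network")
        lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1   # one hour of slack either side
        if not lo <= e["time"].hour <= hi:
            flags.append("off-hours login")
        if e["host"] not in b["hosts"]:
            flags.append("new target host")
        if flags:
            alerts.append({"vendor": e["vendor"], "time": e["time"].isoformat(), "flags": flags})
    return alerts


if __name__ == "__main__":
    for a in score(build_baseline(parse(HISTORY)), parse(NEW_EVENTS)):
        print(a["vendor"], a["time"], ", ".join(a["flags"]))
```

Note what this does and does not catch. The second HVAC login trips all three checks at once, which is the easy case. An attacker who uses stolen credentials from inside the vendor’s own network, during business hours, against the usual host produces no alert here, which is why the baseline has to extend past the login event to the commands run and data touched during the session, and why the segmentation in the previous section still has to hold even when the login looks normal.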
With more organizations focusing on the supply chain than ever before, it’s time to take a hard look at where third-party users connect, what they can get to, and what types of behaviors they exhibit during the course of business day-to-day. This is one risk that we need to get a handle on, and fast.
Watch this on-demand webinar, “Strategies for Controlling Third-Party Access to Internal Systems,” to dig into more details on this issue and learn how to monitor and control third-party access.
Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.