Cybersecurity is only as strong as the weakest link, with professionals always keen to identify and minimize the risk of any vulnerabilities. However, could the weak link in your enterprise lie with a partner or supplier?
Within most organisations there is a variety of reasons for third parties to be given access to the environment. Whether it is a service provider, partner or independent contractor, each will have specific requirements. Such parties provide specialist expertise and resources, reducing the cost of having to build an internal solution.
However, this does create a dependency on the security of other organisations, which has a large impact on the attack surface of the typical enterprise. Because of the nature of the work carried out by these types of third party, I often speak with organisations that are providing suppliers with administrative access to their server estate.
This highlights the risk posed by third parties. Breaches originating from suppliers are becoming more widespread and occurring more frequently. The Target breach was the result of an HVAC vendor's account being compromised, and the breach cost an estimated $162m.
Target were victims of the largest ever third party breach, as 41 million customers were affected.
The Paradise and Panama Papers breaches resulted in the exposure of roughly 25 million confidential documents. A common theme across both breaches is that law firms were the weak link. Law firms have often been described as the soft underbelly of business security. In a recent Accenture Cyber Round Table, Rick Hemsley (Managing Director for Accenture Security Practice) advised: “ultimately we look at the supply chain: the ecosystem around organisations becomes the route in to attack. If I wanted to attack an oil giant or a drug company to get market sensitive data I would attack the law firm because it will typically be far simpler than attacking the organisation itself.”
Finally, Ticketmaster UK provided a warning earlier this year. They advised that over a five-month period, from February to June, a third-party customer support system was compromised, potentially giving attackers access to the personal information and payment details of 2 million customers.
It is critical to understand which third parties are connecting to your environment, what they connect to, and the level of access they require. The nature of the third party and the sensitivity of the systems they access can vary greatly, so understanding the risk associated with each supplier helps organisations take proactive steps to address these issues. The NCSC advise that, until a clear picture of the supply chain is established, it is impossible to establish any meaningful control over it.
Industry guidance often highlights foundational security controls as a way of minimising this type of risk. Gartner VP Neil MacDonald recently shared his Top 10 Security Projects to reduce risk and make a large impact on business. Top of MacDonald’s list is Privileged Account Management, an essential first step in improving an organisation’s security posture. Many organisations are in the uncomfortable position of having to provide suppliers with administrative accounts but, as we have established, this is a commonly targeted attack vector.
Ticketmaster suffered a third party breach which exposed sensitive information of over 2 million customers.
Removing privileged accounts mitigates 74% of critical Windows Server vulnerabilities, as per Avecto’s Microsoft Vulnerabilities Report 2017. Privilege Elevation and Delegation Management (PEDM) tools like Avecto’s Defendpoint assign privileges directly to applications at the process level, allowing suppliers to perform privileged tasks specific to their role, from a non-privileged account.
Application control consistently features as one of the most effective controls in malware mitigation, and MacDonald also recommends Application Control on Server Workloads. Through this mechanism, organisations can provide suppliers with the correct level of trust: no more, no less.
Suppliers are able to work with the applications specific to their purpose, with granular control applied to anything outside the norm. This flexible approach ensures that different suppliers have a tailored level of access even when connecting to the same server estate, based on the risk assessment previously applied to each third party.
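To make the two controls above concrete, here is an added example (hypothetical code written for this post, not Defendpoint's policy format or any vendor API) that models supplier access the way PEDM and application control combine it: each supplier account is a standard user, every executable is default-denied unless it appears on that supplier's allow-list with a pinned hash, and administrative rights are attached to an individual process rather than to the account. The supplier names, paths and executable byte strings are constructed sample data; the risk tier is assumed to come from the supplier inventory step described earlier.

```python
"""Added example: a toy policy engine for supplier access that models
application control (per-supplier allow-list with hash pinning, default deny)
and process-level privilege elevation (PEDM). Supplier accounts are standard
users; elevation is granted per executable, never to the account.
Hypothetical code, not Defendpoint's policy format."""
from dataclasses import dataclass, field
from hashlib import sha256

ALLOW, ELEVATE, DENY = "ALLOW", "ELEVATE", "DENY"


def fingerprint(binary: bytes) -> str:
    """SHA-256 of the executable image; used to pin each allow-listed app."""
    return sha256(binary).hexdigest()


@dataclass(frozen=True)
class AppRule:
    path: str        # executable the supplier is permitted to run
    sha256: str      # pinned hash; a modified binary no longer matches
    elevate: bool    # run with admin rights for this process only


@dataclass
class SupplierPolicy:
    supplier: str
    risk_tier: str                              # from the inventory step, e.g. "high"
    rules: dict = field(default_factory=dict)   # normalised path -> AppRule

    def add(self, path: str, binary: bytes, elevate: bool = False) -> None:
        # Windows paths are case-insensitive (assumed target), so normalise first
        self.rules[path.casefold()] = AppRule(path, fingerprint(binary), elevate)


def evaluate(policy: SupplierPolicy, path: str, binary: bytes, audit: list) -> str:
    """Decide how a process launched by the supplier account is handled.

    Anything not explicitly allow-listed is denied (default deny); a matching
    path whose contents changed is also denied; otherwise the process runs as a
    standard user, or elevated only if its rule says so. Every decision is logged.
    """
    rule = policy.rules.get(path.casefold())
    if rule is None:
        decision, reason = DENY, "not on allow-list"
    elif rule.sha256 != fingerprint(binary):
        decision, reason = DENY, "hash mismatch"
    else:
        decision = ELEVATE if rule.elevate else ALLOW
        reason = "matched rule"
    audit.append(f"supplier={policy.supplier} tier={policy.risk_tier} "
                 f"path={path} decision={decision} reason={reason}")
    return decision


# Constructed sample data: stand-ins for executable images.
HVAC_CONSOLE = b"hvac-console-build-1.2"
BACKUP_AGENT = b"backup-agent-build-4.0"

# Two suppliers with different tailored access to the same server estate.
hvac_vendor = SupplierPolicy("hvac-vendor", "medium")
hvac_vendor.add(r"C:\Vendor\HVAC\hvacconsole.exe", HVAC_CONSOLE)  # standard user only
backup_contractor = SupplierPolicy("backup-contractor", "high")
backup_contractor.add(r"C:\Program Files\Backup\agent.exe", BACKUP_AGENT, elevate=True)


def demo() -> tuple:
    """Run a few launches through the policies; return (decisions, audit lines)."""
    audit: list = []
    decisions = [
        # Same binary, different path case: still matches the rule.
        evaluate(hvac_vendor, r"C:\Vendor\HVAC\HVACCONSOLE.EXE", HVAC_CONSOLE, audit),
        # A shell is not on the HVAC vendor's list: default deny.
        evaluate(hvac_vendor, r"C:\Windows\System32\cmd.exe", b"cmd", audit),
        # Right path, tampered image: hash pin fails.
        evaluate(hvac_vendor, r"C:\Vendor\HVAC\hvacconsole.exe", HVAC_CONSOLE + b"x", audit),
        # Contractor's backup agent is elevated per process, not per account.
        evaluate(backup_contractor, r"C:\Program Files\Backup\agent.exe", BACKUP_AGENT, audit),
        # The same agent is not in the HVAC vendor's policy: same estate, different trust.
        evaluate(hvac_vendor, r"C:\Program Files\Backup\agent.exe", BACKUP_AGENT, audit),
    ]
    return decisions, audit


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The point of the design is that no supplier account ever holds administrative rights: the only thing that runs elevated is a specific, hash-pinned executable named in that supplier's policy, and the audit line produced for every launch is what a SOC would feed into its detection tooling to spot a supplier account attempting anything outside its norm.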
Are you comfortable with the current level of risk posed by your suppliers? Could more effective controls be put in place to minimize risk across the server estate? Defendpoint can help to minimize these types of risks, while ensuring that suppliers are still able to provide value and expertise. To see this in action, request a Defendpoint demonstration today.