Today, organizations work with third parties for a variety of reasons. External vendors, outsourcers, and contractors play a vital and growing role within an organization, but when given access to an institution’s network and systems, they can be difficult to monitor and manage.
Third parties have been identified as the source of several significant cyber breaches and are a major target for attackers, introducing additional risks and vulnerabilities into an organization’s environment. You needn’t look far for real-life examples demonstrating the threat they pose.
Take the Target breach for instance, in which cyber-criminals gained access through a third party heating, ventilation, and air conditioning (HVAC) vendor, reaching the retailer’s point-of-sale (POS) payment card readers and collecting millions of credit and debit card numbers, affecting 110 million customers.
Ticketmaster fell victim to a similar attack, when a third party customer support system was compromised, potentially giving cyber-criminals access to personal information and the payment details of two million customers.
Despite the growing number of cyber-attacks, IT professionals are showing worrying levels of uncertainty around the amount of control and visibility they have over their own network. As revealed in our research gathered from IT professionals at Infosecurity Europe 2019, only a quarter (25%) are confident in having visibility of all third parties accessing their network.
With the severity of breaches clearly demonstrated, as well as an apparent lack of visibility among IT professionals’ respective organizations, it’s essential that organizations know how to gain visibility of third parties operating across their network. Here’s how.
Phase 1: Discovery
You can’t manage what you can’t measure. The first priority for an organization is to conduct a discovery exercise, whereby they understand their relationship with their existing partners and suppliers and assign policies that suit each type of external party.
Once the organization understands who's connecting to what, they can assign different levels of access based on their responsibility. For instance, if an institution has a permanent contractor, they may require a different level of accessing controls put in place for them, versus someone who comes into the network once or twice a year to check whether a service is still operational, or collect usage statistics.
Furthermore, organizations need to ensure that operations, HR departments and IT teams are integrated across the joiners, movers and leavers process with contractual obligations, to understand whether each person should or should not be allowed access to the infrastructure. Often a change in role or service is overlooked, and can inadvertently grant too much access by accumulating permissions.
Upon gaining visibility of how third parties are interacting on the environment and categorizing different levels of controls are based on their risk to the organization, they then need to separate the authentication and access controls.
Phase 2: Clarifying authentication
For phase 2, institutions need to ensure they are implementing secure authentication processes to confirm people are who they say they are, and then control their access by reducing internet-facing services for third parties.
Regarding authentication, organizations need to ensure they are moving away from the ‘shared account model’ for third parties as this is a poor security practice. This model is where teams will commonly share highly-privileged accounts such as root, Windows Administrators, domain administrators and many other privileged credentials for convenience.
However, with multiple people sharing an account password, it may be impossible to tie actions performed through an account to a single individual. As a result, this creates security, auditability, and compliance issues
Phase 3: Controlling access
Concerning access, IT teams have often relied upon some form of Virtual Private Network (VPN) to establish remote connections to enable users and third parties to interact with their systems. However, VPNs present problems for securing remote access, as they act as both a front door and backdoor to organization’s critical data and applications. As a result, VPNs attract significant attention from threat actors because they can easily be used to gain unauthorized access to an institution’s systems.
The security posture of a third party’s endpoint can be a risk to an organization. More often than not, the system connecting to a network is not managed by the internal IT team. This creates a significant level of risk – potentially opening up the door to malware propagation across the network.
Because of this, organizations should look to bring third parties in using tools that isolates or brokers the connection. This will ensure there is a logical separation of network connectivity between the third party and the corporate network, similar to the concept of an electronic ‘air-gap’.
To aid securing authentication and control access, investing in robust privileged access management (PAM) tools is the solution for properly managing these areas. PAM is a collection of technologies (privileged credential management, session monitoring, privilege elevation and delegation, among others) and practices that allow organizations to monitor and manage privileged or administrative access to their critical systems.
With a PAM solution in place, varying levels of authentication are granted solely to users who require it. Furthermore, access is provided only through known pathways so that institutions can monitor, approve and revoke access quickly, thus reducing the attack surface.
The list of third parties that may have access to an organization’s network at any given time is endless. Many of these vendors and workers will continue to connect to an organization’s systems remotely to go about their daily business in supporting them.
While closing the gaps in security is no easy task, it is essential that institutions are aware of the threat they pose, in order to take preventative action and gain visibility into their network, and avoid the risk of becoming the next headline breach.