Speaking at Infosecurity Europe 2019 on 'Effective Steps to Reduce Third Party Risk,' Scott W. Coleman, director of product management at Owl Cyber Defense, said that the average number of connections to a facility is 583. “Most are legitimate, but how many are appropriate?” he asked.
He said that there are “vendors and companies and entities who need access to your plant, enterprise or base” and while many have a good reason to have access, you need to be sure that they are not presenting a risk that you don’t need.
Coleman recommended determining what you need to protect, which connectors and disaster recovery systems you need to protect, and which vendor service level agreements you need to maintain, “but be subversive on what needs to have access.”
He encouraged companies to focus on the following when evaluating a third party: which products and services require access; which companies have a higher level of personnel turnover; and which have been involved in breaches themselves, “as a lot of the time, a company has a third party connecting,” so it depends on their level of cybersecurity.
Looking at strategies for mitigation, Coleman asked whether many people would know who the 583 people are, what access they have, and whether you have a good handle on what they are doing. “Understand and measure what they are doing as it is hard to protect against them,” he said.
Next, he recommended looking at what value and risk third-party access presents to you, and applying resources to the highest risks and to the assets being touched. He said you should seek to reduce your footprint and the number of things you focus your resources on, and apply this posture to the things third parties affect.
“The bottom line is segmenting and least privilege,” he said. “The biggest problem is coming in laterally and if you put in segmentation and proper privilege, prevent movement and what all have access to.”
He said that the final way to mitigate is to use a zero trust approach, and the problem is that “trust but verify” is hard to achieve in practice. “The problem is when you take your eye off it, you no longer have the trust factor.”
He concluded by pointing to the Department of Homeland Security’s strategies for mitigating risk for third parties. These are recommended as:
- Reduce/eliminate connections in/out of the network
- Convert two-way connections to one-way out of the plant
- Convert two-way connections to one-way into the plant
- Secure remaining two-way connections