TechInsight: Protection Tips for Third Party Vendor Access
The security of third party vendor relationships is coming under increased scrutiny as the source of the Target breach has been identified as a HVAC service provider who had remote access into the Target network. While details are still scarce, it’s clear that a connection used to allow access for billing can be all that’s needed for an attacker to turn that innocuous entry into a data breach that is costing Target untold millions.
As businesses grow, they are forced to rely on third parties to provide services that require a trust in the provider to protect their networks and data at the same or greater level. Unfortunately, this is rarely the case. Security firm Trustwave analyzed 450 data breaches in 2013 that showed nearly two thirds were related to third party IT providers.
With the increasing reliance on business-to-business connections, companies must protect themselves from the threats posed by allowing “trusted” third parties access to areas of their network. While trust can be made in a vendor to provide the services they’re committing to, it’s a blind leap of faith to assume they will take the same precautions in protecting the information and the access to your network they’re trusted with.
Businesses need to protect themselves and treat the vendors accessing their network as untrusted entities and put in the controls to protect themselves and monitor all activity sourced from the vendors. The following are tips that have come from my experience as a security consultant and countless conversations with companies who must allow access to third party vendors and the vendors themselves.
The first is that all vendors who require access must have detailed security policies that are regularly reviewed, updated, and enforced. A policy is nothing but a useless piece of paper (or wasted electrons) if it isn’t maintained and enforced. The policies need to be readily available for review and supporting documentation of the security controls should be available to the contracting business.
Policies aren’t enough by themselves. Validation of the effectiveness of those policies and security controls must be performed on a regular basis. A combination of penetration testing and risk assessment needs to be performed at least annually, if not more often. If the third party vendor is not already doing part of this, a business may consider including part of it in their regular testing. As a security consultant, I regularly find myself testing a network or web application at the request of the organization that is going to be using it as part of their business with a particular vendor.
When remote access is required for business partners, vendors, and consultants, that access needs to be tightly segmented and isolated as much as possible from the rest of the production network. Granular controls should be in place that restricts third party access to only those resources that absolutely need to be accessed to conduct business.
In the case of web applications, they need to be locked down, isolated, and monitored. Web applications, in particular, are a common weak link when the expectation is that they’re only to be accessed internally. A thorough security review should test to ensure the applications do not suffer from common injection flaws and other issues that could allow a malicious attacker to gain deeper access into the network.
Corporate security teams have gotten excellent at locking down their perimeter but too often the internal network is ripe for exploitation. Third party access into the network is an almost immediate win for an attacker who can breach the vendor’s network or steal its credentials. VPNs, web applications, and remote desktop (i.e. Citrix, MS-RDP) must be monitored rigorously to identify anomalies that could indicate an attacker has gained access. This monitoring needs to extend down into the Web and remote desktop applications that are being accessed by the vendor.
In addition to policies and controls, businesses need to have an agreement in writing that states any breach will result in immediate notification to its partners. This will put the business on notice to be extra vigilant in monitoring for suspicious activity. Assistance can be provided, if needed, and information should be shared to help other partners identify potential indicators of compromise. A post-mortem should also be required to help all parties understand where the initial vector of attack occurred, the techniques used during the breach, and ensure that the issue and any similar ones are taken care of quickly.
At the end of the day, it’s important to remember that your data is your responsibility. Connections from third parties should be considered untrusted and appropriate security controls and monitoring need to be in place to protect your data. Signed service level agreements and “cyber” insurance aren’t going to keep you out of the headlines when a breach occurs and it’s not going to help the individuals whose data was lost and sold in the underground carding market.
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.