5 Best Practices for Reducing Vendor & Third-Party Security Risks
Vendors and other third-party partners have caused some big data breaches. Here is how to keep it from happening to you.
By Jeff Goldman | Posted February 08, 2016
With security breaches now a regular fixture in the news, it’s an increasing cause for concern that many — including major breaches at Target and Goodwill — are caused not by attacks on the companies themselves, but by breaches at third-party vendors.
PWC’s 2015 U.S. State of Cybercrime Survey found that 62 percent of companies evaluate the security risks of third-party vendors, 57 percent do so for contractors, and 42 percent consider supplier risks. Only 23 percent don’t evaluate third-party security at all.
In general, Veracode co-founder and CTO Chris Wysopal said, enterprises are determining that a significant portion of their risk is coming externally and they’re demanding more from vendors as a result.
“I’ve seen a change happen where in the beginning, the vendors would say, ‘No, we’re secure, trust us. We don’t have to show you our security process, we don’t have to show you the results of testing,’ to today we’re seeing vendors having to provide assurances to their customers about their security programs,” Wysopal said.
Here are five steps you can take to help reduce security threats coming from your relationships with third-party vendors.
Joe Schorr, director of advanced security solutions at Bomgar, said the first step should be to focus on yourself: Get a better understanding of which vendors have access to your system, where they’re connecting and what they’re doing. “A lot of the third-party access seems to be kind of ‘fire and forget.’ ‘We decided to outsource this function, so let’s nail up the VPN, get these guys in, get them working’ — and then people tend to walk away from it,” Schorr said.
Instead, take the time to reassess everything that’s currently in place, including access you may have set up a while ago. “Go back, do a good internal audit of who’s accessing what at the very least, and then get a little bit deeper: why are they accessing that, who gave them that, who’s the internal sponsor for this activity?” Schorr said. “Start peeling that onion a little bit.”
Look at everyone who has privileged access — especially, Schorr said, anyone who has over-privileged access.
“That janitorial service, if all they’re doing is logging in to talk to accounts receivable and make sure they get paid every two weeks as a contractor, why do they have access to the same type of vendor portal that your third-party development team is logging in through to get to an application database?” he said. “Don’t treat vendors as one big blanket entity.”
Audit Your Vendors
Schorr previously led BT’s Ethical Hacking Team, and he said a few of the big banks his team worked with gave BT an extremely onerous security audit once a year. “They didn’t just audit themselves to see who was logging in. They said, ‘BT, do you guys meet the criteria on these five tabs on this extensive spreadsheet? Prove to us you’re doing all these different things,'” he said.
Those requirements, he said, were likely more strict than the banks’ own internal policies and procedures. “That obviously is not always practical and there are business considerations,but I tell clients all the time, ‘Look, you’re the customer. You should have a little bit more say in what’s going on.'”
At a basic level, that can mean asking questions of everyone who connects to your systems. “You can start off low-level, like, “Here’s a self-service questionnaire ‘how do you do these different things?’ And then all the way to, ‘Are you audited quarterly? Do you do code reviews on applications that touch our applications?'” Schorr suggested.
Any vendor should be capable of providing you with that kind of information, Wysopal said. “If they say, ‘No, we don’t do that,’ or ‘We don’t share results on our internal security,’ they probably do, and they’re just trying to make you go away,” he said. “One of the things we’ve learned is that if you push hard enough, they say, ‘Yeah, you’re right. We have had a third party audit, and we can show you the results.'”
Audit Again (and Again)
Too many companies, Schorr said, examine these issues, both internally and externally, once in detail — but fail to follow up on a regular basis.
“Even when they do it right, they tend to leave those activities in the dust and just hope they’re good for another 11 months and three weeks until they launch that audit again,” he said. “The most effective thing I’ve seen is to do it quarterly.”
It can be tough to do more than that, Schorr said, but for crucial assets, it’s worth taking the time to do a quarterly assessment. “If you’re trying to guard that Kentucky Fried Chicken recipe at the core of your information security network, then at least every three months, you should be checking in with people that have access to it, internally and externally,” he said.
Leverage Encryption and Other Technologies
Ultimately, Schorr said, you need to control the access itself, control the assets and control the accounts that touch those assets. “There are perfectly good, mature technologies out there that meet all those needs,” he said. “The trick is putting them where they need to be, identifying exactly where that point of ingress is and exactly what they’re trying to touch on the inside.”
Every company, Schorr said, has something that somebody wants to steal.
“I call it the three Ps: Property, something that’s Profitable or something that’s Personal,” he said. “When you need to protect that, you should probably be talking about encryption. I’m not a fan of encrypting everything on network — I think that’s crazy — but the stuff that keeps you awake at night that you’re trying to protect, that’s the stuff for which you should be looking at some kind of an encryption scheme.”
In general, Wysopal said it’s best to ensure that whatever technologies you’re using for internal security are also applied to vendors with privileged access.
“If you’ve implemented two-factor authentication for remote access to your company, why aren’t you implementing two-factor authentication with all the services you’re using that also have access to your company’s data?” he said. “Try to keep parity with what you already thought was a good idea to do to yourself.”
If possible, Schorr said, it’s best to monitor all sensitive connections on an ongoing basis.
“The ability to record what’s going on and watch over someone’s shoulder while they’re working in your environment is really, really big and an emerging tool for people defending networks,” he said. From an attacker’s perspective, accessing a company’s network through a third-party vendor’s VPN connection, only to discover that the company is recording whatever their third parties are doing can be pretty scary — and an effective deterrent.
Get It in Writing
However you decide to secure your connection with a given vendor, Schorr said, get it in writing. “Make it contractual, put some teeth behind it because that’s really the only thing that people understand,” he said. “Companies are starting to fall into litigation from missing things on audits — and when companies are getting breached, they’re starting to look at their security companies and vendors, and starting to point fingers, because it’s costing money.”
Getting lawyers involved can be a good move. “I’m no more of a fan of litigation than anybody else, but sometimes the only thing that people listen to is a carrot and a stick — and sometimes you need the stick,” Schorr said.
Contracts do not need to be complex, he said. “It can be something as simple as ‘Here’s what your system should look like to connect to us, you’re going to have to go through this special connection we’ve set up, you’re going to be recorded while you’re doing all of that, and here’s our recourse if something bad happens and we find out it came through you,'” Schorr said. “That may be just enough to get people to take the extra couple of steps to do some basic security stuff on their end.”
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.