A critical component of an organization’s security is monitoring and managing third-party vendors and associated devices. While not uncommon for organizations to utilize many outside vendors, it is important to include any processes or services they provide into your overall risk management program.
Vendor services can differ depending upon organizational needs. There are a number of different types of vendors, including but not limited to:
- Those who manage services and/or devices within your environment,
- Those to which you send either your or your customers’ data, and
- Data centers or cloud providers that may provide infrastructure for a specific application or environment.
While vendor access and services can introduce risk, the exact nature of that risk will vary depending on with what services and access a vendor is involved. Vendor access, permissions, systems and processes can provide an attacker with an additional attack surface beyond your own environment, systems and processes that may be more susceptible to attacks, as suggested by Verizon’s Data Breach Investigations Reports from recent years. The 2016 report stated that, “97% of breaches featuring stolen credentials leveraged legitimate partner access.” The 2017 report similarly concluded that, “Use of stolen credentials and backdoor/C2 [command-and-control server] were the most prominent hacking varieties… Many of these attacks involved actors using valid partner credentials and backdoors, while a third of them represented desktop sharing as the hacking vector.”
There are some basic actions that your organization should carry out as part of a vendor management program to identify and reduce the risk associated with your vendors.
Conduct a Risk Assessment
Risk assessments identify the potential risks and threats faced by your organization. A risk assessment should encompass your entire organization (including technologies, employees and processes) as well as third-party vendors, as focusing on too narrow of a scope may lead to potential risks being missed or scored inappropriately. At the conclusion of the risk assessment, results should be made known to leadership, and the organization should design and implement mitigation strategies within your vendor management program to reduce identified risks.
Include Contractual Obligations
At the management level, organizations should define each vendor’s responsibilities within the vendor’s contract. By clearly stating in writing what is the vendor’s responsibility, and what is still your responsibility, you and the vendor are able to better manage your environment with a mutual understanding. This prevents potential critical tasks from slipping through the cracks with each party thinking the other was handling it. Once agreed upon, management should work with technical staff on at least an annual basis to make sure that these expectations are being met. For example, if a contract requires that a vendor keep your systems up to date, your organization may choose to audit the vendor’s patching of those systems to validate they are up to date according to the contracted schedule. Choosing high quality vendors will obviously make this process easier on you. The best vendors will provide regular ongoing reporting of their activities in relation to your contracted services to show clear evidence of their work and value.
Identify Data Sharing
There may be a number of business reasons to share data (belonging to either customers or the organization) with a third party. Organizations should work to identify what data they currently share with third parties and limit the data shared to that which is required to be shared for either business or legal reasons (this is an especially critical step for organizations with General Data Protection Regulation (GDPR) compliance obligations).
Isolate Devices
When your organization requires vendor devices (e.g., a managed security service, an Internet-connected device) to be used on your network, at a minimum, your organization should isolate these devices from your internal devices that store, process or transmit sensitive data. This can be accomplished by either implementing network segmentation or providing the vendor their own cable/fiber channel.
The goal of isolating vendor devices is to minimize the threat of an attacker being able to use such devices to move laterally within your network. A simple way to envision this is to ask, “If <device> were to be compromised, what systems would be exposed to it? Where could an attacker get to from <device>?” Permitting excessive communication between vendor devices and your systems may provide an attacker with a platform to gain either complete network access or access to sensitive data and systems. To validate that vendor devices are sufficiently isolated from their systems, organizations should perform internal network scanning and review segmentation rules often.
Perform Penetration Testing
An option for implementing due diligence beyond conducting internal scanning, and a requirement of several major compliance mandates across industries, is to perform penetration testing that includes any vendor systems that provide access into your environment. Performing this testing will best simulate an attacker’s path to compromising your systems, since all potential avenues into the environment should be included within the test. Good penetration testing vendors will actually be able to provide you with a “permission slip” for you to give to your vendors, where relevant, so that their systems that are critical to your business can also be included in your regular testing process. If the vendor is fully supporting your environment, perhaps in a fully managed services role, full penetration testing of that vendor may not be practical. In situations like these, perform your due-diligence by asking your managed service provider for proof that they are performing regular penetration testing on the services that could impact your organization.
Monitor Accounts
A vendor’s level of access, and the accounts used by a vendor, should also be closely scrutinized. Vendor accounts should always be unique. Should your organization discover default or shared accounts being used, you should feel compelled to investigate further and remediate this very critical security issue.
Limit Network Traffic
Additionally, any network ingress or egress rules required by a vendor should be explicitly documented. The vendor should be able to provide justifications for any required traffic. Traffic permitted should have its ‘source’ and ‘destination’ addresses restricted to only what is necessary. Rules with “any” for a source or destination address should not be permitted.
Vendor support and products should not be treated as a “black box,” with optimistic assumptions being made regarding the security of these offerings. Organizations are best served by treating vendor devices as potentially hostile systems and vendor accounts as privileged accounts requiring extensive monitoring. Technical staff should audit and monitor vendor devices placed within their environment as well as their access to identify and address any significant risks they may present to the environment. Additionally, organizations should be able to readily identify the types of data that they are sharing with vendors and with which vendors they are sharing the data.
By understanding and acknowledging the risks that third-party vendors can present to your organization, your organization can work to proactively address, reduce and/or eliminate those risks to realize not only a more beneficial relationship with your vendors, but also a more secure one.
Have questions about the security of your business? Contact Sikich. We’re here to help.