Third parties leave your network open to attacks

With the Target example as the high-water mark, enterprises need to worry about the lack of security on the part of third-party providers that have access to internal systems.

1 2 Page 2
Page 2 of 2

What’s the solution?

Third-party access requires a layered security approach with dynamic contextual access control applied throughout, said Gerry Gebel, vice president of business development at Axiomatics. For example, one layer of security is to dynamically control who can access your network. Another layer would be to control access to APIs, data and other assets once these third parties are on the network.

Caccia advises that third-party access to assets is a perfect scenario for behavioral analytics, where the system baselines normal behavior of users on the network, even with limited knowledge of who those users actually are. “User behavior analytics (UBA) should be table stakes for any firm that works with partners extensively; it’s the best – perhaps only – way to understand and control what once-removed users are doing on your network and with your data,” he said.

Henderson recommended that companies make sure governance policies around vendor management are bolstered and reinforced. This should include policies around regular and random audits of those vendors. Those audits should have the ability to return quantifiable and definable metrics.

Also when it comes to creating and drafting contracts with these vendors, it’s critical that the appropriate sections clearly define the security and privacy obligations expected of the vendor are included.

“I like the idea of inserting data canaries into the record sets that are shared with third parties and then watching for those canaries to pop up in dumps online. You would be amazed at how often data leaks onto the web and shows up in places like pastebin,” Henderson said. “Other things that make me nervous about this problem are quite simply the fact that all the staff, resources, tools and technologies can often be defeated by nothing more than some middle manager somewhere dumping a huge amount of customer data into a spreadsheet then sending it off via email to some previously unknown third party contracted by a business unit to run a bulk email campaign.”

For other enterprises an important lesson is to ensure that third parties have no way to reach those portions of the network, he advised. “Microsegmentation of your environment, as well as many other tools designed to keep traffic from co-mingling, can stop or at the very least, slow down an attacker, giving your security teams valuable time to detect and respond to an incident,” he said.

While it’s not possible to avoid third parties, Javvad Malik, security advocate at AlienVault, said there are many fundamental security practices that can help mitigate the risks. Examples of such would include:

  • Knowing your assets – by understanding your assets, particularly critical ones, it can be easier to determine effectively what systems third parties should have access to and restricting it to those. 
  • Monitoring controls – having in place effective monitoring to determine whether third parties are only accessing systems they should and in a manner they should. Behavioral monitoring can help in this regard by highlighting where activity falls outside of normal parameters.
  • Segregation – by segregating networks and assets, one can contain any breaches to one specific area.
  • Assurance – proactively seek out regular assurance that the security controls implemented are working as intended.

Jeremy Koppen, FireEye principal consultant, said there are four security controls that should be discussed regarding third-party access:

  • Assign a unique user account to each vendor user to better monitor each account and identify abnormal activity.
  • Require two-factor authentication for access to applications and resources that could provide direct or indirect access to the internal network. This protects an organization in case the vendor's user credentials are compromised.  
  • Restrict all third-party accounts to only allow access to systems and networks required. 
  • Disable all accounts within the environment upon termination of third-party relationship.  

In the enterprise application development world, Jerbi sees many companies being caught off guard by third-party use of emerging technologies such as virtual containers. If a company is using containerized applications from a third party, that application should be vetted for container-specific security risks such as vulnerabilities in container images, hard–coded secrets and configuration flaws.

Baker said there are plenty of best practices to look for when choosing a vendor: how transparent is their security? Do they have third-party security testing? Do they share the results of that testing? “In the end, choosing a secure vendor alone won’t necessarily prevent another Target, but it will prevent the third-party firms you work with from being the weak link,” he said.

This story, "Third parties leave your network open to attacks" was originally published by CSO.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2017 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2