It is well known that the 2013 Target data breach was the result of a compromised third-party vendor. Attackers sent a phishing email to a refrigeration company that did business with Target and had access to some of Target’s computer systems. At least one user fell for the phishing email, causing malware to be installed on the company’s systems. The attackers used the malware to steal credentials for Target’s vendor portal, ultimately gaining access to Target’s point-of-sale system.
This attack might seem like an isolated incident, but data breaches involving business partners and suppliers are alarmingly common and on the rise. In the 2017 Third-Party Data Risk Study by the Ponemon Institute, at least 56 percent of respondents said they had experienced a third-party data breach, and 73 percent said cybersecurity incidents involving vendors and partners are increasing.
The risk is particularly acute when it comes to privileged access. A trusted third party can create a serious security threat by revealing privileged credentials. This can open the door to an attack coming over a trusted connection with legitimate access, which can be difficult to detect. And the risk doesn’t go away when a business relationship ends. Very few organizations have adequate cybersecurity controls incorporated in their contract management and vendor termination processes.
Part of the problem is a lack of visibility into the cybersecurity practices of business partners. More than half (57 percent) of survey respondents said they don’t know whether their business partners could prevent or even detect a security breach. Moreover, only 43 percent keep a list of the third parties with whom they’ve shared sensitive information, a number that drops to just 18 percent for nth-party relationships.
While you have little control over the security practices of outsiders, there are steps you can take to mitigate the risks. First, you should develop an onboarding process for all partners and suppliers who need access to internal systems. This should involve an evaluation of their current cybersecurity practices and stipulation of minimum requirements for security controls. (Note that the malware used in the Target breach could have been detected by enterprise-class antimalware solutions, but the refrigeration vendor was using only a free version of antimalware software that provided no real-time protection.)
You should also have ongoing monitoring processes to ensure partners continue to meet cybersecurity standards. This can be accomplished through an annual audit process or by having partners and vendors fill out self-assessment questionnaires.
Privileged account credentials deserve special consideration. Credentials for third-party privileged access should be governed by standards at least as strict as those applied to internal privileged access. The CyberArk Privileged Account Security platform stores all passwords and SSH keys in a vault, giving your in-house IT team complete control over remote access. Passwords never have to be revealed to the third-party user, so the credentials cannot be captured by malware on the user’s machine or exposed through risky behavior.
The CyberArk solution can identify the use of privileged accounts by third parties and monitor all privileged account sessions. Real-time alerting speeds incident response, while session isolation can prevent malware on remote endpoints from infecting the network.
Many organizations need to provide business partners and suppliers with some level of network access in order to do business effectively. Unfortunately, there is mounting evidence that these third-party connections create substantial cybersecurity risks. The CyberArk-certified engineers at Clango can help you implement policies, processes, and technologies to prevent third-party access from causing what could turn out to be the next infamous data breach.
For more information about CyberArk, please send us an email at (firstname.lastname@example.org).