How to Reduce Third-Party Cybersecurity Risks

Third-party vendors can be the weakest link in your network security. When you neglect to assess their cybersecurity posture and practices, you risk exposing your network to vulnerabilities beyond your control.

Remember the disastrous data breach suffered by Target in 2013? You may recall that the cause was the theft of credentials from an HVAC vendor with access to Target’s payment systems. The incident could have been avoided if Target had had policies in place to manage secure access privileges, as the vendor’s network access would have been limited to only those resources necessary to do the job.

Beware insider threat from outsiders

Third-party access can lead to several risk scenarios. If the vendor has weak security, outside attackers might exploit it to tunnel through to your systems. Additionally, malware could be introduced and spread from the vendor’s network to yours.

Another insider threat that is often overlooked is rogue and dishonest vendor staff. These employees can abuse their access to your systems, figuring they’re less likely to get caught than if they were to break into their own employer’s systems. This is a very real scenario, with Verizon reporting in its 2017 Data Breach Investigations Report that 25% of data breaches involve internal actors.

Steps to limit exposure to third-party cybersecurity risks

A good rule of thumb is to ask your vendors to meet your own internal cybersecurity standards. If they are a critical or sensitive vendor, this is certainly a good place to start. You can require vendors to complete a detailed questionnaire about their security practices and potentially request an audit depending on how critical their access is. Lastly, a logical request is to have your vendor provide proof that they take security seriously. They should be able to provide a summary of the security testing they’ve completed, which should include at least external penetration testing, and possibly internal penetration testing as well.

According to our partner, Rebyc Security, an external penetration test should identify gaps and vulnerabilities within your security program that could result in unnecessary risk. This starts with identifying vulnerabilities in protocols, services or applications and then working to exploit those while going undetected. Rebyc Security provides a report to all their clients detailing all findings, supplemented with observations, impact and recommendations to mitigate the risk, an executive summary of the organization’s security posture and an overall risk rating.

An internal penetration test assumes that the attacker or rogue employee has already gained logical access to your organization’s network. These tests are typically highly customized to meet client-specific requirements. Some of the more likely areas to test include passive network sniffing, gathering and cracking passwords, escalating privileges and data exfiltration.

Other recommendations to limit your exposure to your vendors’ cybersecurity vulnerabilities include:

  • Performing thorough due diligence, including reviewing the vendor’s SSAE-16/SOC reports and penetration test results
  • Securing access privileges and using network segmentation to limit your vendors’ access to critical data
  • Performing round-the-clock network monitoring to alert system managers to unexpected levels of activity
  • Developing and testing a detailed incident response plan to mitigate damage in the aftermath of a security event, including keeping vendor contact information up to date
  • Utilizing strong passwords for all vendor accounts. Rebyc Security recommends at least 15-character passwords for all external vendor accounts
  • Understanding the main areas of potential vulnerability, such as IoT devices and cloud systems. IoT devices often have weak security and can be an easy point of attack. Cloud systems can be very secure, but if a vendor is negligent or misconfigures access, it could put your data at risk. Even networked printers can be weak points
  • Implementing a multi-factor authentication solution for all vendor accounts that have internal network access
  • Performing patch management to keep your system software up to date at all times and, if possible, contractually requiring vendors with access to your sensitive data to do the same
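As an added illustration of the access-scoping and monitoring recommendations above (example code written for this article, not neteffect’s or Rebyc Security’s tooling), the script below reviews constructed vendor access log lines against a per-vendor least-privilege policy: it flags access to network segments a vendor was never granted, activity outside the vendor’s agreed maintenance window, and bursts of activity above an hourly threshold. The log format, the vendor names and the policy values are all assumptions made for the example.

```python
from datetime import datetime
from collections import Counter

# Constructed vendor access policy (assumed for this example): each vendor
# account is allowed only the segments its job requires, a maintenance
# window in UTC hours, and an expected ceiling on events per hour.
VENDOR_POLICY = {
    "hvac-vendor": {"segments": {"building-mgmt"}, "window": (8, 18), "max_per_hour": 20},
    "pos-support": {"segments": {"payments"}, "window": (0, 24), "max_per_hour": 50},
}

def parse_line(line):
    """Parse one 'timestamp key=value ...' access log line (constructed format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def review_vendor_access(lines):
    """Return (account, reason) alerts for vendor activity outside policy."""
    alerts, per_hour = [], Counter()
    for rec in map(parse_line, lines):
        user = rec["user"]
        policy = VENDOR_POLICY.get(user)
        if policy is None:                      # nobody approved this account
            alerts.append((user, "unknown vendor account"))
            continue
        if rec["segment"] not in policy["segments"]:   # beyond least privilege
            alerts.append((user, f"out-of-scope access to {rec['segment']}"))
        start, end = policy["window"]
        if not start <= rec["ts"].hour < end:          # outside agreed hours
            alerts.append((user, f"activity outside window at {rec['ts'].isoformat()}"))
        per_hour[(user, rec["ts"].strftime("%Y-%m-%dT%H"))] += 1
    for (user, hour), n in per_hour.items():           # unexpected volume
        if n > VENDOR_POLICY[user]["max_per_hour"]:
            alerts.append((user, f"{n} events in hour {hour} exceeds threshold"))
    return alerts

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2023-03-01T10:05:00Z user=hvac-vendor src=10.20.5.9 dst=bms-01 segment=building-mgmt action=login",
    "2023-03-01T02:14:00Z user=hvac-vendor src=10.20.5.9 dst=pos-db-01 segment=payments action=login",
    "2023-03-01T11:00:00Z user=pos-support src=10.30.1.4 dst=pos-db-01 segment=payments action=query",
    "2023-03-01T11:30:00Z user=unknown-contractor src=10.99.0.7 dst=fileserver segment=corp action=login",
]

if __name__ == "__main__":
    for user, reason in review_vendor_access(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```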

There’s no one-size-fits-all approach to cybersecurity

It’s important to keep in mind that there’s no one-size-fits-all approach to penetration testing, patch management or cybersecurity in general, which is why at neteffect we tailor our managed security services to your specific requirements.

neteffect technologies partners with Rebyc Security, a leading provider of proactive security consulting services including penetration testing, vulnerability assessments, social engineering and web application security testing. Contact us at 704-688-7170 to find out how neteffect technologies can make your network safer.