Why You Need to Address the Risk of Third-Party Credential Theft
“It is abundantly clear that, in many respects, a firm’s level of cyber security is only as good as the cyber security of its vendors,” stated Benjamin M Lawsky, the superintendent of financial services for New York State, in a letter to banks seen by the New York Times last October. He was writing in reference to an alarming and fast-growing trend in the way that cyber criminals are gaining access to their targets’ networks: via usernames and passwords belonging not to those companies’ employees, but to their third-party contractors.
And this isn’t limited to the financial services sector. While we’re all aware of the increase in point-of-sale malware in the retail industry in 2014, it’s surprising just how many mega breaches started with the theft of third-party credentials: Target, Home Depot, Goodwill, Dairy Queen, Jimmy John’s and Lowe’s, and recent government agency breaches including OPM and IRS, to name a few. Hackers have discovered a ripe opportunity to attack some of the biggest companies in the world, and it might take nothing more than a username and password pair belonging to a maintenance vendor with access to those companies’ systems.
Is it really “abundantly clear”, as Lawsky suggests, that firms are being let down by sub-par cyber security procedures at their vendors? Arguably, no. What’s needed is a better way to manage the risks of third-party access to your networks and applications.
Think of how a third-party data breach is typically carried out:
- First, the hackers identify their target’s vendors. According to Brian Krebs, the perpetrators of retailer Target’s data breach may have learned about its facilities management partners – including the HVAC vendor whose credentials were used to perpetrate the breach – via a publicly accessible online portal.
- Secondly, they use spear-phishing techniques to acquire those vendors’ credentials for access to the target company’s network.
- Once inside, the hackers can look for ways to widen their foothold in their target company’s systems. If access is provisioned via VPNs, they may have direct access to the underlying network infrastructure and be able to start scanning for open ports and unsecured devices in seconds.
- The hackers might then spend weeks or months preparing to strike, studying the network’s weaknesses and installing sophisticated malware that could take just as long again to detect.
Looking at this attack pattern, it’s easy to understand how tens of millions of records have been compromised in a single incident.
Mitigating the damage potential of third-party-related breaches
With this anatomy in mind, there are a number of ways that organizations can better manage the risks of third-party access and decrease the chances that hackers are able to penetrate through each of their defense layers.
An effective security solution should be able to tell if the context of a remote connection is suspicious, such as if it originates from an unusual location or time of day, or from a device with no antivirus software installed. And it should be able to ask for additional authentication steps like one-time passwords (OTP), adjust user permissions on the fly, and ultimately block access according to this level of risk.
Equally important is micro-segmentation to limit what users can access once they are authenticated, rather than using the open, departmental VPNs that are so common today. No one should have open access to systems and applications. Users should only be able to access the resources necessary to perform their job. Hiding all other resources also limits the damage from credential theft, since a malicious user holding a stolen account cannot explore the rest of the environment.
Comprehensive logging and reporting also play a key role. Organizations should strive for complete visibility of how every employee and contractor account is used, and be able to respond to suspicious activity as early as possible.
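The three controls above (context-aware risk scoring with OTP step-up, a per-vendor resource allowlist, and an audit record of every decision) can be sketched as a single access-decision function. This is an added illustration, not code from the original post or from any product; the vendor account, the hostname, the risk weights and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple
# Constructed example: names, scores and thresholds are assumptions, not a product's.
@dataclass
class VendorPolicy:
    usual_countries: set        # countries this vendor normally connects from
    work_hours: range           # hours of day (UTC) when access is expected
    allowed_resources: set      # micro-segmentation: the only hosts it may reach

@dataclass
class Connection:
    account: str
    country: str
    hour: int
    has_antivirus: bool
    resource: str               # host or application the session asks for

# One HVAC maintenance account that should only ever reach the building system.
POLICIES = {"hvac-vendor": VendorPolicy({"US"}, range(7, 19), {"bms.facilities.internal"})}
AUDIT_LOG: List[dict] = []      # every decision is recorded for later review

def risk_score(conn: Connection, policy: VendorPolicy) -> Tuple[int, List[str]]:
    """Add up the risk signals in the connection context and name the ones that fired."""
    score, reasons = 0, []
    if conn.country not in policy.usual_countries:
        score += 40
        reasons.append("unusual-location")
    if conn.hour not in policy.work_hours:
        score += 20
        reasons.append("outside-work-hours")
    if not conn.has_antivirus:
        score += 30
        reasons.append("no-antivirus")
    return score, reasons

def decide(conn: Connection) -> str:
    """Return 'allow', 'step-up' (require an OTP) or 'deny', and log the reasons."""
    policy = POLICIES.get(conn.account)
    if policy is None:
        decision, reasons = "deny", ["unknown-account"]
    elif conn.resource not in policy.allowed_resources:
        # Segmentation is checked first: a valid login still cannot reach
        # anything outside this vendor's allowlist.
        decision, reasons = "deny", ["resource-not-in-allowlist"]
    else:
        score, reasons = risk_score(conn, policy)
        decision = "deny" if score >= 60 else "step-up" if score >= 20 else "allow"
    AUDIT_LOG.append({"account": conn.account, "resource": conn.resource,
                      "decision": decision, "reasons": reasons})
    return decision
```

A single unusual signal (off-hours, or an unfamiliar country) only triggers the OTP step-up; several together, or a request for a host outside the allowlist, are refused outright, and the audit log keeps the reasons for review.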
Chances are we’ve yet to hear the last of breaches tied to credential theft – whether third-party or employee credentials. Organizations need to change their security practices not only to better secure access, but also to limit the damage if bad actors find their way into your networks. And remember – even if your vendors are to blame, it’s your customers whose data is being compromised, and your reputation that will suffer.