Managing the Risks of Third-Party Access
Recently, some of the most catastrophic data breaches in history made US companies answerable to millions of customers whose data was compromised, and cost those companies millions in remediation and lost revenue. In the most notable cases, usernames and passwords stolen from third-party vendors were the entry point.
Many of today’s security solutions, even when used in combination, simply aren’t designed to mitigate the risks associated with third-party access. To address this, organizations must adopt a user-centric, context-aware model that is built on the principle of least privilege and leverages the Software-Defined Perimeter model. An ideal solution creates a dynamic, individualized perimeter for each user, a network ‘segment of one’ between the user and the network resources they are authorized to access, and lets that network access change dynamically based on user context.
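As an added illustration of the ‘segment of one’ idea above (not code from the original article or from any product), this Python example derives a vendor’s reachable resources from policy plus context, with default deny. The policy layout, the context signals (MFA, device compliance, source network, time window) and all host names and addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Entitlement:
    host: str               # the one resource this vendor needs
    port: int
    source_nets: tuple      # networks the vendor is expected to connect from
    hours: tuple            # (start, end) window in which access is permitted

@dataclass(frozen=True)
class Context:
    user: str
    source_ip: str
    now: time
    mfa_passed: bool        # assumed context signal
    device_compliant: bool  # assumed context signal

# Constructed sample policy; hosts and addresses are placeholders.
POLICY = {
    "hvac-vendor": [
        Entitlement("hvac-mgmt.example.internal", 443,
                    ("203.0.113.0/24",), (time(8, 0), time(18, 0))),
    ],
}

def segment_of_one(ctx, policy=POLICY):
    """Return the (host, port) pairs this user may reach in this context.
    Default deny: anything not returned is unreachable for the session."""
    if not (ctx.mfa_passed and ctx.device_compliant):
        return set()
    src = ip_address(ctx.source_ip)
    allowed = set()
    for e in policy.get(ctx.user, []):
        from_known_net = any(src in ip_network(n) for n in e.source_nets)
        in_hours = e.hours[0] <= ctx.now <= e.hours[1]
        if from_known_net and in_hours:
            allowed.add((e.host, e.port))
    return allowed

def authorize(ctx, host, port):
    """Evaluate on every connection so a change in context revokes access."""
    return (host, port) in segment_of_one(ctx)
```

With this shape, a valid vendor password presented from an unexpected network or outside the agreed window yields an empty segment, and even a fully valid session reaches only the single entitled host and port.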
Third-Party Credentials: The Easy Way into Your Network
According to Benjamin M. Lawsky, Superintendent of Financial Services, New York State, “It is abundantly clear that, in many respects, a firm’s level of cyber security is only as good as the cyber security of its vendors.” This trend isn’t new by any means.
According to Digital Guardian’s Nate Lord, “recent years have seen many examples of data breaches and other cybercrime being carried out via third-party compromises. High profile examples in 2015 included the PNI Photo hack that led to compromises of online photo services at CVS, Costco, Sam’s Club and more, as well as the data breach at Medical Informatics Engineering (MIE), provider of EHR software NoMoreClipboard, which made off with data on a targeted group of MIE clients.”
Attackers have discovered a ripe opportunity to attack some of the biggest companies in the world, and it might take nothing more than a username and password pair from a maintenance vendor with access to systems.
As recently as a few years ago, third-party credential theft was practically unheard of as a means to gain access to the most sensitive areas of a business network. Now, though, it’s one of the biggest threats out there. If you’re a large enterprise like Target or Home Depot, the easiest way for attackers to get into your network is likely to go through your third-party vendors. Your HVAC contractor, for example, will probably have a privileged user account in order to remotely push patches and updates to your systems. What it won’t have, however, is the security policy and culpability that would normally accompany this degree of access.
As your organization grows, you’ll start working with more and more of these vendors. And each could potentially offer attackers a direct route into your most sensitive network segments.
Think of how a third-party data breach is typically carried out:
- The attackers identify their target’s vendors. According to Brian Krebs, author of the blog KrebsOnSecurity, the perpetrators of retailer Target’s data breach may have learned about its facilities management partners, and the HVAC vendor whose credentials were used to perpetrate the breach, via a publicly accessible online portal.
- They use spear-phishing techniques to acquire those vendors’ credentials for access to the target company’s network.
- Once inside, the attackers can look for ways to widen their foothold in their target company’s systems by moving laterally across VLANs. If access is provisioned via VPNs, they may have direct access to the underlying network infrastructure and be able to start scanning for open ports and unsecured devices in seconds.
- The attackers might then spend weeks or months preparing to strike, studying the network’s weaknesses and installing sophisticated malware that could take just as long again to detect.
Looking at this attack pattern, it’s easy to understand how tens of millions of records are compromised in a single incident.
How, then, can you mitigate the impact of third-party credential theft? Working alongside each of your business partners to strengthen their individual security profiles is a noble goal, but not a practical one. What’s needed is a better way to manage the risks of third-party access to your networks and applications.
Unfortunately, most organizations are relying on old technologies.