April 29, 2020 // Tony Howlett // Last Updated: June 04, 2020
In these strange times, companies face increased and expanded cybersecurity threats. Enterprise security perimeters expanded exponentially almost overnight as both employees and vendor reps began working from their homes. Threat actors are using the pandemic to create new, devious phishing and social engineering campaigns with which to lure your staff. And during extreme events such as a pandemic, it is more likely that employees or former employees could go rogue because of financial distress. This already-heightened threat is magnified further for third parties accessing your network.
With the uncertainty that the COVID-19 pandemic has brought into the world, it’s likely that some internal employees may think to sell their login credentials. Values of credentials of all kinds have been rising every year, with healthcare logins topping the list at $500 per record according to a VMware study. However, if an internal employee only has one credential to sell, it provides external hackers with little value unless they are able to move laterally and infect other machines. Additionally, the seller would need the technical knowledge of how to get onto the Dark Web, navigate the depths of its many murky marketplaces, and take payment in Bitcoin.
Even internal administrators have only one credential to sell. Hackers like to buy wholesale and in bulk. Think about it — they take the same risk in making a transaction to buy one credential versus 1,000, except that the latter is infinitely more valuable to them.
This is why your vendors, particularly technology vendors, represent the greatest risk in terms of credential theft and sale. A vendor rep for those companies may have access to hundreds or even thousands of companies, often at a privileged level. This means that a technical rep has a very valuable asset and might be tempted to monetize that asset in these scary times. And the damage that one person can do with this power to each of his or her enterprise customers is immense.
Now, the vast majority of technology vendors and their employees are never going to violate their customers’ trust, in good times or bad. But the fact remains that in desperate times, some people do desperate things, including your vendor’s employees.
Having your vendors credentialed through a single sign-on (SSO) system makes removing them quickly when they are terminated much easier. Typically, this requires having them in your internal credential directory service, which can add management overhead when onboarding them. You can add a further level of protection and streamline the process by federating authentication down to your vendor’s own directory system. This has the added benefit of making the removal of terminated vendor reps almost real-time, because companies typically remove employees from their directory service immediately upon the end of employment.
Credential vaulting, such as that available in vendor privileged access management (VPAM) systems, can provide a key roadblock for users of stolen credentials. [Editor’s note: The author’s company is one of a number of vendors that sell VPAM systems.] These systems keep all privileged credentials in an encrypted vault and never let users see the actual login information. Instead, a user checks out the right to use a credential; the checkout is logged, the vault passes the credential to the appropriate system, and the login is initiated for the user automatically.
This keeps a key credential from being stolen, because the user never had the login information in the first place. These systems also provide valuable usage and tracking information for all your privileged logins for use in monitoring and audit efforts.
A strong defense against third-party credential abuse is an integrated vendor management system that provides controls and protections at each step of the process. VPAM is designed to treat vendors differently than internal users at each stage of access: identification, onboarding, authentication (credential vaulting), authorization (granular least privilege), monitoring (detailed logs with video capture and keystrokes of vendor sessions), and instant offboarding. These systems provide all the key controls you need to limit vendor and third-party risk from credential abuse and theft, both during crisis times and normal operations, all in a single platform.
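To make the check-out model and the VPAM stages above concrete, here is an added example (not code from the article, the author’s company, or any VPAM product) of a minimal credential broker in Python. The vault stores a privileged password encrypted, enforces a per-user, per-target grant (least privilege), writes an audit entry for every check-out or denial, performs the login on the vendor user’s behalf, and offboards a user by dropping all grants at once. The caller only ever receives an opaque session id, never the password. The target system, account and password are constructed sample values, and the HMAC-based stream cipher is a stand-in so the example runs with the standard library; a real vault would use an audited AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: an HMAC-SHA256 keystream XORed over the data.

    Illustrative only (assumption: stdlib-only). A production vault would use
    an audited AEAD such as AES-GCM from a proper crypto library.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class TargetSystem:
    """Stand-in for a customer system the vendor rep needs to reach (constructed)."""
    name: str
    account: str
    password: str  # what the real system holds in its own authentication store
    sessions: List[str] = field(default_factory=list)

    def login(self, account: str, password: str) -> str:
        """Constant-time credential check; returns an opaque session id on success."""
        if account != self.account or not hmac.compare_digest(password, self.password):
            raise PermissionError(f"{self.name}: bad credential")
        session = secrets.token_hex(8)
        self.sessions.append(session)
        return session


class CredentialVault:
    """VPAM-style broker: privileged credentials stay encrypted in the vault, a
    vendor user checks out the *right to use* one, the event is logged, and the
    vault logs in on the user's behalf. Plaintext never reaches the caller."""

    def __init__(self) -> None:
        self._master_key = secrets.token_bytes(32)
        self._secrets: Dict[str, tuple] = {}    # target -> (nonce, ciphertext, account)
        self._grants: Dict[str, Set[str]] = {}  # vendor user -> targets they may reach
        self.audit: List[dict] = []             # monitoring / audit trail

    def store(self, target: str, account: str, password: str) -> None:
        """Authentication stage: vault the credential encrypted under the master key."""
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(self._master_key, nonce, password.encode())
        self._secrets[target] = (nonce, ct, account)

    def grant(self, vendor_user: str, target: str) -> None:
        """Authorization stage: granular, per-target least privilege."""
        self._grants.setdefault(vendor_user, set()).add(target)

    def offboard(self, vendor_user: str) -> None:
        """Instant offboarding: every grant for the user disappears at once."""
        self._grants.pop(vendor_user, None)
        self._log(vendor_user, "*", "offboarded")

    def checkout(self, vendor_user: str, target: str, systems: Dict[str, TargetSystem]) -> str:
        """Authorize, decrypt inside the vault, log, and log in for the user.
        Only the resulting session id is returned."""
        if target not in self._grants.get(vendor_user, set()):
            self._log(vendor_user, target, "denied")
            raise PermissionError(f"{vendor_user} is not authorized for {target}")
        nonce, ct, account = self._secrets[target]
        password = _keystream_xor(self._master_key, nonce, ct).decode()
        session = systems[target].login(account, password)
        self._log(vendor_user, target, "checkout")
        return session

    def ciphertext(self, target: str) -> bytes:
        """Exposed so a reviewer can confirm the vault holds no plaintext."""
        return self._secrets[target][1]

    def _log(self, user: str, target: str, event: str) -> None:
        self.audit.append({"ts": time.time(), "user": user, "target": target, "event": event})


def demo():
    """Walk the lifecycle: store, grant, check out, deny, offboard, deny again."""
    db = TargetSystem("prod-db", "dba", "c0rrect-horse-battery")  # constructed sample
    systems = {"prod-db": db}
    vault = CredentialVault()
    vault.store("prod-db", "dba", db.password)
    vault.grant("vendor.alice", "prod-db")

    session = vault.checkout("vendor.alice", "prod-db", systems)  # allowed, logged
    try:
        vault.checkout("vendor.alice", "hr-system", systems)       # not granted: denied
    except PermissionError:
        pass
    vault.offboard("vendor.alice")                                 # rep terminated
    try:
        vault.checkout("vendor.alice", "prod-db", systems)         # former grant is gone
    except PermissionError:
        pass
    return vault, session


if __name__ == "__main__":
    vault, _ = demo()
    for entry in vault.audit:
        print(entry["user"], entry["target"], entry["event"])
```

The point to take from the flow is the shape of the interfaces, not the toy cipher: `checkout` is the only path to the secret, it both authorizes and logs before anything happens, and the password is decrypted and consumed inside the vault in the same call, so a vendor rep who is later offboarded (or a thief with the rep’s vault login) is left with nothing to sell.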
Whichever strategy and tool set you choose, make sure you also tweak your key policies such as your incident response and business continuity plans, your education programs, and other communications in order to integrate your new efforts with your existing programs and controls for third-party risk management.