October 17, 2017//Ellen NeveuxLast Updated: November 18, 2020
A recent study reports that “data breaches caused by third parties are on the rise.” In fact, the Opus Ponemon study saw 56% of respondants experienced a third party breach. That marks a 7% increase from 2016.
We continue to see evidence in the numbers and in the news that vendor risks are real and growing. In healthcare, after suffering one of the largest breaches in recent history, Anthem found itself in the headlines again this summer – and for all the wrong reasons. In July, the insurer investigated a breach that resulted in the stolen identities of 18,500 individuals – and this time it was at the hands of a third party contractor. This latest example underscores the increasing risk associated with third-party vendors, which to date comprise 63% of all data breaches.
Vendors are a likely source for cybercrime, due to their access to privileged network resources and tendency to share logins across multiple users and customers. Couple this with increased reliance on outsourced tech expertise, and one could be forgiven for feeling resigned to third-party security risk as an omnipresent, unsolvable issue.
An article by CIO Dive reflects this sentiment:
“Though the payer could have stringent cybersecurity policies and data best practices, it cannot always control the actions of third-party providers. Some of the most high-profile data breaches have come at the hands of third-party providers. In the Target breach, hackers broke into corporate systems using network credentials from the retailer’s refrigeration and HVAC provider. But the problem is companies can’t do away with the third party ecosystem. Organizations need external providers to help keep systems running, whether that’s building service providers or insurance coordination services.”
While third-party remote access security is an evolving and growing threat, there are practical steps one can take to minimize risk:
Eliminate shared accounts
Using a single maintenance account to authenticate an entire company greatly increases risk. Your vendor may have dozens or hundreds of individuals who require access to your network. Support technicians frequently switch companies, and if you use shared accounts, they might be taking powerful login access, frequently jotted down on a sticky note or an Excel spreadsheet, with them. If this credential falls into the wrong hands, it can be used to establish a beachhead into your network to probe for attack vectors. Experienced cybercriminals realize that it’s easier to find one weak vendor password, therefore gaining access into potentially hundreds of endpoints, than hack each one individually.
The Solution: Though it may seem like a large headache, take the time to mandate individual accounts for every vendor. For additional security, enforce logins from only approved networks and add a second factor that ties to the individual, such as a mobile device or corporate email. To ease administrative burden, consider a vendor management platform that allows self-registration of vendors.
Enforce least privilege
All too often, VPNs grant access to an entire network, even though the vendor in question may only require access to a handful of servers and protocols. This unfettered access increases the potential scope of any breach. Desktop sharing solutions, such as Web Ex, are a risky alternative because they can allow undetected network access, with no central audit or accountability.
The Solution: Segregate your network into trusted zones, which contain only the systems the vendor needs to do their work. Ideally, these zones are disabled by default and only enabled when specifically requested. This can be accomplished with virtualization, firewalls, or with a network-based remote access platform. For best practices, consider segmenting your applications even further, potentially separating your production environments from your test systems. Furthermore, create a policy to restrict the use of remote control solutions.
Maintain an audit
Experienced hackers know it can be difficult, to determine if someone is accessing a network for legitimate business purposes or for something more nefarious.
The Solution: A contextual audit, replete with user identity, company name, timestamps, network access information, and even custom information such as reason for connecting or case number can really help with the forensic effort of searching for anomalies. This information can be difficult to scrape together from various event logs; consider a dedicated portal that tracks and reports this information and assigns it to a particular user.
In terms of being regarded as a distinct form of network security risk policy, third-party access is still in its infancy. Certifications like the CTPRP and companies dedicated specifically to third-party remote security are helping to stem this knowledge divide. With the right mix of policy and technology, organizations can go a long way towards ensuring the right vendors have access to everything they need – and nothing else.
Justin Strackany is the Chief Customer Officer at SecureLink and a recognized leader in third-party remote access policy.
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.