Service Providers: a Weak Link in an Organization’s Cyber Security Program?
Vendor-related IT security is a well-documented concern within the cyber security industry. In exploring the main cyber security challenges with third-party vendors, a recent Mandiant report highlights several issues associated with attacks stemming from IT outsourcing (ITO).
According to the report, a compromised ITO service provider can enable an attacker to shortcut the Targeted Attack Lifecycle and execute an advanced attack. When an attacker infiltrates a targeted company’s network using the compromised ITO infrastructure, they have essentially skipped the first three phases of the lifecycle including the need to craft an exploit, like a spear phishing email.
“This shortcut allows the attackers to scale, improving efficiency and reducing efforts required to complete their missions…We expect this trend to continue until the cost of operating through outsourced service providers becomes too great for the attack groups to bear.”
– M-Trends 2016
The Mandiant report also noted organizations are frequently in the dark with regard to the security capabilities of a vendor’s network. Often organizations struggle to answer the basic questions of a vendor’s security posture:
- Do they have a security operations center?
- Do they have encryption?
- Have they ever experienced a breach?
Ideally, organizations should understand these and other questions before letting their vendors within their firewalls.
The problem of vendor security is so serious that the New York State Department of Financial Services (NYDFS) released a report focusing on potential cyber security vulnerabilities with banks’ third-party vendors.
According to the NYDFS, banks that rely on third-party vendors for a broad-range of services don’t often realize or account for the fact that those third-party firms often have access to a financial institution’s information technology systems, providing a potential point of entry for hackers.
Among other findings the NYDFS report uncovered that nearly 1 in 3 banks surveyed do not require their third-party vendors to notify them of cyber security breaches. NYDFS expects to move forward on regulations to strengthen cyber security standards for banks’ third-party vendors, but vendors and service providers across all industries need to do more to address the issues.
Despite these vendor-related cyber security issues, companies can mitigate the risks associated with a breach in a proactive and effective manner. Taking basic steps to protect and manage credentials used by third parties, and securing and monitoring remote vendor sessions, can go a long way in protecting target organizations without inconveniencing vendors. By implementing such controls, organizations will have better oversight of security and avoid slipshod or ineffective security practices associated with their service providers.
One key tip that the M-Trends 2016 report recommends with vendor security is to monitor the use of privileged accounts.
“Monitor the use of privileged accounts, including those associated with outsourced service providers. Attackers target privileged accounts such as local administrator, domain administrator, and service accounts.”
The bottom line for taking control of security within a vendor relationship is to avoid leaving the credentials under full control of the vendor or your own internal users for that matter.
Cyber Security as a Feature
Forward-looking service providers need to start thinking about security from a community perspective. Ideally, they will integrate a strong cyber security posture as a feature that is highlighted within their value proposition.
Cyber security is not traditionally at the core of vendor management and third-party offerings. However, there will be a tipping point where it’s expected that third-party organizations are more security focused. Ultimately they will prioritize security and highlight it as a key part of their service.
From the vendor’s perspective what does it mean to place value on cyber security? Vendors should, for example, start to focus on internal capabilities including Multi-Factor Authentication (MFA), data encryption, insider threat detection, and a cyber education and awareness platform to help thwart phishing and data breaches.
One way for vendors to integrate cyber security as a core competency is to partner with a security firm to improve their offering. Additionally, they can continue to educate their staff on the nuances of cyber security including common vulnerabilities and methods for defending data and networks.
Remote vendors and outsourced service providers are core to most businesses. From CRM systems and payment solutions, to hardware and operational technology, vendors impact or have access, whether direct or indirect, to systems that run businesses.
In order to mitigate the risks vendors introduce, these companies need to take the lead by offering cyber security programs at the core of their key features. In the meantime, organizations can also mitigate the risk by closely managing and securing vendor credentials, isolating and monitoring vendor sessions, and continuing to watch for and alert on suspicious activity.