By Morey Haber, Chief Technology Officer & Chief Information Security Officer, BeyondTrust
Realizing that most large organizations today have sophisticated security defences, bad actors are beginning to target third-party vendors as a means to gain access to an enterprise’s network. In fact, in 2018, over 11 significant breaches were caused by exploitation of third-party vendors, and according to Carbon Black’s 2019 Global Incident Response Threat Report, 50% of today’s attacks leverage what it calls “island hopping”, where attackers are not only after an enterprise’s network, but all those along the supply chain as well.
IT admins, insiders, and third-party vendors need privileged access to perform their roles, but this shouldn’t mean ceding control of the IT environment to them. Organizations typically allow vendors to access their networks to perform a variety of different functions. However, this privileged access should be secured to the same (or higher) extent as the organization’s internal privileged users. Neglecting to do so will create a weak spot in your organization’s security that is ripe for exploit.
Because organizations typically use IT products and software solutions from a variety of vendors, IT is tasked with the enormous burden of having to secure remote access for these vendors, so that they may provide maintenance and troubleshooting for their products. As a consequence, organizations are faced with the dilemma of having to provide the needed access while also guarding against malware and bad actors entering through third-party connections.
Given that third-party vendors are an integral part of most organizations’ ecosystem (something that isn’t going to change anytime soon), there are seven steps you can take to exert better control over third-party vendor network connections and secure remote access.
Monitor & examine vendor activity
First, it’s imperative to scrutinize third-party vendor activity to enforce established policies for system access. You want to understand whether a policy violation was a simple mistake or an indication of malicious intent. You should implement session recording to gain complete visibility over a given session. And finally, you should correlate information so that you have a holistic view that enables you to spot trends and patterns that are out of the ordinary.
Here are some ways to approach monitoring:
- Inventory your third-party vendor connections to understand where these connections come from, what they are connected to, and who has access to what
- Look for firewall rules that permit inbound connections you were not aware of
- Perform vulnerability scans on your external-facing hosts to search for services that are listening for inbound connections
- Validate that your enterprise password security policies apply to accounts on inbound network connections
- Implement policies and standards specific to third-party issues, and use technical controls to enforce them
- Monitor for any security deficiencies and then address them
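One way to act on the first two items above, reconciling an inbound firewall rule set against an inventory of approved vendor connections, as an added example that is not part of the original article or any BeyondTrust product. The rule export format, the inventory entries and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    direction: str  # "inbound" or "outbound"
    src: str        # remote source, host or CIDR
    dst: str        # internal destination, host or CIDR
    port: int

# Constructed inventory of approved vendor connections: where each vendor
# connects from, what it may reach, and on which port.
VENDOR_INVENTORY = {
    "hvac-vendor": {"src": "203.0.113.0/24", "dst": "10.10.5.20", "port": 443},
    "erp-support": {"src": "198.51.100.7", "dst": "10.10.7.0/24", "port": 22},
}

# Constructed firewall export, one comma-separated rule per line.
FIREWALL_EXPORT = """\
hvac-remote,allow,inbound,203.0.113.0/24,10.10.5.20,443
erp-ssh,allow,inbound,198.51.100.7,10.10.7.0/24,22
legacy-rdp,allow,inbound,0.0.0.0/0,10.10.9.15,3389
blocked-telnet,deny,inbound,0.0.0.0/0,10.10.0.0/16,23
backup-out,allow,outbound,10.10.0.0/16,192.0.2.10,443
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if line.strip():
            name, action, direction, src, dst, port = line.split(",")
            rules.append(Rule(name, action, direction, src, dst, int(port)))
    return rules

def covered_by(rule, entry):
    """True if the rule's source and destination both fall inside the inventory entry."""
    net = ipaddress.ip_network
    return (net(rule.src).subnet_of(net(entry["src"]))
            and net(rule.dst).subnet_of(net(entry["dst"]))
            and rule.port == entry["port"])

def unknown_inbound_rules(rules, inventory):
    """Names of inbound allow rules that no inventoried vendor connection accounts for."""
    return [r.name for r in rules
            if r.action == "allow" and r.direction == "inbound"
            and not any(covered_by(r, e) for e in inventory.values())]
```

Every name this returns is either an undocumented vendor pathway that belongs in the inventory or a rule that should be removed; the wide-open RDP rule in the sample is the kind of finding the inventory step is meant to surface.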
Limit network access
Most of your vendors only need access to very specific systems, so to better protect your organization, limit access using physical or logical network segmentation and channel access through known pathways. You can accomplish this by leveraging a privileged access management solution to block unapproved protocols and direct approved sessions along a predefined route.
Apply multiple robust internal safeguards
As with other types of threats, a multi-layered defense is key to protecting against threats arising from third-party access. Apply encryption, multi-factor authentication (MFA), and a comprehensive data security policy, amongst other measures.
Educate your internal and external stakeholders
On average, it takes about 197 days for an organization to realize that it has been breached. A lot of damage can be done in 197 days. Educate across the enterprise and continually reinforce the message that the risks are real.
Conduct vendor assessments
Your service-level agreement (SLA) with third-party vendors should spell out the security standards you expect them to comply with, and you should routinely review compliance performance with your vendors. At a minimum, your vendors should implement the security basics, such as vulnerability management. You should also enforce strong controls over the use of credentials—always with a clear line-of-sight into who is using the credential, and for what purpose.
Authenticate user behavior
Vendor and partner credentials are often very weak and susceptible to inadvertent disclosure. Therefore, the best way to protect credentials is to proactively manage and control them. You can do this by eliminating shared accounts, enforcing onboarding, and using background checks to identity-proof the third-party individuals who access your systems.
Prevent unauthorized commands & mistakes
One step you want to take is to broker permissions to various target systems using different accounts, each with varying levels of permission. You should restrict the commands that a specific user can run, via blacklists and whitelists, to provide a high degree of control and flexibility. To this end, use a privileged access management solution, enable fine-grained permission controls, and enforce the principle of least privilege (PoLP).
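The per-account brokering and command restriction described here, together with the session recording and correlation from the first step, as an added example that is not part of the original article or any BeyondTrust product. The policies, account names, hosts and the session recording are all constructed; a real deployment would enforce this inside the session broker rather than after the fact.

```python
import re
import shlex
from collections import Counter

# Constructed policies: each brokered account gets only the targets and commands its task needs.
POLICIES = {
    "vendor-hvac-ro": {"targets": {"hvac-ctrl-01"},
                       "allow": {"cat", "tail", "systemctl", "journalctl"},
                       "deny": [r"\bsystemctl\s+(stop|disable)\b"]},
    "vendor-erp-admin": {"targets": {"erp-app-01", "erp-app-02"},
                         "allow": {"cat", "tail", "systemctl", "sudo", "cp"},
                         "deny": [r"\brm\s+-rf\b", r"/etc/shadow", r"\buseradd\b"]},
}

# Constructed session recording: (timestamp, account, target host, command line).
SESSION_LOG = [
    ("2019-06-03T10:01:02", "vendor-hvac-ro", "hvac-ctrl-01", "tail -n 200 /var/log/hvac.log"),
    ("2019-06-03T10:04:17", "vendor-hvac-ro", "hvac-ctrl-01", "systemctl stop firewalld"),
    ("2019-06-03T10:05:40", "vendor-hvac-ro", "erp-app-01", "cat /etc/hosts"),
    ("2019-06-03T11:12:09", "vendor-erp-admin", "erp-app-02", "sudo cat /etc/shadow"),
    ("2019-06-03T11:20:00", "vendor-erp-admin", "erp-app-01", "useradd svc-vendor"),
    ("2019-06-03T11:25:00", "contractor-temp", "erp-app-01", "cat /etc/hosts"),
]

def check_command(policy, host, cmd):
    """Return None if the command is permitted under the policy, else the reason it is not."""
    if host not in policy["targets"]:
        return "target not brokered for this account"
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return "unparseable command line"
    if not argv or argv[0] not in policy["allow"]:
        return "command not on allowlist"
    if any(re.search(p, cmd) for p in policy["deny"]):
        return "command matches deny pattern"
    return None

def evaluate(events, policies=POLICIES):
    violations = []
    for ts, account, host, cmd in events:
        policy = policies.get(account)
        reason = "unknown account" if policy is None else check_command(policy, host, cmd)
        if reason:
            violations.append((ts, account, host, cmd, reason))
    return violations

def violations_by_account(violations):
    """Correlate across sessions so repeat offenders stand out from one-off mistakes."""
    return Counter(v[1] for v in violations)
```

Note that the allowlist is checked on the parsed first token and the deny patterns on the raw line, so a permitted tool invoked with a forbidden argument (the `sudo cat /etc/shadow` event) is still caught; an unparseable line is reported rather than silently passed.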
Vendor access is often inadequately controlled, making it a favored target of cyber attackers. By layering on these seven steps, you can exert better control over third-party access to your environment and make significant progress toward reducing cyber risk.
About the Author
With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing privileged access management, remote access, and vulnerability management solutions, and BeyondTrust’s own internal information security strategies. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures for Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.