Uber is back in the spotlight, this time for a breach involving a third-party vendor. According to reports, an attacker accessed the vendor organization’s public cloud backup server, obtaining and then leaking sensitive Uber data, including information on more than 77,000 employees. Just days later, a large cryptocurrency exchange disclosed a data leak of over 5.7 million emails that stemmed from an attack on a third party.
Such stories are unsettling – sober reminders that any weakness in any third-party vendor could make your organization the next big headline. While “who done it” and “how” questions swirl about these high-profile incidents, many security teams are contemplating how to protect their critical systems and data from attacks involving third-party vendors.
While I wish I could give them a simple checklist, there is no easy way to erase third-party risk. However, I can offer seven observations and best practices based on our CyberArk Remediation Services team’s work in helping organizations recover from some of the world’s largest breaches:
- The buck stops with you. A vendor supply chain is a lot like an assembly line. Organizations bring on third parties to perform certain tasks because it’s cheaper or easier for them to do so. It’s also a way to circumvent regulatory hurdles since smaller third-party organizations aren’t beholden to the same compliance regulations. But the buck ultimately stops with your organization. Your third-party vendors become an extension of your organization, and you are only as strong as your weakest link. As such, your vendor selection choices matter, and trust – building it and keeping it – is the foundation of everything.
- EXCEPT when it comes to security controls. Here, it’s best to remove trust from the equation entirely by enforcing Zero Trust access principles with zero exceptions. Authenticate your third-party users (and their devices) each time they require privileged access to your corporate systems. Bonus points if you can do so in a way that’s both secure and minimally bothersome for the end-user, like using biometrics.
- Separate, separate, separate. Many organizations struggle with network topology. Just because a third-party vendor requires access to sensitive data and systems doesn’t mean they should get access to everything, which is something we see all too often. For this, network separation is the name of the game.
- Don’t assume your internal controls match your third-party controls. For instance, your existing privileged access management solution may isolate and monitor employees’ privileged user sessions, but what about the sessions of third-party staff and outside devices? Ensuring that strong privileged access practices and policies extend across your supplier ecosystem isn’t just about risk reduction. FIPS 200, HIPAA, PCI DSS and many industry regulations require such controls.
- Third-party vendor audits are important, but not fail-safe. Regularly validating your vendors’ own internal security controls is important for understanding whether their VPN system is up to date, whether rogue IoT devices are present on their network, how they’re securing their cloud environments and so on. But just because a company scores an A+ on a security assessment today doesn’t mean its security controls won’t slip tomorrow.
- Consistency is key. To combat the erosion of security controls, promote consistency in your vendors’ security practices. For example, automated dynamic or per-session controls can help them eliminate long-standing access and validate least privilege enforcement continuously, reducing risk (along with the headaches associated with manual provisioning).
- Show me the data. Penetration testing and Red Team exercises reveal all kinds of issues you didn’t know you had. Your organization should conduct them, and your vendors should too. Ask third-party vendors to share their test results so you can address gaps in a collaborative, transparent manner.
As an organization, there is only so much you can do to mitigate third-party breaches like those seen this week. You cannot assume equivalent controls exist at your third-party organizations – another reason why an “assume breach” mindset is the logical cybersecurity approach. With this mindset, your priority shifts from preventing attacks to stopping them before they stop business. Embracing a proactive Identity Security strategy – which calls for defense-in-depth and paves the way for Zero Trust – and holding your third-party partners to the same standards is critical to strengthening vendor supply chain security and measurably reducing risk.
Interested in learning more? See how your organization can secure third-party access to critical internal resources with full session isolation, monitoring and audit capabilities without the need for VPNs, passwords or agents.