In 2013, hackers using a phishing campaign and a piece of malware known as Citadel broke into the systems of an HVAC company that happened to be a vendor for the retail chain Target. The attackers stole the vendor’s credentials for an internal Target webserver (thought to be used for outside vendors). From there, the attackers leveraged a vulnerability on the internal server and conducted reconnaissance – ultimately identifying point-of-sales devices that were liable to the use of an exploit the attackers had at their disposal. So, goes the story of the famed Target breach.
The Target breach is a good example of how a threat to a third party can affect a company. Last week we discussed some basics about third party risk – focusing on the “who,” “what” and “where.” In the Target example, the HVAC company is clearly the “who” and the phishing attack characterizes “what” risk they could pose. Perhaps most importantly is “where” and in this case, it is the access to the internal Target web server – the key touchpoint that enabled the attack.
In this article, we will make these concepts a bit more concrete by describing some of the common facets of a third-party risk program. This builds on the first part in this blog series I posted last week. Ultimately, the goal of any successful risk management program is to drive better decisions. So, the mechanisms a company uses to stay on top of the “who,” “what,” and “where” should help a chief security officer or chief risk officer implement policies that can mitigate risk. For example, consider the following actions could have all mitigated the effects of the target breach:
• Segment the internal web server from the rest of the Target network
• Aggressively scan and patch the internal web server
• Require two-factor authentication for the internal web server
Note that the above items may not have stopped the attack from happening – for instance if a hacker used a zero-day, then patching would not have stopped the attack. However, the chances of using a zero day on the web server are much lower than a standard exploit. But the idea is this: security personnel have limited resources, and decisions driving the use of those resources should be driven by well-informed risk-reduction analysis.
Now, there are several companies that propose frameworks for analyzing third party risk including the “big four” accounting firms as well as newer cybersecurity companies. However, there are several common facets that are sensible to include:
Inventory of third parties. Clearly, to answer the “who” question, an inventory of third parties must be kept and maintained.
Assessment procedures. Many firms will conduct some sort of assessment on associated third parties. At a basic level, these center around surveys, but also can include certain certifications and audits. Assessments can even include evaluations of externally-facing computing infrastructure or threat intelligence.
Monitoring and updates. As cyber threats are constantly evolving, it is also important to further one’s picture of relevant third parties. Hence, assessments and audits should become periodic and third-party intelligence monitoring should be fairly constant.
Threat-focused. As assessment requirements of a third party inevitably become intertwined with contracts, it becomes easy for a firm to overlook the threats affecting a third party. Additionally, there may be certain threats that affect multiple third parties. Hence, ignoring threats does not provide a full picture. Understanding which third parties are routinely targeted allows one to better focus resources.
Next week we will take a closer look at the “threat-focused” aspect of third party risk management and examine how threat intelligence can enhance a risk management strategy and lead to better decisions.
Disclosure: the author is CEO of CYR3CON, a cybersecurity company that specializes in identifying cyber-threats in their earliest stages, leveraging both human analysts and advanced machine learning capabilities. In 2017, CYR3CON was named finalist in PwC’s Cybersecurity Day, the Arizona Technology Council’s “Startup of the year”, and MD5 Starts Austin in addition to winning a Defense Innovation Challenge award.