Gregory C. Rasner

Cybersecurity and Third-Party Risk

investment that CISOs and cybersecurity professionals have made in the last 20 years has been proven effective in many ways. Most companies and governments that know they will be a target (due to size, money, power) have beefed up their own cybersecurity. But behind these medium and large organizations are thousands or millions of smaller companies that are focused on selling, not securing, their data. Cybersecurity can lean into this area more forcefully, trying and implementing new capabilities learned from other cyber domains and from leadership. The need is to take Cybersecurity Third‐Party Risk from a compliance‐driven effort to an active approach that is always learning and always searching for risk, in order to lower the risk posed by vendors.

      Cybersecurity has three main pillars: Confidentiality, Integrity and Availability (CIA):

       Confidentiality: Prescribes that only authorized users and systems should be able to access or modify data.

       Integrity: Data should be maintained in a correct state and cannot be improperly modified.

       Availability: Authorized users should be able to access data when needed.

       Does the vendor store our data in ways that make it more secure?

       Will this product ensure the integrity of our data in the cloud?

       Can the vendor ensure that the data will be available when required to those who need it?

      Because this book is mainly focused on third parties, its references are framed with that focus in mind. It is not about what security your organization is performing, but what is going on at the third party, both in the specific services they provide and in how they secure their own enterprise. We include several examples of how a vendor's connection is used to target a company, and how the vendor's company‐wide cyber controls directly impact the ability to protect a company's data and any connection to your network (both intermittent and persistent).

      Some terminology and a few foundational cybersecurity principles are required for a discussion on vendor risk management. Many of these concepts and components of cybersecurity are reviewed throughout this book. The reader isn't expected to be a cybersecurity expert; however, it's easier to grasp risk, priority, and actions if you have a basic understanding of them. You should keep the following bolded terms, which have simplified explanations, in mind.

      Another area of encryption to focus on is the three states of data. Data exists in three states: at rest, in motion, and in use. At rest is as it sounds, meaning the data sits in a database or file. In motion refers to data traveling over a network or the internet. When a process is using the data, as in the CPU or memory, it is considered to be in use. In all three states, it is important to have the data encrypted. As you engage vendors on how they protect the data, ensure that your discussion covers all three states.

      In recent years, a new mantra has been born: “Identity is the new perimeter.” This statement refers to how millions of people, especially after the rush to remote work during the COVID‐19 pandemic, are now connecting to work and school away from those places. Their identities, which are used to connect users to organizations, work, or school, and how that access is managed (known as access management) are very important when protecting the enterprise (and the data that resides internally at the vendor). It requires entities to focus on several areas for third‐party risk.

      The most common type of access in corporate environments, role‐based access (RBAC), includes predefined job roles with a specific set of access privileges. The implementation is best shown by contrasting two roles. For example, a human resources (HR) manager will likely have access to payroll and personnel files. However, if they try to log in to a finance server, it will not permit them to connect because they do not have a role in the finance department. If the HR manager requires entry into that server, they must submit a business reason to the access management team for needing access to that server.
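A minimal model of the RBAC flow just described (predefined roles, deny by default, and an out‐of‐role access request that must carry a business reason), as an added example that is not from the book; the role and resource names are constructed for illustration:

```python
from dataclasses import dataclass, field

# Each role maps to the resources it may reach (constructed sample data, not from the book).
ROLE_PERMISSIONS = {
    "hr_manager": {"payroll", "personnel_files"},
    "finance_analyst": {"finance_server", "general_ledger"},
}

@dataclass
class User:
    name: str
    roles: set
    exceptions: set = field(default_factory=set)  # approved out-of-role grants

@dataclass
class AccessRequest:
    user: str
    resource: str
    business_reason: str
    approved: bool = False

def permitted_resources(user: User) -> set:
    """Union of every assigned role's permissions plus approved exceptions."""
    allowed = set()
    for role in user.roles:
        allowed |= ROLE_PERMISSIONS.get(role, set())
    return allowed | user.exceptions

def check_access(user: User, resource: str) -> bool:
    """Deny by default: only a role or an approved exception grants access."""
    return resource in permitted_resources(user)

def request_access(user: User, resource: str, business_reason: str) -> AccessRequest:
    """Open a request to the access management team; a reason is mandatory."""
    if not business_reason.strip():
        raise ValueError("a business reason is required for an access request")
    return AccessRequest(user.name, resource, business_reason)

def approve(user: User, req: AccessRequest) -> None:
    """Access management approves the request, granting a single-resource exception."""
    if req.user != user.name:
        raise ValueError("request does not belong to this user")
    req.approved = True
    user.exceptions.add(req.resource)
```

For a user holding only the hr_manager role, check_access returns True for payroll and False for finance_server until a request with a business reason is approved, after which only that one resource is added.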

      Exposed Credentials

      The ongoing explosion of exposed credentials makes understanding and prioritizing risk difficult. In 2020, Digital Shadows published a study with some illustrative statistics:

       Over 15 billion credentials have been exposed and are for sale on the internet.

       The number of credentials for sale has increased by 300 percent since 2018.

       Normal consumer accounts are sold for an average of $15/account.

       Financial accounts are valued at $70/account.

       Domain administrator accounts are sold for a premium of $3,149/account.

      The differences in cost and the number of accounts are part of the problem. As the study states, there are more accounts for sale than people on Earth. The vast majority of accounts for sale are normal user accounts. However, so many of them are for sale that it is difficult to defend against them. Multi‐factor authentication (MFA) and other services are the best defense for this type of standard user account. MFA is explained in more detail later.

      Administrator or elevated account access is where the money and the risk are at their highest. The challenge there is determining, from the Dark Web, which are valid privileged accounts and which are actually standard user accounts. Again, MFA and Privileged Access Manager (PAM) systems are the best defense.