In today’s cyber world, business is done digitally. Trusted cyber relationships between partners must be formed to effectively conduct business and stay at the forefront of innovation and customer service. Having these trusted partnerships comes with a major drawback, however.
Look at it from this perspective: If your organization is the target of a malicious actor, yet they find your defenses too difficult to penetrate, the attacker can use a partner company to find a way in. Depending on the difficulty, the attackers could target multiple third parties in an attempt to gain access to your network.
The important factor to keep in mind here is that just because your organization may have top-notch security practices in place, it does not mean your partners do, and they can be targeted for their valuable insider access to your systems.
Related story: Third-party vendors are the weak links in cybersecurity
Third-party companies, no matter how trivial they may seem to your everyday operations, need to be thoroughly vetted. If they are given secure insider access as part of doing business with your organization, their systems must be reviewed and assessed for security vulnerabilities. The adage, “you’re only as strong as your weakest link,” could not be more true when it comes to third-party vulnerabilities.
Coming to grips with risk
Partners may think of themselves as unlikely targets, but even your HVAC vendor could be creating a gaping hole in your security network that malicious actors may use to gain access to your sensitive information.
For example, financial enterprises have extremely large networks of third-party vendors and partners, from payment processors and auditors to Internet providers and other financial institutions. Being able to map your third parties’ public Internet space and network presence allows you to identify indicators of compromise and risk that paint an accurate depiction of your partners’ potential attack surface.
When we think of potential targets for hacking, we naturally think of big companies or government agencies-organizations that have large volumes of critical and sensitive data. But because these organizations typically have the funds and resources to implement sophisticated security, they are usually not the weak link when it comes to an attack.
Because these organizations cannot be easily accessed, malicious actors adjust their attack strategies to use alternate paths to their desired goal-less secured partners with privileged access. Once a vulnerable company is compromised, its trusted access into other partners allows malicious actors to bypass security controls with exploits that didn’t work previously. Adversaries now are free to roam the connected partner networks, essentially undetected.
Dealing with the problem
The moral here is that insider threats don’t necessarily have to come from within an organization. Trusted third parties, once compromised, create significant security risks to sensitive data. Organizations must look beyond their own defensive perimeters and consider monitoring their partners to better understand their complete attack surface-especially large and complex organizations in which new services are frequently delivered on outward-facing infrastructures.
Understanding the complete attack surface not only provides the intelligence to prevent abuse, but it provides insight into how an attacker may view a path of attack. Additionally, gaining insight into third-party partners, vendors and suppliers is crucial in creating an informed and dynamic risk management program.
Most organizations are busy enough dealing with their own IT infrastructure, so double-checking the risks associated with their partners may not be at the top of their priority list. However, in today’s cyber threat landscape, if you don’t take into account the security posture of your partners, you will never be able to truly mitigate your risk and are leaving gaps in your defenses for anyone to access your critical information.
This article was written by Jason Lewis. Lewis is the chief collection and intelligence officer at LookingGlass. Lewis is a network analyst who has technology initiatives in the private and public sectors.