For good cyber hygiene, organizations must continuously monitor third-party risk

Insurance, regulations, security experts are boosting awareness of the threat landscape

In the past couple of years, third-party risk has grown from a topic discussed only in cybersecurity circles to a company-wide concern. The tipping point may have been 2014, when Target's point-of-sale (POS) systems were compromised and payment card data and personal details belonging to as many as 110 million customers were stolen.

How did the attackers do it? They planted BlackPOS malware on Target's POS systems after getting into the network with log-in credentials that Target had issued to a third-party heating, ventilation and air conditioning (HVAC) contractor.

Earlier this year, third-party risk came into play in Hollywood. A post-production company working on the hit Netflix show "Orange is the New Black" was breached. Access through a third-party supplier is widely discussed as a likely contributing factor. The stolen intellectual property was subsequently used in an extortion attempt.

By some estimates, between 60 percent and 70 percent of breaches involve a third party. For attackers, the easiest path into a well-protected organization is often through its business connectivity. The more businesses connect with one another, share log-in credentials and grant remote access to servers, the more likely third-party attacks become.

Pete Agresta, LookingGlass Cyber Solutions chief revenue officer

I sat down with Pete Agresta, chief revenue officer for LookingGlass Cyber Solutions, at Black Hat 2017 in Las Vegas to discuss rising awareness of gaping third-party exposures. Some takeaways from our talk:

Incentives are encouraging organizations to implement third-party risk programs. As the threat of third-party attacks has spread, so has awareness. Regulatory requirements are becoming much more common. In New York state, for instance, regulated financial services companies are now required to have a third-party service provider risk program. Insurance companies are also beginning to provide a commercial incentive for organizations to have the best third-party hygiene possible, in the form of a different type of underwriting.

One-time assessments of suppliers are not enough. Organizations are beginning to assess the state of their suppliers' cybersecurity. But doing this once at the start of a relationship isn't enough; a supplier's exposure changes as its systems, staff and own vendors change. Continuous monitoring, and a switch to a real-time approach whereby companies can assess the health and hygiene of partners on an ongoing basis, is the future.

Hire a third party to help with assessments. It might seem counter-intuitive, but the innovation and expert knowledge of outside specialists will help organizations mitigate third-party risks. Companies like LookingGlass, for instance, can help organizations understand what is discoverable about their environment from the outside, and how that might be exploited.
