It all starts with an innocent request: A vendor needs network connectivity to your environment, and quickly. Promises are made, typically by someone not in IT or security, and before you know it, a third party is on your network.

The vendor not only has access to some or all of your internal network resources, but its computer systems and user behaviors are likely creating untold risks in your environment. For example, when a third party has a connection to your environment, some — potentially all — of their users can access your systems. This is especially problematic if you haven’t implemented third-party risk management measures such as granular access management controls to keep outside users off your systems, which could be vulnerable to remote exploits, password attacks and malware.

Be it an always-on, site-to-site virtual private network (VPN), remote desktop connection or direct database link, chances are this new connection isn’t going away anytime soon. Whether or not anything can be done about these connections is often out of your control — which is not good if you’re responsible for security. When such connections exist, you’ve taken on an entirely new network threat that could exploit your existing vulnerabilities, and that’s not the direction you want to go in terms of risk mitigation.

Why You Need Visibility Into Vendor Connections to Your Network

The purpose of IT and security is to help leverage technology to meet business needs in a secure fashion — to take requests such as outside vendor connections and turn them into enablers that help rather than hinder. Sadly, these vendor connections are often ill-planned, have little to no oversight, and are often out of scope of security audits and assessments.

Recently, a client expressed concern regarding a breach at a related organization in his industry that occurred over a vendor’s network connection. He naturally wanted to know what he could do to strengthen his company’s third-party risk management strategy.

I advised him to start by compiling a list of all his vendors that have remote access so that he could further scrutinize the connections and associated credentials. I further recommended that the passwords for these accounts meet the minimum security standards already present on his internal domain. Finally, I suggested making multifactor authentication (MFA) a requirement and including vendor network connections in day-to-day security monitoring and alerting. My client took these recommendations to heart, and so far so good. These are good steps to take for any type of organization looking to shore up third-party risk management, regardless of the industry or size of the company.

In another engagement, I discovered that a client not only had an inbound third-party network connection, but that connection provided full access to every system inside the company’s network. It wasn’t just a few outside systems that had this access — it was literally thousands of computers that were woefully vulnerable to numerous security exploits, many of which had not been patched against EternalBlue ransomware.

I found out about these vulnerable third-party systems not because they were within the scope of the testing, but because the security tool I was using discovered the connection and crawled the client’s network environment. The company’s security team detected this network activity before both sides realized that full network access was open in both directions between my client and the third party. The connection was originally set up that way for simplicity’s sake; no one realized the extent of the exposures until I stumbled across it. Clearly, this organization could’ve used a more robust third-party risk management program.

Master the Basics to Strengthen Your Third-Party Risk Management Strategy

What can you do to minimize the risks associated with these types of inbound network connections? As I advised my clients in the examples above, go back to the basics.

1. Know What You’ve Got

In this case, inbound network connections of all types – from VPN to LogMeIn and everything in between. This will likely involve taking a network inventory of not only your systems but their systems as well. As in my example above, vulnerability and penetration testing often reveal parts of the network and connectivity that you didn’t know about otherwise. Fully understanding what’s where might require additional tools such as configuration management and SIEM.

2. Understand How It’s at Risk

This includes weaknesses around network perimeter and individual host authentication and access management controls, traffic flow, bandwidth consumption and more. What level of access do vendor systems have into your network? Can they see and touch known systems on your internal network and cloud environments? Will you recognize it when someone is poking around or an exploit occurs?

3. Do Something About It

Just because there is a tangible business need, that doesn’t mean you should accept unnecessary risks. What additional visibility and control do you need to minimize these risks? Simple firewall rules can solve most challenges. It might require data loss prevention (DLP), a cloud access security broker (CASB) or security information and event management (SIEM), perhaps even specific tools to combat insider threats. Grant the minimum level of access necessary to get the job done and nothing more.
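
The three steps above can be turned into a repeatable check. The following is an added example, not part of the original article: it compares flow records against a vendor inventory and flags traffic that falls outside least-privilege access. The vendor names, address ranges and flow tuple format are all constructed, and the records are assumed to come from the firewall interface facing the vendor links.

```python
import ipaddress

# Constructed inventory: each vendor's tunnel source range and the only
# internal (destination network, port) pairs it is approved to reach.
VENDORS = {
    "hvac-vendor": {"src": "10.200.1.0/24", "allow": [("10.10.5.20/32", 443)]},
    "erp-vendor": {"src": "10.200.2.0/24",
                   "allow": [("10.10.8.0/28", 1433), ("10.10.8.0/28", 443)]},
}
INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # constructed internal range

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.200.1.15", "10.10.5.20", 443),   # approved
    ("10.200.1.15", "10.10.9.77", 445),   # vendor host on an unapproved subnet
    ("10.200.2.40", "10.10.8.5", 1433),   # approved
    ("10.200.2.40", "10.10.8.5", 3389),   # approved host, unapproved port
    ("10.200.3.9", "10.10.5.20", 22),     # source missing from the inventory
    ("10.10.5.20", "10.200.1.15", 445),   # internal host reaching into a vendor
]

def owner(ip):
    """Return the vendor whose source range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, vendor in VENDORS.items():
        if addr in ipaddress.ip_network(vendor["src"]):
            return name
    return None

def audit(flows):
    """Return (finding, vendor, src, dst, port) for every flow that breaks policy."""
    findings = []
    for src, dst, port in flows:
        src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_addr in INTERNAL:
            if owner(dst):  # access open in the reverse direction
                findings.append(("internal-to-vendor", owner(dst), src, dst, port))
            continue
        vendor = owner(src)
        if vendor is None:  # step 1 gap: a connection nobody inventoried
            findings.append(("uninventoried-source", None, src, dst, port))
        elif not any(dst_addr in ipaddress.ip_network(net) and port == p
                     for net, p in VENDORS[vendor]["allow"]):
            findings.append(("outside-allowlist", vendor, src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

Each finding maps back to a step: an uninventoried source is a gap in knowing what you've got, and the other two findings mark access broader than the job requires, which is what a tighter firewall rule should close.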

Be Proactive to Protect Against Evolving Third-Party Risks

Sure, business needs should drive IT and security initiatives, but you can’t afford to let unknown and undersecured inbound network connections lead to an incident or breach. Contracts and policies aren’t enough. Acknowledge your vendor network connections and continue to be vigilant. Keep a close eye on existing connections and an even closer eye on new connections that can crop up without your knowledge.

There’s simply no excuse for having fully open vendor connections that provide unfettered access to your internal network resources. As with the internet of things (IoT), cloud computing and so on, modern-day networking and its associated risks are growing in complexity. It’s up to you to keep it all in check.
