It all starts with an innocent request: A vendor needs network connectivity to your environment, and quickly. Promises are made, typically by someone not in IT or security, and before you know it, a third party is on your network.
The vendor not only has access to some or all of your internal network resources, but its computer systems and user behaviors are likely creating untold risks in your environment. For example, when a third party has a connection to your environment, some — potentially all — of their users can access your systems. This is especially problematic if you haven’t implemented third-party risk management measures such as granular access management controls to keep outside users off your systems, which could be vulnerable to remote exploits, password attacks and malware.
Be it an always-on, site-to-site virtual private network (VPN), remote desktop connection or direct database link, chances are this new connection isn’t going away anytime soon. Whether or not anything can be done about these connections is often out of your control — which is not good if you’re responsible for security. When such connections exist, you’ve taken on an entirely new network threat that could exploit your existing vulnerabilities, and that’s not the direction you want to go in terms of risk mitigation.
Why You Need Visibility Into Vendor Connections to Your Network
The purpose of IT and security is to help leverage technology to meet business needs in a secure fashion — to take requests such as outside vendor connections and turn them into enablers that help rather than hinder. Sadly, these vendor connections are often ill-planned, have little to no oversight, and are often out of scope of security audits and assessments.
Recently, a client expressed concern regarding a breach at a related organization in his industry that occurred over a vendor’s network connection. He naturally wanted to know what he could do to strengthen his company’s third-party risk management strategy.
I advised him to start by compiling a list of all his vendors that have remote access so that he could further scrutinize the connections and associated credentials. I further recommended that the passwords for these accounts meet the minimum security standards already present on his internal domain. Finally, I suggested making multifactor authentication (MFA) a requirement and including vendor network connections in day-to-day security monitoring and alerting. My client took these recommendations to heart, and so far so good. These are good steps to take for any type of organization looking to shore up third-party risk management, regardless of the industry or size of the company.
In another engagement, I discovered that a client not only had an inbound third-party network connection, but that connection provided full access to every system inside the company’s network. It wasn’t just a few outside systems that had this access — it was literally thousands of computers that were woefully vulnerable to numerous security exploits, many of which had not been patched against EternalBlue ransomware.
I found out about these vulnerable third-party systems not because they were within the scope of the testing, but because the security tool I was using discovered the connection and crawled the client’s network environment. The company’s security team detected this network activity before both sides realized that full network access was open in both directions between my client and the third party. The connection was originally set up that way for simplicity’s sake; no one realized the extent of the exposures until I stumbled across it. Clearly, this organization could’ve used a more robust third-party risk management program.
Master the Basics to Strengthen Your Third-Party Risk Management Strategy
What can you do to minimize the risks associated with these types of inbound network connections? As I advised my clients in the examples above, go back to the basics.
1. Know What You’ve Got
In this case, inbound network connections of all types – from VPN to LogMeIn and everything in between. This will likely involve taking and network inventory of not only your systems but their systems as well. Like in my example above, vulnerability and penetration testing and often reveal parts of the network and connectivity that you didn’t know about otherwise. Fully understanding what’s where might require additional tools such as configuration management and SIEM.
2. Understand How It’s at Risk
This includes weaknesses around network perimeter and individual host authentication and access management controls, traffic flow, bandwidth consumption and more. What level of access do vendor systems have into your network? Can they see and touch known systems on your internal network and cloud environments? Will you recognize it when someone is poking around or an exploit occurs?
3. Do Something About It
Just because there is a tangible business need, that doesn’t mean you should accept unnecessary risks. What additional visibility and control do you need to minimize these risks? Simple firewall rules can solve most challenges. It might require data loss prevention (DLP), a cloud access security broker (CASB) or security information and event management (SIEM), perhaps even specific tools to combat insider threats. Grant the minimum level of access necessary to get the job done and nothing more.
Be Proactive to Protect Against Evolving Third-Party Risks
Sure, business needs should drive IT and security initiatives, but you can’t afford to let unknown and undersecured inbound network connections lead to an incident or breach. Contracts and policies aren’t enough. Acknowledge your vendor network connections and continue to be vigilant. Keep a close eye on existing connections and an even closer eye on new connections that can crop up without your knowledge.
There’s simply no excuse for having fully open vendor connections that provide unfettered access to your internal network resources. As with the internet of things (IoT), cloud computing and so on, modern-day networking and its associated risks are growing in complexity. It’s up to you to keep it all in check.
Independent Information Security Consultant