One of the most common challenges enterprises face in information security is dealing with third-party vulnerabilities. Whether it’s a security flaw located in a network appliance, a client/server program or a custom-developed application, you’re often the one on the hook to get things resolved.

Third-Party Problems Are Your Problems

I’m not talking about known security vulnerabilities that are easily fixed by applying an existing patch. Rather, I’m referring to unique security flaws that you or someone else uncovers in the process of doing business. Perhaps it’s a security flaw that is exclusive to your own environment or workflows. Such vulnerabilities include:

  • An access control setting in a website content management system that enables world-writable permissions to core Web server files;
  • A mobile app that doesn’t use Transport Layer Security (TLS) to transmit sensitive information across open wireless networks;
  • An operating system that uses weak storage methods and doesn’t encrypt sensitive information or leaves it sitting in log or temp files that any internal user can access;
  • A storage management system that improperly enforces its password policy and allows users to set weak or blank passwords;
  • A public-facing enterprise resource planning (ERP) application with SQL injection that permits anyone on the Internet to extract data from the database.

When these types of security vulnerabilities surface, they can create unnecessary risks for your organization.

Regardless of whether vendors ultimately resolve the known security flaws, you’re still going to be responsible for getting things settled or finding compensating controls — and sooner rather than later. Even when your hands are tied, such flaws can reflect poorly on the security posture of your environment and leave your business at risk. Many people reviewing vulnerability scans or security assessment reports won’t know — or don’t care — that you are unable to resolve certain issues directly. All that matters is the fact that the vulnerability exists.

Finding Solutions

When you become aware of security vulnerabilities that can only be resolved by an outside party, the most obvious thing to do is to forward the information to the vendor, get feedback and hope it will provide a fix. Based on my experience, however, outside parties can be reluctant to acknowledge the security concerns. Some who do listen are often not motivated to resolve the issues. This apathy may exist because you’re not a large enough customer, because they don’t fully understand the ramifications of the risks involved or because you’re speaking with the wrong person altogether.

One of the best things that you can do is provide tangible evidence of the security vulnerability, either from your own internal testing or, ideally, from an outside party. You’ll want to include the specific areas of the system that are affected, what information or systems are being put at risk and how the vulnerability can be exploited, along with proof including screenshots, HTTP requests and responses and the tools used so it can be replicated in the vendor’s environment.

If you cannot get any resolution directly from the vendor, there are often security controls you can put in place to reduce or eliminate the risks, such as intrusion prevention system (IPS) or Web application firewall (WAF) rules, more stringent network segmentation and tighter network share permissions. There are also likely other vendors that take security more seriously and would love to have your business. Beyond acknowledging the risk, the most important thing is to remain diligent and ensure that a fix — regardless of where it comes from — is put in place. Otherwise, it’s a breach in the making, and you don’t want to have to take that on.
