The hidden security risk inside the IT infrastructures of unassessed third-party suppliers and vendors poses a serious challenge for many companies. Looking at individual technical and security risk elements in isolation leaves the vendee (the company that hires the vendors) at risk. The security postures of third parties need to be assessed using a holistic methodology.
Let’s look at the top elements of third-party risk, explore their value, and understand how they can be used individually to manage the vendor lifecycle…and then used together to mitigate risk across your overall vendor landscape.
External Reputation: If the IP addresses used by a vendor are reported on an IP block list, then the machines used by a vendor are likely infected by malware and used by attackers to send out spam. Or perhaps they may be part of a bot. If a third-party vendor is compromised often or for a long period of time, then a third-party vendor’s security posture is poor. Any information shared with this third-party vendor is subject to compromise, even information contained in emails.
Attestation (Questionnaire): Inevitably, all third-party vendor assessments will ask about that third-party vendor's security policy. Consistent execution of any policy—especially security policies—requires diligence and discipline even for companies with well-funded security departments. The challenge is exponentially more difficult at smaller third-party vendors with less security awareness and limited security spend. While it is important to capture this information since it can be used (or rather, should be used) to compare their responses to reality, only by inspection can execution against policy be ensured.
System Assessments: Most experts agree that keeping systems up-to-date, installing anti-virus software, and applying basic security settings are all fundamental first steps for a good reason. There are generally few side effects for these security controls. And their necessity is demonstrated on a daily basis by the number of threats trying to take advantage of known, reported and patched vulnerabilities and by the number of new malware for which update to do date anti-virus definitions already protects against.
Directory Assessments: With the sheer number of social networks and other data available on the Internet along with credential reuse, it takes little effort for an attacker to find current and previous employees of a third-party vendor. If a current or former employee reused their credentials at another site that’s been compromised, these compromised credentials are inexpensive for an attacker to harvest and try. Making sure old accounts are disabled and passwords are rotated prevents an easy entry for an attacker.
Connecting the Elements to Set a Baseline: While ensuring the level of security matches the value of the data shared with all third-party vendors is quite involved, inspecting the elements that demonstrate a security baseline is much more straightforward and easier to achieve. Because of this, ensuring this baseline across nearly all third-party vendors should be part of every third-party agreement in the form of an enforceable right-to-audit clause.
Analyzing Third-Party Risk Using 5 Key Elements
IP Reputation Score: The reputation of an IP address is the measurement of the amount of “bad” traffic originating from an IP address. “Bad” traffic includes SPAM (unsolicited bulk email), devices attempting to connect to IP addresses that are associated with malware command-and-control servers, and unusual traffic that might be associated with a distributed denial of service.
When accurately associated with a third-party vendor, IP reputation can give an indication of a third-party vendor’s de facto cyber security policy. When used on an ongoing basis, IP reputation can help determine a new risk level for an existing client.
For example, malware and attacks are constantly evolving as well as efforts to detect and mitigate those attacks. Where possible, mitigations will result in updating blacklist techniques. This is what happened with black holing techniques, which caused many bots to move from Internet Relay Chat (IRC) to peer-to-peer (P2P) communication. By constantly measuring a third-party vendor’s IP reputation, a new risk level may be assigned based on updated blacklist techniques.
Policy Score: The policy score is the result of applying a scoring algorithm to the individual answers regarding a third-party vendor’s security policy. By using an algorithm that weighs both averages and thresholds (or minimums) and reporting that as a single number, this allows an easy way to inspect a large number of third-party vendors against a set of known standards. If a self-reported policy score is low, it’s likely that the actual security posture is low. This can help prioritize which vendor to focus improvement efforts on.
Measured Score: The measured score is the result applying a scoring algorithm to security controls data collected from a third-party vendor. Ideally, a third-party vendor’s measured score and policy score should be similar. When the measured score is lower than the policy score, further investigation is warranted. Given that the measured score is an indication of the actual security posture, it can be used independently to determine whether a third-party vendor poses risk to the information shared with the third-party vendor.
Confidence Score: The confidence score is a measure of how complete the measurement is for a third-party vendor. For example, if measuring endpoint vulnerabilities and collecting data only from 10% of the third-party vendor's endpoints, then the confidence of this security control is low. By correlating security controls data—such as directory services data with endpoint vulnerability data—a sense of just how much of a third-party vendor’s infrastructure is measured can be determined. This can be presented as a “confidence score.”
Setting and Utilizing Baselines: To set a baseline, a company should determine which security controls must be in place for all third-party vendors. This baseline should reflect the current consensus of the security community as to the basic and must-do security best practices. As both services and threats evolve, this baseline should be periodically reviewed and updated to ensure new best practices are incorporated into the entire extended enterprise.
Take Action Against Third Party Risk
A relatively easy way to get started is to assess new third-party vendors as you being to work with them. Assessments should be performed before the third-party vendor is brought on board. If they are already an approved vendor, they should be assessed as soon as possible.
Once they have their initial assessment (baseline) in place, the assessments should be run quarterly—perhaps even monthly—to see how they are doing: getting better/worse or staying the same.
Occasionally, third-party vendors should be viewed collectively to see how they compare to their peers; have there been any triggers that require immediate attention?
This information can be extremely valuable. For example, it could be used to help negotiate a deal. A third-party vendor with a poor security posture may lose a deal to a competitor that possesses a better security posture. A viable third-party vendor with a poor security posture may have to remediate their vulnerabilities before they get the job. Or, a viable third-party vendor with a poor security posture could earn less as the company contracting with them for their products and/or services will have to cover the risk through other financial means.
For more information on how to set baselines for third-party vendors at your organization, visit http://www.datumsec.com/product/