Posted on May 9, 2018
We've compiled a checklist of items that your company can use to protect its infrastructure whenever it starts working with a new vendor, as part of routine vendor risk management processes. A vendor’s systems can be a threat to you when both parties’ systems are connected together. This can be via an application interface, a remote connection, or the vendor’s employees connecting to the customer’s network when its employees walk in the door.
A vendor’s systems can be the vector by which a company is hacked. Case in point: Target.
The details of the Target data breach have been relayed to security researchers and the media. It was determined that Target was attacked by computers at Fazion Mechnical, a company that maintains the refrigerators for the giant retailer. The two companies’ networks are connected, since Fazion Mechnical needs to monitor those refrigerators. This is precisely the type of breach that could have been avoided had they enforced a thorough vendor security risk assessment.
Before we provide due diligence and vetting steps that your company can take prior to working with a new vendor, a brief review of two often-overlooked aspects of IT security defense is in order.
Someone working on the inside can obviously steal or compromise data, but the main risk is lack of employee security awareness training. Phishing remains the most common attack vector. Therefore, your employees need to be reminded of the dangers of clicking on links in emails.
If the military and the world’s largest banks have been hacked, it is reasonable to assume that any company can be hacked. The harsh reality is that security software does not work all the time. Thus, a company must always work from the posture that it has already been attacked. This could mean having a cyber security management partner in place and being ready with a communication strategy to notify affected customers and partners when a data breach occurs.
Vetting means executing due diligence by checking a vendor’s systems, policies, and procedures for security weaknesses. This means running through a risk assessment checklist to make sure that the vendor adheres to the same security standards that protect your company from attack. You must ensure that security leaks are plugged in terms of both the vendor’s computers and its people.
Your company can adopt different standards and vendor risk management plans to help mitigate risk. Then there are OCC and HIPAA rules, if required by your industry. All of these plans and standards tend to be written at a high level. So, here are 11 rules that you can use as a vendor risk management checklist written in a simpler manner:
This means documenting access to machines. Procedures should exist for granting employees access and taking it away when their roles change or they leave the company. This can be done through the IAM system and workflow. The certification procedure needs to be connected to the log monitoring system so it knows when someone is using an expired account or when someone has been granted elevated privileges without proper certification.
Not every company is going to be sophisticated enough to use Splunk or ELK to monitor logs with advanced analytics to flag security incidents. In such cases, the vendor should ideally use a Managed Services Security Provider to monitor its logs and network traffic.
Companies should stop using password-only sign-ons and add Two-Factor Authentication (TFA). Companies that maintain that “this is too difficult” to implement for existing apps can use an app like OKTA to add TFA to their front-end systems.
A common problem with TFA is service accounts – shared logins used by multiple administrators or outsiders. It is usually not possible to use a token for those accounts since the systems that require tokens are started by others and then left alone. Yet service accounts, in particular those with default passwords, are a common way for hackers to gain access to a system. Their passwords must be changed frequently to decrease cyber security risk. Despite the inconveniences this poses, such as downtime and the risk that a system might not start up again when connecting to other systems after a password change, frequent changes are a very necessary security step.
Companies should train employees annually on security and provide training program for new hires. They should make their employees aware of cyber security risks and provide them with risk management best practices that they can follow.
Employee-owned smartphones and tablets pose less risk than laptops because they are less riddled with security weaknesses than Microsoft Windows. Still, some rules should be in place to protect even these company assets, like making sure that screens lock after a certain number of seconds of inactivity. One problem with Android, in particular, is that apps often request access to user contacts even when they do not need them. This is true for popular and supposedly honest apps like Twitter, so users become accustomed to it. However, in the case of hacker apps, that security weakness can be exploited to rob contacts for phishing purposes. Employees should be instructed to be careful about what they install on their own devices.
Remote access to your company’s network, apps and servers should be via VPN or Windows Remote Desktop. The connection from the vendor to the client company should be via IPsec VPN. Don’t just whitelist an IP range.
Your company needs to have some policies to prevent, for example, a hacker from simply walking into the data center and removing a drive from a storage array. Or walking into Accounting during lunch and walking out with a whole PC.
Since phishing is still the number one attack vector, every company needs reliable anti-spam software. Defense in depth is wise; you should scan at the mail server level as well as at endpoints.
Cyber security experts will tell you that antivirus is not as effective as it once was in the past. Still, any CIO would have a hard time explaining why his or her company does not use it. As with anti-phishing measures, defense in depth is the correct approach.
Your company must have a procedure for disconnecting old devices from the network when they are no longer needed.
Microsoft, Adobe, and other companies send out patches almost daily. So your vendor needs a risk management system to make sure these are applied daily to protect against zero-day attacks. The days of waiting for Patch Tuesday are behind us; continuous updates must be a priority.
These are only some of the items that your company can do to make sure that your vendors adhere to cyber security best practices. These practices will help keep your vendors from being the conduits through which your company gets hacked and suffers the loss of customer or company data.
Further Reading: Preserving the Cyber Health of the Vendor Ecosystem
Concerned about the frequency and timing of your vendors patching practices? Patching Cadence is one of ten security risk categories and factors included in SecurityScorecard's benchmarking platform.
With hackers finding new ways to attack third-parties in hopes of infecting a larger organization, the third-party ecosystem is more fragile than ever before.
The purpose of an IT risk assessment is to determine security risks to your company’s critical assets, and how much funding and effort should be used in their protection. Get started with SecurityScorecard’s step-by-step guide to managing your cyber risk.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 categories of risk. Answer a few simple questions and we'll instantly send your score to your business email.