Can a third-party supplier bring down an organisation

Morey Haber, Chief Technology Officer and Chief Information Security Officer, BeyondTrust.
5 years ago

Realising that most large organisations today have sophisticated security defenses, bad actors are beginning to target third-party vendors as a means to gain access to an enterprise’s network. In fact, in 2018, over 11 significant breaches were caused by exploitation of third-party vendors, and according to Carbon Black’s 2019 Global Incident Response Threat Report, 50% of today’s attacks leverage what they call island hopping, where attackers are not only after an enterprise’s network, but those of everyone along the supply chain as well.

IT administrators, insiders, and third-party vendors need privileged access to perform their roles, but this should not mean ceding control of the IT environment to them. Organisations typically allow vendors to access their networks to perform a variety of different functions. However, this privileged access should be secured to the same or a higher extent as the organisation’s internal privileged users. Neglecting to do so will create a weak spot in your organisation’s security that is ripe for exploitation.

Because organisations typically use IT products and software solutions from a variety of vendors, IT is tasked with the enormous burden of having to secure remote access for these vendors, so that they may provide maintenance and troubleshooting for their products. As a consequence, organisations are faced with the dilemma of having to provide the needed access while also guarding against malware and bad actors entering through third-party connections.

Given that third-party vendors are an integral part of most organisations’ ecosystem, something that is not going to change anytime soon, there are seven steps you can take to exert better control over third-party vendor network connections and secure remote access.

#1 Monitor and examine vendor activity

First, it is imperative to scrutinise third-party vendor activity to enforce established policies for system access. You want to understand whether a policy violation was a simple mistake, or an indication of malicious intent. You should implement session recording to gain complete visibility over a given session. And finally, you should correlate information so that you have a holistic view that enables you to spot trends and patterns that are out of the ordinary.

Here are some ways to approach monitoring:

  • Inventory your third-party connections to understand where these connections come from
  • Look for firewall rules that permit inbound connections for which you are unaware
  • Perform vulnerability scans on your external-facing hosts to search for services that are listening
  • Validate your enterprise password security policies apply to accounts on inbound network connections
  • Implement policies and standards specific to third-party issues, and use technical controls to enforce them
  • Monitor for security deficiencies and then address them
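The inventory, firewall-rule and correlation steps above can be turned into a repeatable check. The following is an added example, not code from the article or from BeyondTrust: it compares constructed remote-access session records and inbound firewall rules against a constructed inventory of approved vendor connections, and reports every deviation (unknown vendor, unexpected source range, target outside the vendor's scope, unapproved protocol, session outside the agreed maintenance window, and inbound rules that no vendor accounts for). The vendor names, addresses, hostnames and the `key=value` log format are all assumptions made for the example.

```python
"""Correlate vendor remote-access sessions and inbound firewall rules against an
inventory of approved third-party connections. Every vendor, address, host and log
line here is constructed for the example; the key=value format is illustrative."""
from datetime import datetime
import ipaddress

# Constructed inventory of approved third-party connections (hypothetical vendors).
APPROVED_VENDORS = {
    "acme-hvac": {
        "sources": ["203.0.113.0/24"],
        "targets": {"bms-01", "bms-02"},
        "protocols": {"ssh"},
        "window": (8, 18),          # allowed local hours: start inclusive, end exclusive
    },
    "globex-erp": {
        "sources": ["198.51.100.10/32"],
        "targets": {"erp-db-01"},
        "protocols": {"rdp", "ssh"},
        "window": (0, 24),
    },
}

# Constructed session records as a remote-access gateway might emit them.
SESSION_LOG = """\
ts=2019-06-03T09:15:00 vendor=acme-hvac src=203.0.113.45 dst=bms-01 proto=ssh user=acme-svc
ts=2019-06-03T23:40:00 vendor=acme-hvac src=203.0.113.45 dst=bms-02 proto=ssh user=acme-svc
ts=2019-06-03T10:02:00 vendor=acme-hvac src=203.0.113.45 dst=erp-db-01 proto=ssh user=acme-svc
ts=2019-06-03T11:30:00 vendor=globex-erp src=192.0.2.77 dst=erp-db-01 proto=rdp user=globex-ops
ts=2019-06-03T12:00:00 vendor=globex-erp src=198.51.100.10 dst=erp-db-01 proto=telnet user=globex-ops
ts=2019-06-03T12:05:00 vendor=unknown-co src=192.0.2.9 dst=bms-01 proto=ssh user=contractor
"""

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def source_permitted(vendor, src):
    """True if the source address falls inside one of the vendor's approved ranges."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(cidr) for cidr in vendor["sources"])

def audit_sessions(log_text):
    """Return (record, reason) for every session that deviates from the inventory."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        vendor = APPROVED_VENDORS.get(rec["vendor"])
        if vendor is None:
            findings.append((rec, "unknown vendor"))
            continue
        if not source_permitted(vendor, rec["src"]):
            findings.append((rec, "source not in vendor's approved ranges"))
        if rec["dst"] not in vendor["targets"]:
            findings.append((rec, "target outside vendor's approved systems"))
        if rec["proto"] not in vendor["protocols"]:
            findings.append((rec, "protocol not approved for vendor"))
        hour = datetime.fromisoformat(rec["ts"]).hour
        start, end = vendor["window"]
        if not (start <= hour < end):
            findings.append((rec, "session outside maintenance window"))
    return findings

# Constructed inbound firewall rules: (rule_id, source_cidr, dest_host, port).
INBOUND_RULES = [
    ("fw-101", "203.0.113.0/24", "bms-01", 22),
    ("fw-102", "198.51.100.10/32", "erp-db-01", 3389),
    ("fw-150", "192.0.2.0/24", "bms-02", 22),      # no vendor in the inventory owns this
]

def unexplained_inbound_rules(rules):
    """Inbound rules whose source range is not covered by any approved vendor."""
    approved = [ipaddress.ip_network(c) for v in APPROVED_VENDORS.values() for c in v["sources"]]
    return [rule_id for rule_id, cidr, _dst, _port in rules
            if not any(ipaddress.ip_network(cidr).subnet_of(a) for a in approved)]

if __name__ == "__main__":
    for rec, reason in audit_sessions(SESSION_LOG):
        print(f"{rec['ts']} {rec['vendor']} {rec['src']}->{rec['dst']}: {reason}")
    print("unexplained inbound rules:", unexplained_inbound_rules(INBOUND_RULES))
```

Running it over the constructed data flags five of the six sessions and the one firewall rule that no vendor relationship explains; only the first session, inside its window and scope, passes clean. In practice the inventory would be fed from the vendor onboarding record and the sessions from the access gateway's logs, so that the same check runs on every new session rather than once during an audit.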

#2 Limit network access

Most of your vendors only need access to very specific systems, so to better protect your organisation, limit access using physical or logical network segmentation and channel access through known pathways. You can accomplish this by leveraging a privileged access management solution to restrict unapproved protocols and direct approved sessions to a predefined route.

#3 Apply multiple internal safeguards

As with other types of threats, a multi-layered defense is key to protecting against threats arising from third-party access. Apply encryption, multi-factor authentication, and a comprehensive data security policy, amongst other measures.

#4 Educate your internal and external stakeholders

On average, it takes about 197 days for an organisation to realise that it has been breached. A lot of damage can be done in 197 days. Educate across the enterprise and continually reinforce the message that the risks are real.

#5 Conduct vendor assessments

Your service-level agreement with third-party vendors should spell out the security standards you expect them to comply with, and you should routinely review compliance performance with your vendors. At a minimum, your vendors should implement the security basics, such as vulnerability management. You should also enforce strong controls over the use of credentials, always with a clear line-of-sight into who is using the credential, and for what purpose.

#6 Authenticate user behavior

Vendor and partner credentials are often very weak and susceptible to inadvertent disclosure. Therefore, the best way to protect credentials is to proactively manage and control them. You can do this by eliminating shared accounts, enforcing onboarding, and using background checks to identity-proof the third-party individuals who access your systems.

#7 Prevent unauthorised commands

One step you want to take is to broker permissions to various target systems using different accounts, each with varying levels of permission. You should restrict the commands that a specific user can apply, via blacklists and whitelists, to provide a high degree of control and flexibility. To this end, use a privileged access management solution, enable fine-grained permission controls, and enforce the principle of least privilege.
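The brokering described in this step, a per-account allowlist layered under a global denylist with least privilege as the default, can be sketched in a few dozen lines. This is an added example, not code from the article or from any BeyondTrust product: the roles, accounts, command sets and the chaining check are constructed to show the decision logic a broker sits between the vendor and the target system to make.

```python
"""Broker commands submitted through vendor accounts against a global denylist and
per-role allowlists. Roles, accounts and command sets are constructed for this
example and do not describe any real product's policy format."""
import posixpath
import shlex

# Global denylist: never brokered for any third-party account, whatever its role.
DENYLIST = {"rm", "dd", "mkfs", "shutdown", "reboot", "useradd", "passwd", "visudo"}

# Per-role allowlists. A value of None means any arguments; a set restricts the
# first argument (e.g. which systemctl subcommands the role may issue).
ROLES = {
    "hvac-readonly": {
        "cat": None, "tail": None, "journalctl": None, "systemctl": {"status"},
    },
    "erp-maintenance": {
        "systemctl": {"status", "restart"}, "journalctl": None, "tail": None, "pg_dump": None,
    },
}

# Constructed account-to-role mapping: one account per named vendor individual,
# no shared accounts, each with a different level of permission.
ACCOUNTS = {"acme-jdoe": "hvac-readonly", "globex-asmith": "erp-maintenance"}

# Characters that would let one allowed command smuggle in another. Deliberately
# conservative: a brokered privileged session should not need any of them.
CHAINING_MARKERS = ("|", ";", "&", ">", "<", "`", "$(")

def evaluate_command(account, cmdline):
    """Return (allowed, reason) for a command line submitted through the broker.

    Order matters: unknown accounts, unparseable input and chaining are rejected
    first, the denylist wins over any allowlist, and anything not explicitly
    allowed for the role is denied (least privilege by default)."""
    role_name = ACCOUNTS.get(account)
    role = ROLES.get(role_name)
    if role is None:
        return False, "account has no brokered role"
    try:
        tokens = shlex.split(cmdline)
    except ValueError as exc:
        return False, f"unparseable command line: {exc}"
    if not tokens:
        return False, "empty command"
    if any(marker in tok for tok in tokens for marker in CHAINING_MARKERS):
        return False, "command chaining or substitution is not brokered"
    # Compare on the basename so '/bin/rm' and 'rm' are treated alike.
    program = posixpath.basename(tokens[0])
    if program in DENYLIST:
        return False, f"'{program}' is on the global denylist"
    if program not in role:
        return False, f"'{program}' is not in the allowlist for role {role_name}"
    allowed_args = role[program]
    if allowed_args is not None and (len(tokens) < 2 or tokens[1] not in allowed_args):
        return False, f"'{program}' subcommand not permitted for role {role_name}"
    return True, "permitted"

if __name__ == "__main__":
    for acct, cmd in [
        ("acme-jdoe", "systemctl status bms-agent"),
        ("acme-jdoe", "systemctl restart bms-agent"),
        ("globex-asmith", "systemctl restart postgresql"),
        ("globex-asmith", "/bin/rm -rf /var/lib/postgresql"),
        ("globex-asmith", "tail -n 50 /var/log/syslog | sh"),
        ("contractor-x", "cat /etc/hosts"),
    ]:
        allowed, reason = evaluate_command(acct, cmd)
        print(f"{acct:15} {'ALLOW' if allowed else 'DENY ':5} {cmd!r}: {reason}")
```

Every decision, allowed or denied, should also be written to the session record produced in step #1, so that a vendor repeatedly probing denied commands shows up in the correlated view rather than only in the broker's own log.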

Vendor access is often inadequately controlled, making it a favored target of cyberattackers. By layering on these seven steps, you can exert better control over third-party access to your environment and make significant progress toward reducing cyber risk.

Key takeaways

  • 50% of today’s attacks leverage island hopping, where attackers are targeting those along the chain.
  • Broker permissions to various target systems using different accounts, each with varying levels of permission.
  • You want to understand whether a policy violation was a simple mistake, or an indication of malicious intent.
  • You should implement session recording to gain visibility over a given session.
  • Correlate information so that you have a holistic view that enables you to spot trends and patterns.

Yes, says BeyondTrust’s Morey Haber, since suppliers of vendors have privileged security access to the IT organisation and can be compromised.
