With much publicity focused on the risk of confidential data breaches, the risk associated with the actual connection to and from a third party to your organization is often overlooked. Customers, partners, vendors, regulatory agencies, and other types of third parties often need a connection to your organization, and the type of connection varies based on the complexity of business relationships, which can present challenges in due diligence. However, there are a variety of ways to reduce this risk, from stricter contracts to continuous monitoring.
It’s All About the Relationship
The Office for the Comptroller of Currency (OCC) defines a third-party relationship as, “… any business arrangement between a bank and another entity, by contract or otherwise.” This definition includes not just vendors, but others who need connections to your organization. Vendors are often held to a tougher standard contractually than a customer or a regulatory agency, and you can stipulate the terms necessary to do business with your organization.
But a partner or customer will not allow this type of agreement for control validation. For this type of relationship, you’ll need to implement a modified approach that focuses on critical controls, such as ensuring encryption, requiring that their hardware be kept up to date according to the manufacturer, and that access is effectively managed and reviewed periodically.
Regulatory agencies or government organizations may require different connections depending on your industry. These are almost impossible to govern. To reduce risk, place the connection under heavy monitoring and reporting using the tools available to your organization.
The Great Connection
Connection types are more than a leased line, such as an MPLS or T-1. These lines are easy to manage if there is a process to capture the installation, monitoring, and termination. Other communications are relayed via APIs and HTTPs, where connections are intermittent and not a fixed, dedicated line. These types of connections are tougher to manage as they can be set up sometimes without knowledge of your security team. In this case, scanning tools that monitor egress points and watch cross-traffic within your network will help discover these.
In some industries, there are “screen scrapers” or data aggregators that can pull data down in unstructured forms from your websites. These types of connections are regulatory required, so your best bet is to ensure the connection is encrypted and if not, reject the connection.
Regardless of which type of connection is used, continuous monitoring of your organization is critical. Your security team should set up thresholds to check for anomalous behavior. And while the connections to your organization should be encrypted, making packet inspection challenging, your team should be able to identify normal behavior for each connection (size of data transfers, normal activity hours, typical traffic routes, etc.). Once that known behavior is cataloged, then continuous monitoring tools can be used to look for behaviors that need investigating.
Reducing Connection Risks
Update your security protocols to include the following ways to address connection risks and minimize the potential impact on your organization:
- Contractual controls. Include terms and conditions to dictate third-party connections. For vendors, include a longer list of requirements, such as a security program, encryption, access controls, incident management, vulnerability management, and most other NIST-CSF domains.
- Continuous Monitoring. Ensure there are tools deployed by your network team to check for traffic going outbound or inbound from the egress and ingress points to your network.
- Use Bastions. Setup bastions in a DMZ based upon the type of supplier. For example, an offshore vendor bastion would have access to data and networks different than your sales partners. As you add another offshore vendor, placing them into this bastion ensures they have only the access typical of that type of work.
- Documented Processes. Ensure you have a well-documented and tested process for onboarding, monitoring, and offboarding connections. In particular, the offboarding of connections often gets overlooked and this can lead to elevated risk when a third party has connectivity after a relationship has ended.
Connectivity is unavoidable in today’s business world, and everyone is someone else’s vendor, highlighting that interconnectedness. However, there needs to be due diligence and due care for these connections to lower the risk to your organization.
__________
About the Author: Gregory Rasner is the author of “Cybersecurity & Third-Party Risk: Third-Party Threat Hunting” (Wiley, 2021) and has been a leader in cybersecurity for over 20 years in industries from biotech and finance to software development and telecommunications. Gregory teaches cybersecurity at local community colleges and is a frequent keynote speaker on these topics.