The recent SolarWinds breach has brought vendor risk management into the spotlight. With 59% of data breaches being traced to third-party vendors and the average enterprise having 67 vendors with privileged access, managing third party risk is no longer optional, says Tony Howlett, Chief Information Security Officer (CISO) of SecureLink. Here, we speak to Howlett about why security and risk professionals need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.
Security: What is your background, current role and responsibilities?
I am currently the CISO of SecureLink, based in Austin, Texas. SecureLink aims to solve third-party security for businesses that need it most - making it easy for companies to connect with their suppliers and vendors, while maintaining the highest levels of security and compliance.
In my current role, I keep the corporate infrastructure of the company secure, while also making sure SecureLink’s product is secure, complies with regulatory standards, and has cutting-edge features that customers need. In terms of my broader experience, I’m a published author and speaker on various security, compliance, and technology topics. I serve as President of (ISC)2 Austin Chapter and am an Advisory Board Member of GIAC/SANS. I’m also a certified AWS Solutions Architect and hold the CISSP, GNSA certifications, and a B.B.A in Management Information Systems.
Security: Why does vendor risk management need to be a top priority for organizations in 2021 and beyond? What should this look like?
Howlett: Today the average enterprise has 67 vendors requiring access to an enterprise’s internal network. That can be thousands of users connecting. And with 59% of data breaches traced to third-party vendors, these statistics highlight that supply chain and third party risk management needs to be a top security priority for organizations. Best practices include identifying and authenticating users, controlling vendors’ level of access, and recording and auditing vendor activity:
- Identify and authenticate - One of the fundamental best practices for managing your vendors is: know who they are. 37% of companies are unsure of the total number of vendors accessing their networks. This is a huge part of starting up an official Vendor Risk Assessment program, where your Vendor Assessments are made and vendors are scored by risk. You’ll also want to avoid allowing generic accounts, so make sure every individual on your network is identified, and be sure to enforce Multi-Factor Authentication for your vendors.
- Control and access - Once vendors are property identified, the next step is to control their access using the principle of “least privilege access”. This means only giving the rights and level of access to the vendor that they require to do their job; no more, no less. The more granular you can get with this, the better - down to specific service ports and times of access. Additionally, make sure the remote access you are providing is secure and it’s recommended to tier or group your vendors and document access policies and workflow per group. Not only should vendors not be treated like internal users, but they also shouldn’t all be treated the same.
- Record and audit - You will want to apply a different level of monitoring to external parties accessing your network and systems than internal employees. Ideally, you are recording specific action via screen captures or key-stroke logging, especially for privileged access. And have regular review processes with alerts and notifications sent when certain thresholds are triggered. All the granular logs in the world are no good if no one views them.
Security: How did the SolarWinds hack bring this issue into the spotlight?
Howlett: The sophistication and use of a variety of attack vectors is what makes the SolarWinds, to me, the ultimate example of a perfectly executed supply chain attack. It is estimated that over 1000 developers worked on this malware, making it one of the largest efforts in cybercrime ever. And the sheer number of victims, including a number of large US Federal agencies handling highly sensitive information and operations like the Pentagon, Homeland Security and the State Department, not to mention major corporations such as Microsoft and Cisco that have software and hardware in almost every enterprise in the world. I predict that the SolarWinds breach will finally lead to much needed funding, reforms and possibly legislation that will force companies to more closely examine the software update process, vendor relationships and other vectors for supply chain attacks.
Security: What are other major hacks that have been traced back to third-party vendors?
Howlett: The last decade has been littered with high profile third party breaches which led up to this event. Despite these warnings, organizations (boards and upper management in particular) are still not prioritizing third party risk management. SolarWinds is another reminder to the typical enterprise or government CISO that third party access can’t be treated like internal employee access. Third parties are a clear and present danger to every organization’s security and compliance.
Target was the first mega third party breach in 2013, when 40 million customer credit card records were stolen. From there the trend continued: JP Morgan and Boston Medical in 2014. T-Mobile, Sam’s Club, Costco, CVS, Rite Aid Walmart Canada, and Tesco in 2015. Kroger, Stanford University, and Northwestern University in 2016. 2017 was a particularly bad year in terms of volume (Equifax, Verizon, Hard Rock Hotel, The RNC, Uber, Hyatt Hotels), and 2018 had some of the largest third party hacks yet (Under Armor and Marriott being the most public). These years were just getting us warmed up for SolarWinds in 2020. And this year has shown that hacking groups have not slowed down with the massive attack with Sandworm malware on French companies via network software provider Centreon and the Accellion hack that infiltrated many big customers like Kroger and the Jones Day firm via their supposed secure file transfer service.
And the year isn’t even half way over yet. Expect more.
Security: What are some lessons learned and best practices from these breaches/hacks?
Howlett: There are three key lessons:
- The key lesson SolarWinds has taught us is that anyone can be hacked no matter how sophisticated or big an organization is. Over 18,000 customers use the affected Orion software, with many of them considered large US Federal agencies, including Homeland Security, Commerce Department, and The Pentagon. SolarWinds is also used by 70% of Fortune 500 companies. Even FireEye, one of the top cybersecurity consulting firms, was successfully attacked.
- Software often occupies a very trusted place in your network. This attack highlights the danger from third parties and particularly from trusted software that can reside on our networks and servers often without as much scrutiny as incoming emails, attachments and other outside data.
- Given how successful the Solar Winds breach was, it won’t be the last. Serious hacking groups like the nation state Advanced Persistent Threats (APTs) and organized crime groups (recent reports show that South American drug cartels are turning to cybercrime with the impacts to their business of drug legalization efforts and COVID restrictions on movement and border movements). To increase the impact and profitability of their efforts, these groups will increasingly look to “Hack once, breach many” by infiltrating supply chain vendors to spread their wares. To address this growing issue, organizations must take third party risk management seriously and tightly secure access they are granted.
CISOs need to focus on buying the right tools rather than trying to make things work with legacy or inadequate platforms to protect themselves from this kind of risk. Use of standard VPNs with no additional controls is the most common mistake. It’s a great tool for employee network access but is not appropriate for vendor users, especially ones working with privileged credentials. Additionally, having many different solutions and processes for vendor management makes it impossible to standardize across the organization and orchestrate security policy.
Essentially CISOs need to get into the mindset that vendors are not internal users. This simple axiom and the best practices that come out of it can help CISOs get on the right path to mitigating this growing and serious risk.