Data breaches grow more expensive with each passing year. The IBM/Ponemon Cost of a Data Breach Report 2021 indicates that the average total cost of a breach has risen to $4.24 million — an increase of nearly 10% over 2020 — but individual breaches can cost far more. Third-party breaches have proven particularly costly, with the massive SolarWinds breach incurring a price tag of approximately $18 million. And while estimates vary on the dollar cost, camera maker Verkada suffered significant reputational damage when 150,000 of its camera feeds were compromised. These incidents have put the need for greater third-party security in the spotlight.
One of the dangers of working with vendors, suppliers and partners is that they often require access to your network. Unfortunately, this creates risk. Organizations can control their own cybersecurity stance, but they cannot control the way their vendors approach VPN security, password management, legacy system retirement and other practices. But that doesn’t mean there aren’t ways for organizations to effectively gauge the level of third-party risk and try to influence their cyber hygiene. With that in mind, are third parties worth the risk — and if so, how can security professionals tell? There are a few simple factors that lead to breaches, and this piece will explore the most pressing threats associated with third-party vendors.
Poor network security has been the culprit for a significant number of major breaches over the past several years — at least, the ones that aren’t due to social engineering. Network protocols simply aren’t updated frequently enough, and ports are left open, misconfigured or unauthenticated. Attackers can easily scan the open internet for exposed ports until they find one that doesn’t ask for a password, and then they’ll dump connected databases until their hard drives are full and sell off anything “valuable.”
Gauging a vendor’s network security might start with checking for the presence of open databases on the network. If there are accessible databases on their network, there is probably customer data to be stolen. It might also make sense to check for the availability of remote desktop protocol (RDP) and secure messaging protocol (SMB) ports, both of which are commonly exploited. Organizations should explore external monitoring services capable of providing this information during the vetting process.
The majority of hackers — and even advanced persistent threat (APT) groups — are using publicly available attack scripts. Zero-day exploits are rare, and attackers usually leverage the delay in patching that the updates are designed to address. These less sophisticated “spray and pray” attacks tend to use older and more commonly known vulnerabilities on open ports, and they will use weaponized public attack scripts against all versions of exploitable discovered software. Unfortunately, it can take a long time for organizations to patch issues, which means an attacker’s odds of finding at least one victim are high.
This window between when a vulnerability is identified to when it is weaponized and becomes public knowledge is important, and keeping that window small is critical. The Equifax breach from 2017 exploited a vulnerability from 2016 — though some estimate that it was even older. Ransomware is commonly deployed through old versions of Windows using outdated RDP. If exploits are out there, attackers will attempt to use them, which means patching systems quickly is essential.
Age of vulnerabilities
Similar to patch cadence, it is important to understand the age of vulnerabilities. That doesn’t just mean modern systems that have gone a while between patches — it means paying attention to legacy systems as well. Knowing whether potential vendors are running aging legacy systems can provide an organization with insight into that vendor’s entire network infrastructure. Legacy systems are one of the first things attackers look for — especially “retired” legacy systems that haven’t been taken offline, and which chief information security officers (CISOs) and InfoSec teams may not even know exist thanks to out-of-date asset lists.
Fortunately, external monitoring tools can be used to gauge both patch cadence and the age of potential vulnerabilities. Whether through in-house tools or third-party services, this information is easily obtainable for today’s organizations and can provide critical context as they undertake risk evaluations.
Once an attacker has conducted reconnaissance, done their scans and found their targets, they will often try default credentials before even attempting to launch exploits. Unfortunately, these work a surprising amount of the time (just ask victims of the Mirai Botnet). And if default credentials don’t work, attackers will obtain usernames and passwords from the trillions of records compromised in previous breaches and widely available on underground forums. Any company is likely to have thousands of leaked credentials, and a good number of those users probably reuse their passwords across multiple platforms. The odds of crossover between a company and its third-party vendors are, unfortunately, quite high.
Organizations should keep an eye on the leaked credentials circulating on the internet. From a vetting standpoint, a vendor with a lot of leaked credentials doesn’t necessarily mean that they will be used to hack their network, but it does mean that certain questions should be asked about that vendor’s password reset, MFA policies and other security measures that can prevent these credentials from becoming a problem. It’s also never a bad idea to keep an ear to the ground for hacker chatter — an organization that is frequently mentioned on underground forums is likely either a target or already a victim.
Third-party security is essential
With incidents like the Verkada breach dominating the headlines this year, the need for third-party security has never been clearer. Organizations should know that when it comes to vetting potential partners and vendors, they don’t need to leave things to guesswork. Widely available external monitoring tools can provide insights into key areas of vulnerability, including patch cadence, credential management and network security. For organizations looking to avoid becoming the next SolarWinds, cybersecurity posture must be a critical factor in any potential partnership or vendor relationship.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.