Cybersecurity and 3rd Parties
3rd Party and Vendor Lack of Security Still is Creating Vulnerabilities
By Charles Parker II
No business is an island. At times, a business needs outside services from vendors to complete its mission. As a rule of thumb, an organization cannot keep on staff a subject matter expert (SME) for everything that affects the business; the networks and systems are simply too complex, with too many parts moving in tandem, for an in-house labor force of experts to be viable. Contracting third parties that already have expertise in these areas tends to be much more cost effective.
Although this is a positive aspect and helps the business improve its income statement, it also carries the potential for a significant issue. When vendors plug into the client's network, any malware or other issues on their systems have the opportunity to cross over to the client's systems through that connection. If the vendor's laptop was connected to a local coffee shop's free and open Wi-Fi or to the airport's free and open Wi-Fi, or if a thumb drive previously used at the employee's high school is later plugged into that laptop, any malware picked up along the way, including ransomware, is then available to the client's systems.
With most breaches and compromises there is a lesson to be learned and applied to other circumstances and businesses. Although each incident is different, the same underlying issues are encountered and seen repeatedly, and even when they reappear frequently, the lessons still have to be applied in each new environment.
There are many actions that can be taken to harden a system, from the application layer down to the hardware. These are applied based on the requirements and needs of the business and its users, and they involve a balancing act between confidentiality, integrity, and availability (the CIA triad). One aspect that continues to plague businesses and is still not adequately addressed is the risk from third parties.
Granted, third parties are separate entities standing alone, with their own ownership. Certain third parties and projects, however, require access to the client's network, systems, and nodes. If the third party does not have an adequate cyber/InfoSec program to ensure, as far as possible, that its systems are free of malware, then each and every time the vendor's representative connects there is a distinct opportunity for malware to cross onto the client's enterprise. The client may attempt to push liability for any resulting breach or compromise onto the vendor, but in practice this is not easily accomplished.
There are ways to defend against this. One step is to require vendors and contractors to complete a cyber/InfoSec questionnaire. Although it is only a questionnaire, it provides insight into practices that may previously have been unknown to the client. It also opens the opportunity to ask follow-up questions and, where warranted, to request the vendor's latest penetration test or vulnerability assessment report; self-reported answers are only a starting point, which is why that supporting evidence matters. With this data in hand, the client can better gauge the vendor's focus on security, or lack thereof, and use that as guidance when working through the contract.
About the Author - Charles Parker, II has been working in the InfoSec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and InfoSec policies and procedures. Mr. Parker's background includes work in the banking, medical, automotive, and staffing industries.