Addressing Third-Party Security Vulnerabilities

Third-Party Security Vulnerabilities

Organizations and businesses often spend a lot of time worrying about internal security, both online and off. Infrastructure is often put in place with security front and center, as a means to mitigate potential risks and data breaches.

Unfortunately, it doesn’t matter how secure a network or infrastructure is, because there are still ways companies can be attacked.

Third-party products and services are integral to a lot of businesses and are included in a wide variety of processes.

Auditing, compliance monitoring, vendor and partner support, hardware and software monitoring, maintenance and troubleshooting — all these applications may require the use of third-party tools and services. Unfortunately, every single one of them is vulnerable to an outside attack, which means companies involved with them are, too. That also extends to customers and clients.

With each organization or service provider that is involved with business operations, the risks grow exponentially. In many cases, however, companies have to rely on a third party as there’s no other option. That’s where the idea of a third-party risk mitigation strategy or approach comes into play.

It’s necessary to identify, assess and mitigate certain risks associated with third-party dealings and services.

Why Do Third-Party Breaches Matter?

During April and May in 2018, it was revealed that a small group of retailers was compromised by a massive breach, including Best Buy, Sears, Kmart and Delta Airlines. In terms of goods and services, these companies are hardly related. However, they all relied on a third-party brand called [24]7.ai, which offers chat and customer service tools.

It turned out that [24]7.ai had been compromised via a particularly nasty strand of malware resulting in the breach of incredibly sensitive customer information. Some of the stolen data included credit card numbers, expiration dates, CVV info, customer addresses, names and much more.

Thousands of customers from each of the different companies — and then some — were affected by the breach, which was essentially out of the hands of said retailers.

The company was a third-party vendor that all these retailers were doing business with, and yet the breach affected them as if their own systems or networks had been compromised. It shows that third-party breaches can be just as damaging for organizations as internal ones, if not worse.

The [24]7.ai breach wasn’t the only one that occurred last year, however. Additional high-profile attacks were carried out on brands like Saks Fifth Avenue, Lord & Taylor, MyFitnessPal, Universal Music Group, Applebee’s and many others.

Follow the Six-Step Plan

To mitigate the risks associated with third-party vendors and services, it’s always a good idea to follow a strict plan or strategy — ideally one that is set in place before striking up partnerships or signing contracts.

1) First, establish a vendor management or vetting program. Begin with an introductory assessment that reviews how secure a platform is and whether or not there has been a breach in the past. While looking at a new credit card processor, for example, it’s crucial to check if its systems were affected by a data breach before, and if it was, how things have been improved or updated since.

2) Rank all vendors and partners according to risk. Catalog them based not only on the risk they pose, but also the data they handle. If a vendor is riskier than the others on the list but does not deal in sensitive customer information, it may warrant ranking them higher. Furthermore, update this list regularly and often to ensure priorities remain in order.

3) When striking a new partnership or agreement, cover all the bases by ensuring the third party understands what security protocols should be followed, and what that means for general operations. Ultimately, a third party’s security solutions should be considered too, in order to get a grasp on how protected data will be after it’s exchanged.

4) Endpoint security is an absolute must when working with third parties. Ensure it’s been properly deployed and that core business systems are protected at all times.

5) Stay informed about industry events, especially third-party attacks and breaches. The National Vulnerability Database is an excellent resource for checking up on what’s happening.

6) Develop a plan for dealing with a potential breach or attack before something happens. Even if there are no sensitive details lost, it’s important to take proper action. Ensure that a network or access point is under control and no longer compromised. Secure existing data and any incoming information from further attacks. Lock down systems so any intruders who have yet to be identified cannot cause more damage. Watermark’s response to the infamous Spectre and Meltdown vulnerabilities has been exceptional and serves as an example of how to deal with third-party security vulnerabilities in the aftermath of discovery.

Organizations should always have a full understanding of the data available to them and within their reach. Where is it stored? Who has access to the systems and information? How is it protected, and are there ways around the security? How sensitive is the information and what kind of damage will occur if it’s stolen?

These are all critical components of understanding what, how and where certain data is being used, and how to better protect it.

By Kayla Matthews

Jim Fagan

Behind The Headlines: Capacity For The Rest Of Us

Capacity For The Rest Of Us We live in the connected age, and the rise of cloud computing that creates previously unheard of value in our professional and personal lives is at the very heart ...
Darach Beirne

Improve the Customer Experience by Connecting IT Silos

Connecting IT Silos Customer experience (CX) is a top priority for businesses across industries. The interactions and experiences customers have with a business throughout their entire journey – from first contact to becoming a happy ...
Fernando Castanheira

How the Shift to Hybrid Work Will Impact Digital Transformations

The Shift to Hybrid Work Before COVID-19, most enterprises had a digital transformation in flight, but the pandemic threw those programs into hyperdrive. Scrambling to accommodate workforces that were suddenly working online and mostly from ...
David Loo

The Long-term Costs of Data Debt: How Inaccurate, Incomplete, and Outdated Information Can Harm Your Business

The Long-term Costs of Data Debt It’s no secret that many of today’s enterprises are experiencing an extreme state of data overload. With the rapid adoption of new technologies to accommodate pandemic-induced shifts like remote ...
Brian Rue

What’s Holding DevOps Back

What’s Holding DevOps Back And How Developers and Businesses Can Vault Forward to Improve and Succeed Developers spend a lot of valuable time – sometimes after being woken up in the middle of the night ...

CLOUD MONITORING

The CloudTweaks technology lists will include updated resources to leading services from around the globe. Examples include leading IT Monitoring Services, Bootcamps, VPNs, CDNs, Reseller Programs and much more...

  • Opsview

    Opsview

    Opsview is a global privately held IT Systems Management software company whose core product, Opsview Enterprise was released in 2009. The company has offices in the UK and USA, boasting some 35,000 corporate clients. Their prominent clients include Cisco, MIT, Allianz, NewVoiceMedia, Active Network, and University of Surrey.

  • Nagios

    Nagios

    Nagios is one of the leading vendors of IT monitoring and management tools offering cloud monitoring capabilities for AWS, EC2 (Elastic Compute Cloud) and S3 (Simple Storage Service). Their products include infrastructure, server, and network monitoring solutions like Nagios XI, Nagios Log Server, and Nagios Network Analyzer.

  • Datadog

    DataDog

    DataDog is a startup based out of New York which secured $31 Million in series C funding. They are quickly making a name for themselves and have a truly impressive client list with the likes of Adobe, Salesforce, HP, Facebook and many others.

  • Sematext Logo

    Sematext

    Sematext bridges the gap between performance monitoring, real user monitoring, transaction tracing, and logs. Sematext all-in-one monitoring platform gives businesses full-stack visibility by exposing logs, metrics, and traces through a single Cloud or On-Premise solution. Sematext helps smart DevOps teams move faster.