Third-party or supply chain attacks are breaches that occur when an attacker takes advantage of a third party vulnerability and exploits it to access your systems and applications. The SolarWinds attack was one of the most high-profile third-party attacks, risking their customers that include Fortune 500 companies, top US accounting firms, the US Military, and more.
Most organizations consume deliverables and services from third party vendors, from deliveries to development to marketing. To collaborate, both businesses need to share information, systems and network access. These partnerships have a positive impact on the company’s ability to grow and deliver. However, they also pose a security risk. This blog post will detail how partners and other third parties make corporate networks vulnerable to perpetrators and how to overcome this issue by enforcing zero trust access.
Businesses connect with external vendors for a number of very legitimate reasons, including:
Leveraging external talent
Executing temporary projects
Examining directions and possibilities
Being unable to recruit talent
However, third parties are usually not subject to the same security policies a company has. The company’s IT team cannot instruct the vendor to use certain devices, authentication services, or encryptions, for example. There is also the risk that a disgruntled employee might deliberately steal data or create some form of sabotage. In addition, vendors are not a part of their network, so they cannot monitor malware and attackers.
Yet, third parties need access to the company’s systems to be able to work together efficiently. As a result, many IT teams choose to provide vendors access via a corporate VPN or collaborate through a third (fourth) party like Dropbox or Google Drive.
Relying on an external party is risky because you have to trust them and their security policies. But what about VPNs? Let’s look at the security challenges it poses to cybersecurity posture.
Agility - connecting vendors to third parties is a bulky and difficult process. Some companies may need to give the vendors a hard token, which requires logistical effort and counteracts agility. Some might even decide not to invest the effort in small vendors for this reason.
Security - VPNs are not a secure method. Built-in vulnerabilities can be identified by automated internet scanners and exploited by hackers. In addition, VPNs grant excessive trust. They connect the user directly to the network, without layer 7 visibility or accountability.
Trusting the Vendor’s Clients - When your vendor has network access, your vendor’s customers have network access, your vendor’s customers’ vendors have network access, your vendor’s customers’ vendors’ customers have network access… and one of them could be attacked or malicious.
Here are five methods to enable third party network access while protecting the network.
Give vendors access only to the systems and micro segments they must have access to to complete their tasks. If you’re using a VPN, connect it to a micro-segmentation of the network. Zero Trust enables giving users access per system, application or asset, even to third parties and vendors.
Incorporate authentication methods like multi-factor authentication (MFA) to reduce the risk of malicious bots or brute force attacks gaining access to your system through vendors. Zero Trust authentication validates each user and device any time they attempt to gain access to systems and apps.
Regularly update systems and programs to their latest versions. Patch systems to prevent security vulnerabilities.
Validate each device with a digital certificate. Require certificate identification from each device and ensure validity through a different server. Cyolo uses digital certificates to authenticate third party devices.
Log and record all user sessions. This will enable you to review and audit user actions and identify suspicious behavior that could signal an attack. VPNs do not provide visibility into the system’s packets. Zero trust networks enable monitoring all devices. Cyolo also enables real-time user session monitoring.
Zero Trust enables secure third-party access to organizational systems by protecting the crown jewels from attackers even if they are in the network.
Zero trust enables IT managers to manage third party access by:
Granting specific user/device access
Limiting the access time frame
Limiting access rights
Recording and auditing user sessions
Therefore, Zero Trust is recommended for organizations who work with third parties. Zero trust can replace or complement VPNs for better security and performance.
Eran Shmuely is the Chief Architect and Co-Founder of Cyolo. Prior to Cyolo, Eran was the Senior Security Engineer at Salesforce and the Open-Source Security Research Leader at GE Digital.