Cyberattacks targeting the IT monitoring software provider SolarWinds led to one of the highest-profile breaches of the past decade, if not all time. Though the SolarWinds breach was initially disclosed late in 2020, security researchers are still trying to assess its full extent. Known victims include multiple U.S. government agencies such as the Energy Department (DOE) and National Nuclear Security Administration (NNSA), entities responsible for maintaining the national nuclear weapons stockpile, as well as major technology companies like Microsoft and cybersecurity firm FireEye, and more than 18,000 other SolarWinds customers.
Industry experts continue to deconstruct what happened, but there’s widespread agreement that the breach’s severity highlights the need for both public and private sector organizations to adopt a more proactive approach to managing cybersecurity risk.
Of course, third-party and supply chain-based risks aren’t a new phenomenon. But today’s business computing ecosystems are far more complex and interconnected than they were even a few years ago. The average organization now gives 182 different vendors some type of access to its IT environment on a weekly basis. Worryingly, however, 58% of security leaders believe their organization has suffered a vendor-related breach at some point in the past.
Thinking critically about vendor-related data security and supply chain risks.
The chain of events leading up to the SolarWinds incident likely began sometime in mid-2019 if not earlier. By this time, the situation that SolarWinds customers found themselves in — having granted access to their organizations’ private internal networks to many more people, services, and other entities than they were aware of — was commonplace. Many security leaders and other business stakeholders don’t know exactly who all their partners are, how much privileged access they possess, or which resources they can access on the company’s behalf.
For all of us who are concerned with mitigating cybersecurity risks, the SolarWinds breach can and should serve as a valuable wake-up call. Vendors and partners have already provided the entry points exploited in some of the biggest breaches in history (the origins of the 2013 Target breach were traced back to network credentials stolen from an HVAC subcontractor, for instance), and these kinds of attacks will only become more prevalent in the future. It’s incumbent upon all of us to set strong policies, follow cybersecurity best practices, and share threat intelligence openly. After all, these days, we’re all in this together.
In particular, here at BTB Security, we recommend that organizations:
#1: Adhere to the law of least privilege at all times.
When granting IT resource access to third-party suppliers and contractors, you’ll need to balance security with perceived efficiency and speed. But no one should ever have more privileges or more access than the bare minimum that they need to do their job. You’ll need to think carefully about the role that each third party plays within your organization and ensure that you’re restricting user rights appropriately.
#2: Segment your network, just in case.
Dividing your network into multiple smaller subnets and ensuring that individuals only have access to the areas of the network that they really need is another version of the law of least privilege. Network segmentation has the added benefit of ensuring that vulnerabilities posed by unpatched software or devices won’t become an open doorway to the rest of the environment and that one employee’s accidental click on a link in a phishing email won’t result in malware spreading unchecked across the organization’s network.
In particular, you can create a separate network segment for vendors and partners who need access. This area can have its own firewall and be monitored for suspicious traffic or anomalous user behaviors. It’s also a good idea to monitor third-party user accounts — especially those with elevated privilege — for signs of trouble or abuse.
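As an added illustration of the vendor-segment monitoring described above (example code written for this page, not BTB Security's own tooling), the following Python checks access events against a per-vendor policy and flags third-party accounts that reach outside the vendor segment, touch hosts they were never granted, or perform elevated actions without an admin grant. The segment range, account names, policy and log lines are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Constructed policy (assumption): each third-party account is confined to the
# vendor segment and may only reach the hosts it was explicitly granted.
VENDOR_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
VENDOR_POLICY = {
    "vendor-hvac": {"allowed_hosts": {"10.50.0.10"}, "admin": False},
    "vendor-mdr": {"allowed_hosts": {"10.50.0.20", "10.50.0.21"}, "admin": True},
}

@dataclass
class Finding:
    account: str
    dst: str
    reason: str

def parse_line(line):
    """Parse one constructed log line: 'account=<a> dst=<ip> action=<login|admin>'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["account"], fields["dst"], fields["action"]

def check_vendor_access(lines):
    """Return a Finding for every event that breaks the vendor-segment policy."""
    findings = []
    for line in lines:
        account, dst, action = parse_line(line)
        policy = VENDOR_POLICY.get(account)
        if policy is None:
            continue  # internal account, not a third party; out of scope here
        if ipaddress.ip_address(dst) not in VENDOR_SEGMENT:
            findings.append(Finding(account, dst, "destination outside vendor segment"))
        elif dst not in policy["allowed_hosts"]:
            findings.append(Finding(account, dst, "host not granted to this vendor"))
        if action == "admin" and not policy["admin"]:
            findings.append(Finding(account, dst, "elevated action by non-admin vendor"))
    return findings

# Constructed sample events for a stand-alone run.
SAMPLE_LOG = [
    "account=vendor-hvac dst=10.50.0.10 action=login",
    "account=vendor-hvac dst=10.0.1.5 action=login",    # left the vendor segment
    "account=vendor-hvac dst=10.50.0.10 action=admin",  # privilege it was never granted
    "account=vendor-mdr dst=10.50.0.21 action=admin",
    "account=vendor-mdr dst=10.50.0.30 action=login",   # segment host not in its grant
    "account=alice dst=10.0.1.5 action=admin",          # internal staff, not a vendor
]
if __name__ == "__main__":
    for f in check_vendor_access(SAMPLE_LOG):
        print(f"{f.account} -> {f.dst}: {f.reason}")
```

In practice the policy would be loaded from your vendor access register and the events from firewall or authentication logs, so the same check can run continuously rather than over a fixed list.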
#3: An active third-party management program can dramatically reduce supply chain risk.
Who’s watching the watchers? If you’re looking to simplify IT operations and eliminate infrastructure by moving applications to the cloud, you’ll no longer be responsible for the security (or compliance) of the physical infrastructure, but you’ll still be responsible for making sure that your cloud provider is doing what they’ve promised to do. You remain the steward of your own data, and you’ll still need to oversee your vendors and service providers.
Regardless of who your third-party partners are, you should establish consistent requirements and policies that you can assess your vendors against. These policies should be written on the basis of your individual organization’s real-world risks as well as your risk tolerance. While there’s a great deal of variation in the questions that you might want to ask, the general idea is to validate their security posture and understand how seriously they take risk reduction and how many resources they are devoting to it.
Different vendors bring different levels of risk, so you’ll likely vet a prospective janitorial service provider differently from a managed detection and response (MDR) provider or other cybersecurity partners.
Conducting third-party assessments can be a complex and time-consuming process, but it’s a worthwhile endeavor. If you’re looking for guidance along the way, check out our CISO Advisory practice. We routinely conduct third-party assessments on behalf of our clients, and a member of our expert team would be happy to tell you more about what the process entails. For more information on this and other cybersecurity best practices, visit www.btbsecurity.com.