When Third Party Network Access Compromises Security

Almost every organisation encounters situations where there is a need to provide third parties with access to the enterprise network. These external users include hardware or software vendors that deliver remote service and maintenance. Supply chain vendors may seek network access to fulfil orders or monitor inventory. Web services companies need access to build and maintain the company website. The list of people who want to stay close is big and growing.

In the course of their work, many of these partners have the ability to make changes to your data, applications or systems. But what happens if the third party's systems are not secure? What if by facilitating remote access for these partners, you inadvertently open the door to malicious activity on your network?

Analysis of cyber-attacks reveals that malicious attackers are increasingly targeting third-party vendors and supply chain partners. Why? Because third parties often have less sophisticated security policies and controls than the actual target companies. In fact, research shows that 63 percent of data breaches are caused by security vulnerabilities introduced by third parties.

The nature of the risks

When organisations consider the security of remote, external users accessing the network, they often prioritise securing the connection using Virtual Private Networks (VPN) or Virtual Desktop Infrastructure (VDI). While these are a good idea, problems arise when account credentials for the VPN or VDI are put in the hands of the external user. With no central control over the credentials or governing policies, organisations leave themselves vulnerable to their partners' potentially poor credential management tactics, such as storing passwords in a file (or on paper) or sharing credentials.

Lack of security on the third party user’s endpoint is another source of risk. The security of the originating endpoint remains unknown if it is not under the management of the organisation’s IT team. Similarly, there is risk when accounts created by the third party are unknown to the organisation. This leads to an impossible situation. How can the enterprise secure what it doesn't know exists?

Staying safe

Attackers' methods are usually direct: compromise the third party's access points, steal and exploit privileged credentials and gain access to targeted networks. Along their journey they elevate privileges, which allows them to move further through the network and execute attack plans. All this activity falls under the radar, unseen by the company's security systems. Despite this, with appropriate controls and monitoring, there are ways organisations can provide third party access without compromising the security of their networks.

The first requirement is to manage and secure credentials. This means finding all accounts provisioned by your organisation as well as those created by vendors. Included in this discovery process should be all accounts and credentials assigned to users as well as application-to-application accounts accessed using passwords embedded in the application or SSH keys locally stored in the server. For speed and ease, this task is best carried out using a tool designed to scan the network and identify privileged accounts.
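A minimal sketch of that discovery step for a single Linux host, as an added example rather than code from the article or any vendor tool: it lists accounts that can log in interactively, compares them with an inventory of IT-provisioned accounts, and flags SSH keys that carry no `from=` source restriction. The account names, key material, addresses and inventory are all constructed sample data.

```python
# Added example: audit local accounts and SSH keys against a known inventory.
# All sample data (users, keys, addresses) is constructed for illustration.
import shlex

NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001:app deploy:/home/deploy:/bin/bash
acme_support:x:1002:1002::/home/acme_support:/bin/bash
"""
AUTHORIZED_KEYS = {  # user -> contents of ~/.ssh/authorized_keys
    "deploy": 'from="10.0.5.10" ssh-ed25519 AAAAC3EXAMPLEKEY1 ci@build\n',
    "acme_support": "ssh-rsa AAAAB3EXAMPLEKEY2 tech@acme-laptop\n"
                    "# old key\nssh-ed25519 AAAAC3EXAMPLEKEY3\n",
}
APPROVED = {"root", "deploy"}  # assumed inventory of IT-provisioned accounts


def interactive_accounts(passwd_text):
    """Return names of accounts whose shell permits an interactive login."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN:
            names.append(fields[0])
    return names


def audit(passwd_text, keys_by_user, approved):
    """Return (user, finding) pairs for unknown accounts and unrestricted keys."""
    findings = []
    for user in interactive_accounts(passwd_text):
        if user not in approved:
            findings.append((user, "account not in inventory"))
        for line in keys_by_user.get(user, "").splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            tokens = shlex.split(line)  # keeps quoted option values together
            idx = next((i for i, t in enumerate(tokens)
                        if t.startswith(KEY_TYPES)), None)
            if idx is None:
                continue  # not a recognisable key line
            options = tokens[0] if idx else ""
            comment = " ".join(tokens[idx + 2:]) or "<no comment>"
            if "from=" not in options:
                findings.append((user, "key without from= restriction: " + comment))
    return findings
```

On a real host the same functions would be fed the contents of `/etc/passwd` and each user's `authorized_keys` file; the findings are candidates for onboarding into the vault or removal.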

Next, it’s time to shore up any areas of potential compromise by putting the privileged accounts and credentials used by third parties under the full control of IT. An effective approach is to centrally store the credentials in a secure digital vault. Once safely stored and managed, regular, automated rotation of credentials by the system reduces the risks associated with stale credentials.

Isolate and monitor

Other risks arise when unmanaged endpoints accessing the network provide an opportunity for attackers to install and use malware such as key logging software to obtain direct access to sensitive assets. The primary mitigation tactic is to isolate all sessions originating outside the network and from unmanaged devices. This is achieved by requiring that connections go through a jump server, which can provide added security by monitoring and recording privileged sessions.

The jump server protects the target asset in three key ways. It blocks the spread of desktop malware, mitigates the risk of credential theft, and monitors and records every session.

Access to your network by remote, external users from third-party organisations is often a business necessity. While that access can introduce risk, the risk can be mitigated with the proper privileged credential protection, account controls and detection capabilities, including the ability to isolate and contain potential threats. Implementing these controls enables the business to partner effectively with outside parties and still maintain consistent security standards and trust across the enterprise.


Stories by Sam Ghebranious
