Almost every organisation encounters situations where there is a need to provide third parties with access to the enterprise network. These external users include hardware or software vendors that deliver remote service and maintenance. Supply chain vendors may seek network access to fulfil orders or monitor inventory. Web services companies need access to build and maintain the company website. The list of people who want to stay close is big and growing.
In the course of their work, many of these partners have the ability to make changes to your data, applications or systems. But what happens if the third party's systems are not secure? What if by facilitating remote access for these partners, you inadvertently open the door to malicious activity on your network?
Analysis of cyber-attacks reveals that malicious attackers are increasingly targeting third-party vendors and supply chain partners. Why? Because third parties often have less sophisticated security policies and controls than the actual target companies. In fact, research shows that 63 percent of data breaches are caused by security vulnerabilities introduced by third parties.
The nature of the risks
When organisations consider the security of remote, external users accessing the network, they often prioritise securing the connection using Virtual Private Networks (VPN) or Virtual Desktop Infrastructure (VDI). While these are a good idea, problems arise when account credentials for the VPN or VDI are put in the hands of the external user. With no central control over the credentials or governing policies, organisations leave themselves vulnerable to their partners' potentially poor credential management tactics, such as storing passwords in a file (or on paper) or sharing credentials.
Lack of security on the third party user’s endpoint is another source of risk. The security of the originating endpoint remains unknown if it is not under the management of the organisation’s IT team. Similarly, there is risk when accounts created by the third party are unknown to the organisation. This leads to an impossible situation. How can the enterprise secure what it doesn't know exists?
Attackers' methods are usually direct: compromise the third party's access points, steal and exploit privileged credentials and gain access to targeted networks. Along their journey they elevate privileges, which allows them to move further through the network and execute attack plans. All this activity falls under the radar, unseen by the company's security systems. Despite this, with appropriate controls and monitoring, there are ways organisations can provide third party access without compromising the security of their networks.
The first requirement is to manage and secure credentials. This means finding all accounts provisioned by your organisation as well as those created by vendors. Included in this discovery process should be all accounts and credentials assigned to users as well as application-to-application accounts accessed using passwords embedded in the application or SSH keys locally stored in the server. For speed and ease, this task is best carried out using a tool designed to scan the network and identify privileged accounts.
Next, it’s time to shore-up any areas of potential compromise by putting the privileged accounts and credentials used by third parties under the full control of IT. An effective approach is to centrally store the credentials in a secure digital vault. Once safely stored and managed, regular, automated rotation of credentials by the system reduces the risks associated with stale credentials.
Isolate and monitor
Other risks arise when unmanaged endpoints accessing the network provide an opportunity for attackers to install and use malware such as key logging software to obtain direct access to sensitive assets. The primary mitigation tactic is to isolate all sessions originating outside the network and from unmanaged devices. This is achieved by requiring connections go through a jump server, which can provide added security by monitoring and recording privileged sessions.
The jump server protects the target asset in three key ways. It blocks the spread of desktop malware, mitigates the risk of credential theft, and monitors and records every session.
Remote, external users accessing your network from third-party organisations is often a business necessity. While that access can introduce risk, it can be mitigated with the proper privileged credential protection, account controls and detection capabilities, including the ability to isolate and contain potential threats. Implementing these controls enables the business to partner effectively with outside parties and still maintain consistent security standards and trust across the enterprise.
Want to know more?
Why not become a CSO member and subscribe to CSO's mailing list.
Get newsletters, updates, events and more right here