The Ponemon Institute and SecureLink report “A Crisis in Third-party Remote Access Security” shows the gap between the third-party access threats organizations say they face and the security measures they actually have in place. The report notes that remote access has expanded the threat surface over the last 12 months. Among the other key findings: 44% of respondent organizations experienced a breach in the last 12 months, and 74% of those attributed it to granting third parties too much privileged access. Also, 63% say they rely on a third party’s reputation rather than evaluating its security and privacy practices; 61% say their third-party management program does not define or rank risk levels; 63% do not know who has what level of access and permissions; and 54% do not regularly monitor the security and privacy practices of the third parties with which they share sensitive or confidential information.
<p>Recent zero-day vulnerabilities in Apple’s iOS are a stark reminder of the complexity of software security. </p> <p>First, the software is made of many smaller pieces, which are often open source components. In the case of iOS, the vulnerable component was WebKit. Most software products have hundreds, sometimes thousands, of open source components. The security of the whole product is only as good as the security of the components, so it is critically important to understand which components have been used and keep them up to date as vulnerabilities bubble to the surface. </p> <p>Second, handling arbitrary input is always a challenge. While developer training and awareness can help, the very best defense against unexpected and badly formed input is fuzzing during product development. Fuzzing is an automated testing tool that delivers thousands or millions of test cases to a piece of software or software components. When fuzzing causes a failure, the test case can be reproduced so that developers can fix the vulnerability. Incorporated as part of a secure development life cycle, fuzzing helps teams squash zero-day vulnerabilities before the software is distributed to customers.</p>
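<p>The fuzzing loop described in the comment above (generate inputs, detect a failure, reproduce it for the developer) in miniature, as an added example that is not part of the original commentary or of any real fuzzer. The target is a constructed message format and a deliberately buggy parser that trusts its own length field; the mutation strategy, seed and minimization routine are this example's own choices, and the crash shows up as an IndexError where a C parser would read out of bounds.</p>

```python
"""Minimal mutation fuzzer that finds, reproduces and minimizes a crash in a toy parser."""
import random
from typing import Optional, Union

# The target: a deliberately buggy parser for a constructed message format
# [magic 'M'][count][count payload bytes][1-byte checksum].  The bug is that it
# trusts the `count` field and reads past the end of the input (IndexError here;
# an out-of-bounds read in C).  A malformed-but-honest input is rejected with
# ValueError, which is the parser's *expected* failure path, not a bug.
def parse_message(data: bytes) -> dict:
    if len(data) < 3 or data[0] != ord("M"):
        raise ValueError("bad magic or too short")
    count = data[1]
    payload = bytearray()
    for i in range(count):
        payload.append(data[2 + i])          # no check that 2 + count < len(data)
    checksum = data[2 + count]
    if checksum != sum(payload) & 0xFF:
        raise ValueError("checksum mismatch")
    return {"count": count, "payload": bytes(payload)}

def parse_message_fixed(data: bytes) -> dict:
    """Same format, with the bounds check the fuzzer shows is missing."""
    if len(data) < 3 or data[0] != ord("M"):
        raise ValueError("bad magic or too short")
    count = data[1]
    if len(data) != 3 + count:               # magic + count + payload + checksum
        raise ValueError("declared length does not match input")
    payload = data[2:2 + count]
    if data[2 + count] != sum(payload) & 0xFF:
        raise ValueError("checksum mismatch")
    return {"count": count, "payload": bytes(payload)}

EXPECTED = (ValueError,)   # the parser's documented rejection path

def make_seed() -> bytes:
    """One valid message to start mutating from."""
    payload = b"hello"
    return b"M" + bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])

def classify(data: bytes, parser=parse_message) -> Union[str, Exception]:
    """'ok' if accepted, 'rejected' on the expected path, otherwise the crash exception."""
    try:
        parser(data)
        return "ok"
    except EXPECTED:
        return "rejected"
    except Exception as exc:                 # anything else is a bug the fuzzer found
        return exc

def mutate(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                      # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                    # overwrite a byte with a boundary value
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and len(buf) > 1:           # truncate
        del buf[rng.randrange(1, len(buf)):]
    else:                                    # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(iterations: int = 5000, seed: int = 1) -> Optional[bytes]:
    """Return the first crashing input, or None if none was found (deterministic per seed)."""
    rng = random.Random(seed)
    corpus = [make_seed()]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        result = classify(candidate)
        if not isinstance(result, str):
            return candidate                 # reproducible: classify(candidate) crashes again
        if result == "ok" and len(corpus) < 64:
            corpus.append(candidate)         # keep accepted inputs as new mutation bases
    return None

def minimize(crash: bytes) -> bytes:
    """Greedy one-byte-at-a-time reduction that keeps only the bytes needed to crash."""
    cur = bytearray(crash)
    i = 0
    while i < len(cur):
        trial = cur[:i] + cur[i + 1:]
        if not isinstance(classify(bytes(trial)), str):
            cur = trial                      # still crashes without this byte: drop it
        else:
            i += 1
    return bytes(cur)

if __name__ == "__main__":
    crash = fuzz()
    small = minimize(crash)
    print("crash:", crash.hex(), "-> minimized:", small.hex(), repr(classify(small)))
    print("fixed parser on the same input:", classify(small, parse_message_fixed))
```

<p>The minimized reproducer is three bytes (the magic, a count of at least 1, and one more byte), which is exactly the case the original parser never checks; the hardened version rejects it on its documented path. Real fuzzers add coverage feedback and sanitizers on top of this loop, but the find, reproduce, minimize, fix cycle is the same.</p>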
<p>Remote access for third parties has been a particularly pressing issue since the pandemic began, when much of the workforce shifted to the home and new cybersecurity risks emerged as a result. Given these circumstances, it’s unfortunate—but not altogether surprising—that 74% of respondents that suffered a breach said that it was the result of too much third-party privileged access. Such numbers underscore the growing need for comprehensive third-party security risk management that also assesses vendors’ preparedness for remote work by checking for MFA, strong passwords, security awareness training, and more.</p>
<p>It’s important to remember that the attack mechanisms hackers are using are not all new. They succeed simply because of their ability to quickly access our weaknesses through massive and constant vulnerability scanning and then select or craft the best malware available to inject the payload of choice. The actions of the payload may be different – especially with the rise of encrypting ransomware tied to crypto payments – but the actual entry and lateral movement across our enterprises are consistent with known cyber kill chain mechanisms.</p> <p>We just need to be diligent about our system hardening and patching, and have real-time alerts on identity and changes, especially around identity privilege escalation – which hackers use to move around our systems and exfiltrate data.</p>
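<p>What a real-time alert on identity privilege escalation can look like, as an added example that is not part of the commentary above or of any vendor product. The audit events are constructed JSON lines in a generic schema (event names, group names, and the account names such as vendor-acme-01 are this example's assumptions); the two rules flag any addition to a privileged group, rating a self-grant or an unticketed grant higher, and correlate a grant with the target exercising the privilege within a short window, which is the pattern of an attacker elevating and immediately moving laterally.</p>

```python
"""Alert on privileged group grants and on a grant that is used within minutes.

Audit events are constructed JSON lines in a generic schema for this example;
map your directory's or cloud IAM's real event names onto it."""
import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Backup Operators"}
SENSITIVE_EVENTS = {"logon", "file_read"}      # evidence the new privilege is being exercised
USE_WINDOW = timedelta(minutes=15)             # "granted and used straight away" correlation window

# Constructed sample: one routine grant without a ticket, one vendor account adding
# itself to Domain Admins at night and using it immediately, one ticketed grant that is
# later removed, and one change to a non-privileged group that should not alert.
SAMPLE_LOG = """
{"ts":"2021-05-03T09:12:00Z","event":"group_member_added","actor":"ops.admin","target":"svc-backup","group":"Backup Operators"}
{"ts":"2021-05-03T22:41:10Z","event":"group_member_added","actor":"vendor-acme-01","target":"vendor-acme-01","group":"Domain Admins"}
{"ts":"2021-05-03T22:43:05Z","event":"logon","actor":"vendor-acme-01","host":"FS01"}
{"ts":"2021-05-03T22:44:30Z","event":"file_read","actor":"vendor-acme-01","share":"FS01/finance/payroll.xlsx"}
{"ts":"2021-05-04T10:05:00Z","event":"group_member_added","actor":"iam.admin","target":"jdoe","group":"Domain Admins","ticket":"CHG-1042"}
{"ts":"2021-05-04T10:30:00Z","event":"group_member_removed","actor":"iam.admin","target":"jdoe","group":"Domain Admins"}
{"ts":"2021-05-04T11:00:00Z","event":"group_member_added","actor":"iam.admin","target":"jdoe","group":"Marketing"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime in 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return alerts for privileged grants and for grants exercised within USE_WINDOW."""
    alerts = []
    for ev in events:
        if ev["event"] != "group_member_added" or ev["group"] not in PRIVILEGED_GROUPS:
            continue
        self_grant = ev["actor"] == ev["target"]           # an account elevating itself
        severity = "high" if self_grant or "ticket" not in ev else "medium"
        alerts.append({
            "rule": "privileged_grant", "severity": severity, "ts": ev["ts"].isoformat(),
            "actor": ev["actor"], "target": ev["target"], "group": ev["group"],
            "self_grant": self_grant, "ticket": ev.get("ticket"),
        })
        # Grant-then-use: the newly privileged account acts on it within the window.
        used = [e["event"] for e in events
                if e["actor"] == ev["target"] and e["event"] in SENSITIVE_EVENTS
                and ev["ts"] < e["ts"] <= ev["ts"] + USE_WINDOW]
        if used:
            alerts.append({
                "rule": "grant_then_use", "severity": "high", "ts": ev["ts"].isoformat(),
                "target": ev["target"], "group": ev["group"], "actions": used,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["rule"], alert["target"], alert["group"],
              alert.get("actions", ""))
```

<p>The vendor account produces two alerts (a high-severity self-grant and a grant-then-use with the logon and file read), the ticketed change to jdoe produces a medium one that the later removal closes out, and the Marketing change produces none. In production the same two rules sit on a streaming pipeline rather than a list, and the privileged-group set is taken from the directory rather than hard-coded.</p>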
<p>Establishing and verifying trusted digital identity across third-party B2B relationships is especially challenging during the COVID-19 remote work climate. The Governance, Risk, and Compliance (GRC) profile of a contractor or third-party worker is very different when they themselves are offshore and/or operating from an uncontrolled environment. Many such third-party relationships are transactional and have high flux, which further exacerbates the issue. Remote workforce identity proofing (also known as Know Your Employee – KYE) and strong authentication methods are necessary to reduce the attack surface and mitigate this third-party risk. According to Verizon’s Data Breach Investigations Report (DBIR), over 80% of data breaches occur due to stolen credentials. Traditional passwords are easy to compromise, and Two Factor Authentication (2FA) using One Time Passcodes (OTP) over SMS is also vulnerable to man-in-the-middle (MITM) attacks. </p> <p>Enterprises and consumers need to embrace passwordless authentication methods using “phone as a token,” which creates a trusted relationship with a certificate exchange between a user and their smartphone. Also, FIDO security keys can be used, depending on the nature of the transaction and the level of security desired.</p>
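<p>The difference the comment above draws between an SMS passcode and a device-bound credential, shown as an added example that is not part of the original commentary and is not FIDO or WebAuthn code. Both logins are modelled against a phishing site that relays what the victim submits to the real site. One simplification is labelled in the code: a secret registered at enrolment and an HMAC stand in for the per-site asymmetric key and signature a real authenticator uses, so the example needs only the standard library; the property being demonstrated, that the response is bound to the origin the browser is actually connected to and to a single-use challenge, is the same. The site names and the vendor account name are assumptions.</p>

```python
"""Why a relayed SMS code gets an attacker in, and a relayed origin-bound assertion does not."""
import hashlib
import hmac
import secrets

RP_ID = "login.example.com"          # the real site (assumed name)
PHISH_ORIGIN = "login-example.com"    # attacker's look-alike site (constructed)

class RelyingParty:
    """The server side: an SMS-OTP login and an origin-bound challenge/response login."""
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.device_keys = {}          # user -> key registered at enrolment
        self.pending_otp = {}
        self.pending_challenges = {}

    def register_device(self, user, device_key):
        # Stand-in for enrolment: a real authenticator would hand over a public key
        # and keep the private key on the device; here a shared secret is registered.
        self.device_keys[user] = device_key

    # --- SMS one-time passcode ---
    def send_otp(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = code
        return code                    # modelled delivery to the user's phone

    def verify_otp(self, user, code):
        return hmac.compare_digest(self.pending_otp.pop(user, ""), code)

    # --- origin-bound challenge/response ---
    def start_challenge(self, user):
        challenge = secrets.token_bytes(32)
        self.pending_challenges[user] = challenge
        return challenge

    def verify_assertion(self, user, assertion):
        challenge = self.pending_challenges.pop(user, None)   # single use: gone after one check
        if challenge is None or assertion["challenge"] != challenge:
            return False
        if assertion["origin"] != self.rp_id:
            return False
        # HMAC stands in for verifying the device's signature with its public key.
        expected = hmac.new(self.device_keys[user], challenge + self.rp_id.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])

class Phone:
    """The registered device. The browser passes in the origin it is actually connected
    to; the device signs over that, and a phishing page cannot change it."""
    def __init__(self, device_key):
        self.device_key = device_key

    def assert_for(self, challenge, browser_origin):
        sig = hmac.new(self.device_key, challenge + browser_origin.encode(),
                       hashlib.sha256).digest()
        return {"challenge": challenge, "origin": browser_origin, "sig": sig}

def otp_relay_attack(rp, user):
    """Phishing page asks for the SMS code; the victim types it in; the attacker forwards it."""
    code = rp.send_otp(user)              # real site texts the victim
    stolen = code                         # victim enters it on the phishing page
    return rp.verify_otp(user, stolen)    # attacker submits it to the real site

def challenge_relay_attack(rp, user, phone):
    """Attacker starts a real login, relays the challenge to the victim on the phishing
    origin, rewrites the origin field and forwards the assertion to the real site."""
    challenge = rp.start_challenge(user)
    victim_assertion = phone.assert_for(challenge, PHISH_ORIGIN)
    forged = dict(victim_assertion, origin=rp.rp_id)   # field edited, but the MAC covers the real origin
    return rp.verify_assertion(user, forged)

def legitimate_login(rp, user, phone):
    """Genuine login, followed by an attempt to replay the same assertion."""
    challenge = rp.start_challenge(user)
    assertion = phone.assert_for(challenge, rp.rp_id)
    first = rp.verify_assertion(user, assertion)
    replay = rp.verify_assertion(user, assertion)
    return first, replay

def demo(user="vendor-tech-07"):
    """Run all three scenarios for one enrolled third-party account and return the outcomes."""
    rp = RelyingParty(RP_ID)
    device_key = secrets.token_bytes(32)  # established at enrolment
    phone = Phone(device_key)
    rp.register_device(user, device_key)
    first, replay = legitimate_login(rp, user, phone)
    return {"otp_relay_succeeds": otp_relay_attack(rp, user),
            "challenge_relay_succeeds": challenge_relay_attack(rp, user, phone),
            "legitimate_login": first,
            "replay_succeeds": replay}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

<p>The SMS code carries nothing that ties it to where the victim typed it, so the relay succeeds; the device-bound response fails once the attacker relays it, and fails again when the same assertion is replayed because the challenge was consumed. A real deployment gets the origin from the browser rather than from a parameter, and the device keeps a private key the server never sees, which is the part this example simplifies.</p>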