44% of Orgs. Report Breaches Due to 3rd Parties, 74% Cite Privileged Access

The Ponemon Institute and SecureLink report “A Crisis in Third-party Remote Access Security” shows the gap between the third-party access threats organizations say they face and the security measures they actually have in place. The report notes that the threat surface has grown over the last 12 months because of remote access. Among other key findings: 44% of respondent organizations experienced a breach in the last 12 months, and 74% of those attribute it to granting third parties too much privileged access. Also, 63% say they rely on a third party’s reputation instead of evaluating its security and privacy practices; 61% say their third-party management program does not define or rank risk levels; 63% do not know who has what level of access and permissions; and 54% do not regularly monitor the security and privacy practices of third parties with which they share sensitive or confidential information.

Expert Comments

May 06, 2021
Jonathan Knudsen
Senior Security Strategist
Synopsys

Recent zero-day vulnerabilities in Apple’s iOS are a stark reminder of the complexity of software security. 

 

First, the software is made of many smaller pieces, which are often open source components. In the case of iOS, the vulnerable component was WebKit. Most software products have hundreds, sometimes thousands, of open source components. The security of the whole product is only as good as the security of the components, so it is critically important to understand which components have been used and keep them up to date as vulnerabilities bubble to the surface.  

 

Second, handling arbitrary input is always a challenge. While developer training and awareness can help, the very best defense against unexpected and badly formed input is fuzzing during product development. Fuzzing is an automated testing tool that delivers thousands or millions of test cases to a piece of software or software components. When fuzzing causes a failure, the test case can be reproduced so that developers can fix the vulnerability. Incorporated as part of a secure development life cycle, fuzzing helps teams squash zero-day vulnerabilities before the software is distributed to customers.

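To make the fuzzing step concrete, here is a minimal mutational fuzzer, added as an illustration and not part of Knudsen’s comment or of any Synopsys tool. The record format, the deliberately buggy parser, its checked version and the seed input are all constructed for this example. The fuzzer treats the parser’s documented ValueError as a proper rejection of bad input and anything else as a crash, keeps the first crashing input, and shows that it reproduces against the buggy parser while the checked parser survives the same campaign.

```python
import random

# Constructed sample input (not from the page): count=2, then [3]"abc", [2]"xy".
SEED_INPUT = bytes([2, 3]) + b"abc" + bytes([2]) + b"xy"


def parse_records_buggy(data: bytes) -> list:
    """Parses [count][len][payload]... and trusts both count and len.
    If count or a length field lies about the buffer, indexing runs off
    the end and raises IndexError: the kind of crash fuzzing surfaces."""
    count = data[0]
    pos = 1
    records = []
    for _ in range(count):
        length = data[pos]
        pos += 1
        records.append(data[pos:pos + length])
        pos += length
    return records


def parse_records_fixed(data: bytes) -> list:
    """Same format, but every field is checked against the buffer and
    malformed input is rejected with ValueError instead of crashing."""
    if not data:
        raise ValueError("empty input")
    count = data[0]
    pos = 1
    records = []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("count exceeds data")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("record length exceeds data")
        records.append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes")
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, truncation, byte insertion, or byte bump."""
    buf = bytearray(data)
    op = rng.choice(("flip", "truncate", "insert", "bump"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "truncate" and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "bump" and buf:
        i = rng.randrange(len(buf))
        buf[i] = (buf[i] + rng.randrange(1, 256)) % 256
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int = 5000, seed: int = 0):
    """Feed mutated inputs to parser. ValueError is the parser's documented
    rejection of bad input; any other exception is a crash. Returns the first
    crashing input with its exception, or None if nothing crashed."""
    rng = random.Random(seed)
    corpus = [seed_input]
    for _ in range(iterations):
        case = mutate(rng.choice(corpus), rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            return case, exc
        corpus.append(case)  # inputs that parse cleanly seed further mutations
    return None


def reproduce(parser, case: bytes):
    """Re-run a saved crashing input; returns the exception class name or None."""
    try:
        parser(case)
        return None
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    crash = fuzz(parse_records_buggy, SEED_INPUT)
    print("buggy parser crash:", crash and (crash[0].hex(), repr(crash[1])))
    print("fixed parser crash:", fuzz(parse_records_fixed, SEED_INPUT))
```

The saved crashing case is the artifact developers need: it is replayed with reproduce() exactly as the comment describes, and the same case is what a regression test would carry forward once the parser is fixed.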
May 05, 2021
Demi Ben-Ari
CTO
Panorays

Remote access for third parties has been a particularly pressing issue since the pandemic began when much of the workforce shifted to the home and new cybersecurity risks emerged as a result. Given these circumstances, it’s unfortunate—but not altogether surprising—that 74% of respondents that suffered a breach said that it was the result of too much third-party privileged access. Such numbers underscore the growing need for comprehensive third-party security risk management that also assesses vendors’ preparedness for remote work by checking for MFA, strong passwords, security awareness training, and more.

May 05, 2021
Garret F. Grajek
CEO
YouAttest

It’s important to remember that the attack mechanisms hackers are using are not all new. They succeed simply because of their ability to quickly access our weaknesses through massive and constant vulnerability scanning and then select or craft the best malware available to inject the payload of choice. The actions of the payload may be different - especially with the rise of encrypting ransomware tied to crypto payments - but the actual entry and lateral movement across our enterprises are consistent with known cyber kill chain mechanisms.

 

We just need to be diligent about our system hardening and patching, and have real-time alerts on identity and changes, especially around identity privilege escalation - which hackers use to move around our systems and exfiltrate data.

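As an added illustration of the real-time alerting on identity privilege escalation that Grajek calls for (example code, not from the commenter or from YouAttest), the following detection logic runs over a handful of constructed Windows Security events shaped as JSON records. The event IDs 4728, 4732 and 4756 are the real Windows “member added to a security-enabled global/local/universal group” events; the privileged-group list, the approved-admin set and the ext- naming prefix for third-party accounts are assumptions to be tuned per environment.

```python
# Constructed sample events shaped like Windows Security log records exported
# as JSON. They are not real telemetry. The event IDs are the real Windows ones:
# 4728/4732/4756 = member added to a security-enabled global/local/universal group.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=asmith,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "svc-helpdesk", "TargetUserName": "Domain Admins",
     "MemberName": "CN=ext-vendor01,OU=Contractors,DC=corp,DC=example"},
    {"EventID": 4756, "SubjectUserName": "badmin", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=backup-svc,OU=Service Accounts,DC=corp,DC=example"},
]

GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
# Assumed set of privileged groups to watch; tune to the environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Assumed (hypothetical) naming convention: third-party accounts carry this prefix.
THIRD_PARTY_PREFIX = "ext-"
# Assumed (hypothetical) accounts allowed to change privileged group membership.
APPROVED_ADMINS = {"badmin"}


def member_cn(dn: str) -> str:
    """Pull the CN out of a distinguished name like CN=name,OU=...; fall back to the raw value."""
    for part in dn.split(","):
        if part.upper().startswith("CN="):
            return part[3:]
    return dn


def detect_privileged_group_changes(events):
    """Return one alert dict per addition to a privileged group. Severity is
    raised to critical when the actor is not an approved admin or the new
    member is a third-party account; otherwise the change is still alerted
    as high so it can be matched against a change ticket."""
    alerts = []
    for e in events:
        if e.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group = e.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        member = member_cn(e.get("MemberName", ""))
        actor = e.get("SubjectUserName", "")
        reasons = [f"added to {group}"]
        if actor not in APPROVED_ADMINS:
            reasons.append(f"actor {actor} not approved")
        if member.startswith(THIRD_PARTY_PREFIX):
            reasons.append("member is a third-party account")
        alerts.append({
            "event_id": e["EventID"],
            "scope": GROUP_ADD_EVENTS[e["EventID"]],
            "actor": actor,
            "member": member,
            "group": group,
            "severity": "critical" if len(reasons) > 1 else "high",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_group_changes(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["member"], "->", alert["group"], "by", alert["actor"],
              "|", "; ".join(alert["reasons"]))
```

The logon event and the Remote Desktop Users change pass through silently; the contractor account landing in Domain Admins via an unapproved service account is the critical alert, and the approved admin’s Enterprise Admins change is still surfaced so it can be reconciled against a ticket.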
May 05, 2021
Rajiv Pimplaskar
Vice President
Veridium

Establishing and verifying trusted digital identity across 3rd party B2B relationships is especially challenging during the COVID19 remote work climate. The Governance, Risk, and Compliance (GRC) profile of a contractor or 3rd party worker is very different when they themselves are offshore and/or operating from an uncontrolled environment. Many such 3rd party relationships are transactional and have high flux, which further exacerbates the issue. Remote workforce identity proofing (also known as Know Your Employee - KYE) and strong authentication methods are necessary to reduce the attack surface and mitigate this third-party risk. According to Verizon’s Data Breach Investigations Report (DBIR), over 80% of data breaches occur due to stolen credentials. Traditional passwords are easy to compromise, and Two Factor Authentication (2FA) using One Time Passcodes (OTP) over SMS is also vulnerable to Man-in-the-Middle (MITM) attacks.

 

Enterprises and consumers need to embrace passwordless authentication methods using “phone as a token” which creates a trusted relationship with a certificate exchange between a user and their smartphone.  Also, FIDO security keys can be used, depending on the nature of the transaction and the level of security desired.

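An added example (not from the commenter or from Veridium) of why an origin-bound authenticator resists the relay attack that defeats SMS OTP. It models a real-time phishing MITM: the attacker fetches a genuine challenge from the relying party and relays whatever the victim produces on a lookalike site. An HMAC key shared at registration stands in for the authenticator’s asymmetric signature so the example needs only the standard library, and both origins are made up. The security-relevant property, that the browser binds the origin it actually visited into the signed message and the relying party checks it against its own origin, is the one FIDO/WebAuthn relies on.

```python
import hmac
import hashlib
import secrets

RP_ORIGIN = "https://bank.example"           # assumed legitimate site
PHISH_ORIGIN = "https://bank-login.example"  # assumed attacker lookalike


class Authenticator:
    """Simplified phone-as-a-token / security-key authenticator. Real FIDO
    authenticators sign with a per-site asymmetric key; an HMAC key shared at
    registration stands in for that signature here. What matters is preserved:
    the signed message includes the origin the browser actually connected to."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, challenge: bytes, origin: str) -> bytes:
        return hmac.new(self.key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.keys = {}
        self.pending_otp = {}

    def register(self, user: str, key: bytes):
        self.keys[user] = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_assertion(self, user: str, challenge: bytes, signature: bytes) -> bool:
        """Recomputes over the RP's OWN origin, so a signature made for a
        different origin never matches."""
        expected = hmac.new(self.keys[user], challenge + b"|" + self.origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

    def send_sms_otp(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = code
        return code  # "delivered" to the user's phone

    def verify_otp(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.pending_otp.pop(user, ""), code)


def setup(user: str = "alice"):
    """Enrol one user: the authenticator and RP share the (stand-in) key."""
    rp = RelyingParty(RP_ORIGIN)
    key = secrets.token_bytes(32)
    rp.register(user, key)
    return rp, Authenticator(key), user


def otp_login_through_phisher(rp, user) -> bool:
    """Victim is on PHISH_ORIGIN. The attacker starts a real login at the RP,
    the SMS code lands on the victim's phone, the victim types it into the
    lookalike page, and the attacker relays it. The code carries no origin,
    so the RP cannot tell it was relayed."""
    code_on_phone = rp.send_sms_otp(user)
    code_relayed_by_attacker = code_on_phone
    return rp.verify_otp(user, code_relayed_by_attacker)


def fido_login_direct(rp, user, auth) -> bool:
    challenge = rp.new_challenge()
    return rp.verify_assertion(user, challenge, auth.sign(challenge, rp.origin))


def fido_login_through_phisher(rp, user, auth) -> bool:
    """Same relay, but the victim's browser hands the authenticator the origin
    it is really on (PHISH_ORIGIN), so the relayed assertion fails at the RP."""
    challenge = rp.new_challenge()                  # attacker fetched it from the real RP
    signature = auth.sign(challenge, PHISH_ORIGIN)  # signed in the victim's browser
    return rp.verify_assertion(user, challenge, signature)


if __name__ == "__main__":
    rp, auth, user = setup()
    print("SMS OTP relayed by phisher accepted:", otp_login_through_phisher(rp, user))
    print("FIDO direct login accepted:        ", fido_login_direct(rp, user, auth))
    print("FIDO relayed by phisher accepted:  ", fido_login_through_phisher(rp, user, auth))
```

The OTP relay succeeds because the six digits are the same wherever they are typed; the origin-bound assertion fails because the challenge was signed together with the lookalike origin and the relying party only accepts signatures over its own.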
