Recent Breaches Show Third-Party Attacks Is The New Hack

By ISBuzz Team | May 11, 2017 | Updated: July 4, 2024 | 5 Mins Read

Most organizations today view the question of being hacked as not if, but when. Cybercriminals are adapting and evolving how they breach enterprises, and are more targeted than ever in stealing the highest-value information from an organization—from sensitive documents to personal banking information to new episodes of a hit show.

The recent ransomware attack against producers of Orange is The New Black occurred when hackers obtained the media content by hacking one of the show’s third-party post-production vendors. This pattern of attacking weak surrounding parties to go after high-profile targets has proven to be increasingly common in the entertainment industry. The recent Orange is The New Black breach demonstrates why third-party security remains a particular challenge for all organizations, even for the largest brands with the most robust security budgets and policies. The true challenge of protecting critical systems lies in the difficult task of balancing security with productivity, speed, and efficiency.

Third-party vendors are members of a wider group of individuals or entities with special access to IT networks called privileged users. These individuals are among the most treasured targets for hackers looking to reach sensitive information because of their elevated level of access. Privileged credentials pose challenges for organizations in a number of ways; even companies with a sophisticated security strategy may not have a great grasp on how to define who represents a “privileged” user.

This issue is a significant vulnerability in corporate security strategies. For example, according to the 2017 Verizon Data Breach Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords. Companies aren’t spending enough time ensuring that third parties or individual privileged users have access only to exactly the systems and information they need to do their jobs. Meanwhile, hackers are getting better at impersonating legitimate individuals with authentic credentials. In this environment, third parties and others with privileged access must be constantly vetted to ensure that their access doesn’t go deeper into the network than it needs to.

According to Bomgar, 67% of global IT decision makers reported suffering a breach due to unsecured third-party access, and only 34% of organizations can track their business vendors’ log-ins. This is extremely concerning because, using credentials stolen from a vendor, hackers can easily infiltrate and move laterally around a network undetected.

Security-conscious businesses are using privileged access management solutions that secure, manage, and administer shared credentials for privileged users and external contractors and vendors. With this technology, companies can change, manage, and update passwords without the user ever seeing or knowing them. Privileged access management technology allows organizations to improve security, compliance, and productivity. It also enables an organization’s security professionals and IT administrators to quickly find and gain control of privileged credentials, and to manage and rotate passwords.

Implementing privileged access management technology is critical, but it’s not the only thing companies must do to be prepared for a breach. Below are a few considerations to keep top of mind:

  • Review remote access tools in use. Like online document sharing services and apps, remote access tools are often downloaded for free and can proliferate among both employees and third parties. These tools may be in use without IT’s knowledge or consent, and they could provide unauthorized access to almost anyone outside the network who obtains the credentials. IT must perform a complete scan to determine if these basic remote access software tools are in use and, if so, block them to eliminate unnecessary access points.
  • Evaluate permission settings. As mentioned above, access to the IT infrastructure should be viewed by role—the majority of vendors only need access to a single or very small set of systems on the network. Even within this group, they likely don’t need full-time access to those systems. Organizations should utilize a remote support tool that includes permission settings by vendor or team, so they can decide who can access what, and when.
  • Keep audit logs. Compliance and regulatory concerns, particularly in certain industries such as healthcare or finance, are priorities for many organizations. Secure access solutions should capture and store session logs of all activity, providing a record of how the technology is being utilized—and by whom. That way, all secure access to IT systems is centrally audited and recorded, providing greater insight into the activities of third-party providers.
  • Provide unique log-in credentials. Every third-party technician should have his or her own unique login credentials. Vendors will often use simple or shared login credentials with no multi-factor requirement, making them an easy target for hackers with keystroke loggers. Once hackers have legitimate credentials for a system, they can pose as a legitimate user and potentially gain direct access to all systems available to that account. From there, experienced cybercriminals often know how to use malware such as ransomware and other tactics to further exploit the organization.
  • Use multi-factor authentication. A secure access solution should be configured for multi-factor authentication to add another layer of security. This will not only make it more difficult for a hacker to use stolen vendor credentials, but also improve compliance with industry regulations concerning data protection.
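
The permission, audit-log, unique-credential and multi-factor considerations above can be checked against recorded vendor sessions. The following Python is an added example, not part of the original article; the log format, account names, addresses, systems and policy are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed policy: systems each vendor account may reach and the hours (UTC) it may connect.
POLICY = {
    "acme-post.jdoe": {"systems": {"render-01"}, "hours": range(8, 18)},
    "acme-post.ops": {"systems": {"render-01", "media-store"}, "hours": range(8, 18)},
}

# Constructed session log: timestamp, account, source address, target system, MFA flag.
SESSIONS = """\
2017-05-02T09:14:00 acme-post.jdoe 198.51.100.10 render-01 mfa=yes
2017-05-02T23:40:00 acme-post.jdoe 198.51.100.10 render-01 mfa=yes
2017-05-03T10:02:00 acme-post.jdoe 198.51.100.10 finance-db mfa=yes
2017-05-03T11:15:00 acme-post.ops 203.0.113.5 media-store mfa=no
2017-05-03T11:50:00 acme-post.ops 203.0.113.77 media-store mfa=yes
2017-05-04T12:00:00 other-vendor.tmp 203.0.113.9 render-01 mfa=yes
"""

def audit(log_text, policy=POLICY):
    """Return (line_number, account, finding) tuples; line 0 marks account-level findings."""
    findings, sources = [], defaultdict(set)
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ts, account, source, system, mfa = line.split()
        rule = policy.get(account)
        if rule is None:  # access nobody approved: no permission entry exists
            findings.append((n, account, "no-policy"))
            continue
        sources[account].add(source)
        if system not in rule["systems"]:
            findings.append((n, account, "system-out-of-scope"))
        if datetime.fromisoformat(ts).hour not in rule["hours"]:
            findings.append((n, account, "outside-window"))
        if mfa != "mfa=yes":
            findings.append((n, account, "no-mfa"))
    # Heuristic: one account seen from several addresses suggests a shared login.
    for account in sorted(sources):
        if len(sources[account]) > 1:
            findings.append((0, account, "shared-credential"))
    return findings

if __name__ == "__main__":
    for finding in audit(SESSIONS):
        print(finding)
```

The multi-address check is only a heuristic for shared logins; a technician who legitimately connects from more than one address will also trigger it and needs manual review.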

Without the proper controls, sensitive data could land in the wrong hands – this is a quick and surefire way to create a firestorm of negative brand association and organizational chaos. Companies and individuals alike must be cautious and proactive when it comes to third-party access – the alternative can be catastrophic.

About Sam Elliott
