[BreachExchange] Building a network of trust: Don't let partners be your weakest link in cybersecurity

Destry Winant destry at riskbasedsecurity.com
Thu Jul 6 00:48:04 EDT 2017


http://www.zdnet.com/article/building-a-network-of-trust-dont-let-partners-be-your-weakest-link-in-cybersecurity/

As technology and its implementation continue to grow in scale and
complexity, organizations increasingly look to third-party vendors and
partners to help accomplish their goals. In short, with the modern
extended enterprise, "there's a lot more reliance on outsiders," said
451 Research security analyst Garrett Bekker.

Vendors and partners can be useful in helping enterprises take full
advantage of emerging tech tools; however, the extent to which
businesses are bringing them into their environment can cause some
problems in managing the organization. And this often goes beyond
working with a handful of partners -- one large financial institution
in New York once had around 20,000 external vendors that it dealt
with, Bekker said.

In addition to complexity of management, vendors also bring new
vulnerabilities into an organization. Partners and vendors have their
own processes, their own methods, and their own authentication
practices, and could provide a way into your network for attackers.
The widely-cited Target hack, in which a compromised vendor led to a
data breach for the retail giant, is one example of this.

Still, it's nearly impossible to do business today without working
with vendors or partners in some capacity. Fortunately, there are some
steps that IT and business leaders can take to protect their
organizations. Here are five best practices for proper cybersecurity
in vendor and partner relationships.

1. Know what you're protecting

As simple as it sounds, the first step to protecting your organization
is clearly understanding what data you have, where it resides, how
much of it is sensitive, and how you can control access to it. Some
businesses fail to even understand the scale of their infrastructure.
Bekker said that he has worked with companies in the past that, when
questioned, think they have around 200 databases -- when the real
number was revealed to be closer to 5,000.

It may be nearly impossible to track down every single asset, but at
the bare minimum all of an organization's mission-critical and
sensitive data should be accounted for. After locating where that data
lives, make sure that no third-party partners and vendors have access
to that location, if possible, Bekker said. If they need certain data,
consider establishing a proxy from your organization who can access it
on their behalf.

Sensitive resources should be treated with the utmost care, and
organizations should implement multi-factor authentication to make it
more difficult for a third party to access it. Consider what levels of
access partners will have, and what data that gives them access to.
Also, adopt tools to monitor third-party movement in your network,
Bekker said, and be on the lookout for any patterns that may be out of
the ordinary.

"Look for anything suspicious, like, 'Hey, why is this admin
downloading all of these files at three o'clock in the morning on a
Saturday night, and saving them to a thumb drive?'" Bekker said.
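The off-hours bulk-download pattern Bekker describes can be turned into a simple detection rule. The following is an added example, not code from the article or from 451 Research: it runs over constructed access-log lines, and the log format, the "vendor" account class, the 22:00 to 06:00 off-hours window and the threshold of five downloads are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data): timestamp, account,
# account class, action, object. 2017-07-01 is a Saturday.
SAMPLE_LOG = """\
2017-07-01T03:02:11 vendor-svc-acme vendor DOWNLOAD /finance/q2/ledger-01.xlsx
2017-07-01T03:02:19 vendor-svc-acme vendor DOWNLOAD /finance/q2/ledger-02.xlsx
2017-07-01T03:02:27 vendor-svc-acme vendor DOWNLOAD /finance/q2/ledger-03.xlsx
2017-07-01T03:02:40 vendor-svc-acme vendor DOWNLOAD /finance/q2/ledger-04.xlsx
2017-07-01T03:03:02 vendor-svc-acme vendor DOWNLOAD /finance/q2/ledger-05.xlsx
2017-07-01T03:03:15 vendor-svc-acme vendor DOWNLOAD /finance/q2/ledger-06.xlsx
2017-07-03T10:15:00 jdoe employee DOWNLOAD /hr/handbook.pdf
2017-07-03T10:16:00 jdoe employee DOWNLOAD /hr/policy.pdf
2017-07-03T14:20:00 vendor-svc-acme vendor DOWNLOAD /finance/q2/ledger-07.xlsx
2017-07-04T02:10:00 bbuilder employee DOWNLOAD /eng/build.log
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (employee|vendor) (\S+) (\S+)$")
OFF_HOURS_START, OFF_HOURS_END = 22, 6  # assumed business-hours boundary
BULK_THRESHOLD = 5                       # assumed: >= 5 off-hours downloads per day

def parse_line(line):
    """Parse one assumed-format log line; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, account, cls, action, obj = m.groups()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "class": cls, "action": action, "object": obj}

def is_off_hours(ts):
    """Weekend, or a weekday outside the assumed 06:00-22:00 window."""
    return ts.weekday() >= 5 or ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END

def flag_bulk_off_hours_downloads(log_text, threshold=BULK_THRESHOLD):
    """Return (account, day, count) for third-party accounts whose off-hours
    downloads on a single day reach the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "DOWNLOAD" or ev["class"] != "vendor":
            continue  # only third-party movement is in scope for this rule
        if is_off_hours(ev["ts"]):
            counts[(ev["account"], ev["ts"].date().isoformat())] += 1
    return sorted((a, d, n) for (a, d), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for account, day, n in flag_bulk_off_hours_downloads(SAMPLE_LOG):
        print(f"ALERT: {account} made {n} off-hours downloads on {day}")
```

The daytime Monday download by the same vendor account and the employee's own off-hours activity are deliberately left out of the alert, so the rule isolates the third-party, off-hours, bulk combination the text warns about.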

Other questions to ask are whether or not sensitive data is encrypted,
and whether the organization has a data loss prevention plan in place
and the proper tools to implement it. This could help mitigate some of
the damage done by a breach.

2. Know the outsiders

Once an organization understands what's at stake, it must also
consider the weight of bringing outside vendors into its environment.
Even if both parties share the same goals for their partnership, they
may approach it in completely different ways.

Because of this, company leaders must seek to understand just how many
third parties they are doing business with. At the onset, this seems
easy, but there are almost always more variables lurking below the
surface. Determining the number of companies with which a formal
contract has been drafted is one thing, but security leaders must also
develop a strategy for addressing shadow IT.

Because some employees or managers are so used to the instant
gratification offered by cloud apps, they may be willing to bypass the
IT vetting process for new tools and services.

"A certain department has a project to get done, and they don't want
to wait for IT, they'll just go out and download a SaaS application,
or open an account with a SaaS application, pay for it on their own
account, and expense it through their project budget," Bekker said.

Now, you have a bunch of other third parties involved in your
organization, whether you want them there or not. So, work on
developing a policy around shadow IT, and allow for open
communication. After all, you cannot secure a vendor if you don't know
that they are a partner in your organization.

3. Determine your metrics for security

In order to keep vendors and partners from becoming a weak link in
cybersecurity, businesses must determine the metrics by which they
will measure third parties' performance. John Pironti, president of IP
Architects, noted in a paper that proper metrics will initially
provide both positive and negative thresholds for performance, along
with business context that can be used to weigh the behavior.

When possible, the third parties in question should be looped into the
process and made aware of the metrics. This will allow for the
development of common language to be used in the measurements, and for
both sides to understand what is expected of them, Pironti noted in
his report. Some metrics will be actionable, while others will merely
be informational, and it is important to denote the difference.

Make sure legal signs off on the metrics in question, too. "In some
cases their existence can be considered a liability to the
organization and should not be generated or documented," Pironti
wrote.

Finally, be consistent in both collecting data on these metrics and
processing it, Pironti wrote. This makes the metrics more useful
historically, as they can be compared and contrasted across the life
of a vendor relationship.

4. Address risk in your contract

Addressing risk directly in your vendor or partner contract goes
beyond simple metrics by outlining exactly what's expected from each
partner, and clearly laying out the consequences of contrary behavior.
At a high level, Bekker said that businesses can use their contracts
to define the steps they want partners to take when they are working
in the company's network.

For example, a customer organization could require that all of a
vendor's employees use multi-factor authentication, or that they
encrypt data using a specific form of encryption. In a separate
report, Pironti recommended including these five clauses in a
contract:

The right to audit a partner
Software maintenance and accountability from a vendor
Verification of compliance and regulatory requirements
Disclosure of open source software components
Flow down attestation

Proper security clauses will help "ensure there are both revenue and
business based incentives for them to effectively implement and
maintain appropriate security controls and capabilities," Pironti
wrote.

5. Audit your partners

Once the clauses are in place, it's critical that customers regularly
audit the partners they are doing business with. Bekker said that
there are companies that will do this for you, or your organization
can develop its own process.

In this process, questionnaires are often used to help the business
assess security and financial risks posed by vendors and partners.
Simple questions that can easily be scored with a "yes" or "no," or
along a five-point scale, are a great way to see how certain vendors
may stack up regarding your security needs.

As with overall metric collection, consistency is key in your audits.
During the partner audit process, take steps to compare recent scores
with those in the past to gauge the consistency of your vendor's
behavior.

However, bear in mind that your vendors and partners will have some
questions of their own, and they might have a specific way that they
plan on responding to your questionnaire. Before answering, vendors
will consider how your organization may use the data, how it may be
secured, and more, Pironti pointed out in a 2010 ISACA post. Make sure
that your policies are clear regarding these concerns, and work to
respect your vendors' needs as well.
