Are you ready for what's next? The 2022 TPRM Preparedness Toolkit will take your program to the next level!

Third-Party Cyber Risks: Some Are Worse than Others

Be sure to prioritize these top cybersecurity issues in your vendor and supplier risk assessments.
By:
Dave Shackleford
,
Owner & Principal Consultant, Voodoo Security
October 19, 2021
Share:
Blog third party cyber risks 1021

These days, vendor data breaches, PII/PHI exposures, and supply chain disruptions are constantly in the news, so it’s no wonder that risk and security teams are paying closer attention to third parties than ever before. However, taking on responsibility for evaluating third-party risk can be daunting for teams that are already overtaxed with handling internal security policies, controls, infrastructure, and training.

But let’s face it – third-party relationships are here to stay, and third-party ecosystems are expanding rapidly for most organizations. NOT focusing on these risks isn’t really an option, so what’s the answer? While I can’t prescribe a panacea for TPRM in a single blog post, I can share a strategy for prioritizing third-party cyber risks based on my experience working with clients.

Credential Exposures

Right at the top of the list is the theft of credentials, which are often exposed and posted for sale on the dark web. You need to focus on not only those credentials entrusted to third-party providers for direct access to your systems, but also on those credentials third parties use to access your organization’s data – including customer or patient data – regardless of where that data is housed.

With the proliferation of cloud storage like AWS S3 buckets, credentials and other sensitive data are now potentially exposed in more places than most people realize. For instance, the 2017 exposure of U.S. Department of Defense credentials by Booz Allen Hamilton is a just one striking example of credentials being ill-protected in a cloud service environment.

Data Breaches and Confirmed Incidents

Another area that requires significant attention includes security incidents, validated attacks, and data breaches affecting your third parties. How do you find out about them and take action before they impact your organization? The perfect example of this is with the SolarWinds breach, where the software supply chain was wholly compromised before the software was distributed to unsuspecting customers.

Make sure your organization is conducting cyber risk monitoring for “chatter” about incidents and breaches involving your third parties on the dark web or other forums, particularly when sensitive data has already been accessed by attackers and is available or imminently available for sale.

The 5 Most Important Third-Party Cyber Risks To Track - And Why

Join Dave Shackleford, founder of Voodoo Security, for an on-demand webinar where he highlights a process that organizations should use to prioritize third-party risks

Watch Now
Webinar top5cyberrisks 1013

Web Application Misconfiguration and Vulnerabilities

Another major category of cyber risk includes misconfigurations or vulnerabilities in third-party web or application infrastructure. While evaluating third-party vulnerability management programs can be a hefty undertaking, it’s nonetheless critical to conduct assessments of key vendors’ patching, configuration management, and vulnerability scanning practices. It’s also helpful to determine whether critical third parties are actively looking for evidence of command and control or data exfiltration.

Typosquatting and Other Brand Threats

Finally, there are those cyber threats that pose direct threats to your brand reputation. Consumers and regulators increasingly judge organizations by the company they keep – so any incidents affecting a vendor in your supply chain may cast negative light on your organization. Take typosquatting, for example, where an attacker registers domain names that are similar to legitimate websites and uses them to host fraudulent and/or malicious content with false brand associations.

Next Steps for Monitoring Third-Party Cybersecurity Risks

It's clear that we need to focus more on third-party cyber risk, but one of the most common questions is, “Where do we start?” The issues outlined here are great starting points in developing a third-party risk monitoring and assessment program, but they still only scratch the surface. For a closer look, watch my on-demand webinar, The 5 Most Important Third-Party Cyber Risks to Track – and Why.

Tags:
Dave Shackleford
Dave Shackleford
Owner & Principal Consultant, Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and faculty at IANS Research. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. Dave is a SANS Analyst, serves on the Board of Directors at the SANS Technology Institute, and helps lead the Atlanta chapter of the Cloud Security Alliance.
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo