Avoiding Third-Party Access Pitfalls That Cause Security Risks

By Darryl K. Taft  |  Posted 2016-01-29
    1 - Avoiding Third-Party Access Pitfalls That Cause Security Risks

    Here are several common third-party access mistakes organizations should avoid and alternative practices they should implement to shore up IT security.
    2 - Pitfall: Believing They Do What They Say They Do

    Vendors need access to critical systems in the normal course of business, but that doesn't mean they need access to all of the information in the systems. In a health care setting, for instance, a vendor may need to access an electronic health records system to provide important software updates, but they don't need to access individual health records. The same can be said for financial and operational systems that house vital and valuable insider information. Trusting that vendors and contractors don't have either curious or malicious insiders is a pitfall that has resulted in data breaches time and time again.
    3 - Pitfall Alternative: Monitor Vendor Actions

    Monitor and chaperone vendor actions in real time, or review recordings after the fact to support root-cause analysis or to verify that the job was done right. Recording and monitoring all privileged access activity provides transparency and visibility, and becomes essential evidence in an IT security audit following a compromise. Being unable to trace backward through remote access sessions and user log-ins can be crippling for an organization that needs to close security gaps or meet compliance regulations. Because public- and private-sector organizations are constantly being probed for weaknesses, technology that captures and records this information is essential.
    4 - Pitfall: Vendors Don't Operate in a Vacuum

    Organizations often assume their vendors and other third parties operate in a vacuum and fail to assess the security risk those parties bring with them. Vendors' often weak security practices make them a prime target: by taking advantage of a vendor's access to an organization's network, attackers can get in, plant malware, snoop around critical business systems and wreak havoc.
    5 - Pitfall Alternative: Record Vendor Actions

    Audit and log all vendor actions. This matters not just for compliance but also because the activity can be fed to other security monitoring or behavioral analysis systems for dashboarding and correlation against other events, giving a holistic security view. Spotting suspicious activity early, such as access to unusual systems or access during odd hours, limits the reach and potential damage of a data breach.
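Spotting "access to unusual systems or during odd hours" is a rule that can be run over the recorded access log itself, which is what the two slides on monitoring and recording vendor actions are asking for. The following is an added example, not code from the article or from Bomgar: the log format, vendor accounts, hostnames and maintenance windows are constructed for the example. It flags every session start that touches a system outside the vendor's approved set, falls outside the vendor's maintenance window, or comes from an account that has no approved scope at all.

```python
"""Flag suspicious vendor session starts in a privileged-access log.

Added example; not code from the article or from Bomgar. The log format,
vendor accounts, hostnames and maintenance windows are constructed for
the example.
"""
from datetime import datetime, time

# Approved scope per vendor account (constructed): the systems it may
# reach and its maintenance window as [start, end) in local time.
VENDOR_SCOPE = {
    "vendor-ehr-support": {
        "systems": {"ehr-app-01", "ehr-app-02"},
        "window": (time(8, 0), time(18, 0)),
    },
    "vendor-hvac": {
        "systems": {"bms-controller"},
        "window": (time(7, 0), time(19, 0)),
    },
}

# Constructed sample log: ISO timestamp, account, target host, event.
SAMPLE_LOG = """\
2016-01-28T09:12:44 vendor-ehr-support ehr-app-01 session_start
2016-01-28T09:40:10 vendor-ehr-support ehr-app-01 session_end
2016-01-28T23:05:02 vendor-ehr-support ehr-app-02 session_start
2016-01-28T23:31:47 vendor-ehr-support ehr-app-02 session_end
2016-01-29T10:02:15 vendor-hvac bms-controller session_start
2016-01-29T10:09:58 vendor-hvac fin-db-01 session_start
2016-01-29T11:00:00 contractor-unknown ehr-app-01 session_start
"""


def parse_line(line):
    """Split one log line into (timestamp, account, host, event)."""
    ts, account, host, event = line.split()
    return datetime.fromisoformat(ts), account, host, event


def in_window(t, window):
    """True if clock time t falls inside the [start, end) window."""
    start, end = window
    return start <= t < end


def flag_session_starts(log_text, scope=VENDOR_SCOPE):
    """Return (timestamp, account, host, reason) for every session start
    that breaks the vendor's approved scope or window. Session ends are
    not judged: the start is where the policy decision belongs."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, host, event = parse_line(line)
        if event != "session_start":
            continue
        policy = scope.get(account)
        if policy is None:
            findings.append((ts, account, host, "account has no approved scope"))
            continue
        if host not in policy["systems"]:
            findings.append((ts, account, host, "system outside approved scope"))
        if not in_window(ts.time(), policy["window"]):
            findings.append((ts, account, host, "session outside maintenance window"))
    return findings


if __name__ == "__main__":
    for ts, account, host, reason in flag_session_starts(SAMPLE_LOG):
        print(f"{ts.isoformat()} {account} -> {host}: {reason}")
```

Run against the constructed log it reports three findings: the EHR vendor's 23:05 session (outside the window), the HVAC vendor reaching fin-db-01 (outside its approved systems), and an account with no scope at all. A session that is in scope and in window is silent, which is the point: the rule is cheap enough to run on every recorded session rather than only during an audit.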
    6 - Pitfall: Vendors Have All the Fun (in Your Network)

    Offering carte blanche access to your network is a recipe for a substantial data breach. Many employees, vendors and other privileged users need access only to a limited set of specific systems, while some privileged users, such as IT administrators, require broader access. Granular access controls prevent an attacker who gets in through a vendor from moving beyond that vendor's scope and causing substantial damage. The inability to limit permissions for vendors and other third parties is one of the reasons the average time to detect a data breach has reached 243 days.
    7 - Pitfall Alternative: Set Time Limits

    Limit the time third parties have access to the systems that require work, and kick them out of those systems when the time limit is up. Let them ask for more time if they need it. If a vendor's credentials are compromised, the attacker's session ends when the time limit does. The time limit bounds the window of access, not what was done inside it, which is why it belongs alongside session recording rather than in place of it.
    8 - Pitfall: Vendors Like to Ask for Forgiveness

    We've all heard (and probably acted on) the adage, "It's easier to ask forgiveness than it is to get permission." Vendors and other third parties are no different. Without maintaining tighter controls over who is accessing what and when in the network, organizations open themselves up to data breaches. Allowing vendors to connect to much more of the network than needed without explicit permission also opens the doors for hackers to access those same systems.
    9 - Pitfall Alternative: Vendors Should Ask for Permission

    Make vendors ask for permission by putting dual controls and approval workflows in front of critical systems. Why do they need access? Require them to say so in each ad hoc request, and decide whether to grant it before they get in. Alerting approvers to ad hoc access requests also lets urgent issues be addressed without sacrificing security.
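The three alternatives above (granular per-system access, time limits with a request for more time, and permission gated by dual control) fit together as one grant lifecycle. The following is an added example, not code from the article or from any vendor product: a request names the system and the reason, two distinct approvers must sign off before a session is allowed, the grant expires at a fixed time, and an extension is itself a new request that starts unapproved. The account names, system names and the two-approver quorum are assumptions made for the example.

```python
"""Approval-gated, time-boxed vendor access grants.

Added example; not the article's or any vendor product's code. Account
names, systems and the two-approver rule are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

REQUIRED_APPROVALS = 2  # dual control: two different people must approve


@dataclass
class AccessRequest:
    requester: str
    system: str
    justification: str
    duration: timedelta
    approvers: Set[str] = field(default_factory=set)
    granted_until: Optional[datetime] = None

    def approve(self, approver, now):
        """Record an approval; the clock starts when the quorum is reached.
        Returns True once the request is granted."""
        if approver == self.requester:
            raise PermissionError("requester may not approve their own request")
        self.approvers.add(approver)  # the same approver counts only once
        if self.granted_until is None and len(self.approvers) >= REQUIRED_APPROVALS:
            self.granted_until = now + self.duration
        return self.granted_until is not None


def session_allowed(request, system, now):
    """Connection-time check: granted, right system, and not yet expired.
    Evaluate this on every connection so expiry cuts off a live session."""
    return (
        request.granted_until is not None
        and system == request.system
        and now < request.granted_until
    )


def request_extension(request, extra):
    """More time is a fresh request that must be approved again; the
    original grant keeps its expiry."""
    if request.granted_until is None:
        raise ValueError("nothing to extend: request was never granted")
    return AccessRequest(
        request.requester, request.system,
        f"extension of: {request.justification}", extra,
    )


def self_approval_rejected():
    """True if a requester approving their own request is refused."""
    req = AccessRequest("vendor-hvac", "bms-controller",
                        "controller firmware update", timedelta(hours=1))
    try:
        req.approve("vendor-hvac", datetime(2016, 1, 29, 9, 0))
    except PermissionError:
        return True
    return False


def run_scenario():
    """Walk one request through its lifecycle; returns each check's result."""
    t0 = datetime(2016, 1, 29, 9, 0)
    req = AccessRequest("vendor-ehr-support", "ehr-app-01",
                        "apply vendor patch to EHR app tier", timedelta(hours=2))
    results = {}
    results["before_approval"] = session_allowed(req, "ehr-app-01", t0)
    req.approve("it-ops-lead", t0)
    req.approve("it-ops-lead", t0)  # a repeated approval is not a second approver
    results["one_approver"] = session_allowed(req, "ehr-app-01", t0)
    req.approve("security-oncall", t0)
    results["two_approvers"] = session_allowed(req, "ehr-app-01", t0 + timedelta(minutes=30))
    results["wrong_system"] = session_allowed(req, "fin-db-01", t0 + timedelta(minutes=30))
    results["after_expiry"] = session_allowed(req, "ehr-app-01", t0 + timedelta(hours=2, minutes=1))
    ext = request_extension(req, timedelta(hours=1))
    results["extension_before_approval"] = session_allowed(ext, "ehr-app-01", t0 + timedelta(hours=2))
    return results


if __name__ == "__main__":
    for check, allowed in run_scenario().items():
        print(f"{check:>26}: {'allowed' if allowed else 'denied'}")
```

Only the "two_approvers" check is allowed; the session is denied before the quorum, against a system the request did not name, after the two-hour grant lapses, and on the extension until it is approved in its own right. Whatever product enforces this, the check in session_allowed has to run at connection time, not once at log-in, or the time limit on the slide above does nothing to a session that is already open.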

What do many recent mega-breaches have in common? In most, hackers gained access to IT systems through a trusted third-party account, such as a vendor's. A new Gartner report on remote privileged access for third parties finds that nearly 75 percent of enterprises are significantly exposed to a cyber-attack because of unsafe privileged access processes. Two of 2015's mega-breaches, at health insurer BCBS Excellus and at the U.S. Office of Personnel Management, show that the damage from these events can be long-lasting. But what can be done? Building a virtual fortress around IT systems and networks is unlikely to offer an organization greater protection; in fact, such a response can cause further harm by preventing data, systems and people from functioning productively. Implementing granular access controls tailored to each privileged user, rather than giving everyone all-or-nothing VPN access, lets users remain productive while reducing the potential impact of compromised credentials. This slide show, based on eWEEK reporting, including information provided by remote support software provider Bomgar, lists several common third-party access mistakes that organizations should avoid and alternative practices organizations should implement to shore up IT security.