Cybersecurity and Third-Party Risk. Gregory C. Rasner
investment that CISOs and cybersecurity professionals have made in the last 20 years has proven effective in many ways. Most companies and governments that know they will be a target (due to size, money, power) have beefed up their own cybersecurity. But behind these medium and large organizations are thousands or millions of smaller companies that are focused on selling, not on securing their data. Cybersecurity can lean into this area more forcefully, trying and implementing capabilities learned from other cyber domains and from leadership. The need is to take Cybersecurity Third‐Party Risk from a compliance‐driven effort to an active approach that is always learning and always searching for risk, in order to lower the risk coming from vendors.
Chapter 2 Cybersecurity Basics
While this book does not require the reader to be either a risk expert or cybersecurity expert, given there will be terminology and process discussions on some cybersecurity topics, some time spent on the terminology and the subject matter is warranted.
Cybersecurity has three main pillars: Confidentiality, Integrity and Availability (CIA):
Confidentiality: Prescribes that only authorized users and systems should be able to access or modify data.
Integrity: Data should be maintained in a correct state and cannot be improperly modified.
Availability: Authorized users should be able to access data when needed.
This is called the CIA Triad as shown in Figure 2.1.
FIGURE 2.1 The CIA Triad
These pillars are designed to break down the complexities of cybersecurity to determine how to best make decisions. For example:
Does the vendor store our data in ways that make it more secure?
Will this product ensure the integrity of our data in the cloud?
Can the vendor ensure that the data will be available when required to those who need it?
Because this book is mainly focused on third parties, references will be aligned with that focus in mind. It is not about what security your organization is performing, but what is going on at the third party, both with the specific services they provide and also how they secure their own enterprise. We include several examples of how a vendor's connection is used to target a company, and how their company‐wide cyber controls directly impact the ability to protect a company's data and any connection to your network (both intermittent and persistent).
Cybersecurity Basics for Third‐Party Risk
Some terminology and a few foundational cybersecurity principles are required for a discussion of vendor risk management. Many of these concepts and components of cybersecurity are reviewed throughout this book. The reader isn't expected to be a cybersecurity expert; however, it's easier to grasp risk, priority, and actions with a basic understanding of them. Keep the following terms, explained here in simplified form, in mind.
Encryption is the process of taking plaintext, like a text message or email, and scrambling it into an unreadable format called ciphertext. Encryption helps protect the confidentiality of data, whether stored on computer systems or transmitted over a network like the internet, and it is at the core of most discussions about securing data. There are subcategories in this area, such as symmetric and asymmetric encryption, but for this book the discussions revolve mostly around the level (key length) of encryption. The Advanced Encryption Standard (AES) is the type of encryption most often used by the U.S. government, among others, and most organizations typically use AES‐128 or AES‐256 for their enterprise. The trade‐off of a higher encryption level is speed: the higher the number, the more processing power encryption and decryption take, but also the harder the key is to guess, so a higher number means stronger protection.
Another area of encryption to focus on is the three states of data. Data exists in three states: at‐rest, in‐motion, and in‐use. At‐rest is as it sounds, meaning data sitting in a database or file. In‐motion refers to data traveling over a network or the internet. When a process is using the data, as in the CPU or memory, it is considered to be in‐use. In all three states, it is important to have the data encrypted. As you engage vendors on how they protect the data, ensure that your discussion covers all three states.
In recent years, a new mantra has been born: “Identity is the new perimeter.” This statement refers to how millions of people, especially after the rush to remote work during the COVID‐19 pandemic, now connect to work and school from somewhere else. Their identities, which connect users to organizations, work, or school, and the way that access is managed (known as access management) are very important when protecting the enterprise (and the data that resides internally at the vendor). This requires entities to focus on several areas for third‐party risk.
First, we cover the access process, which includes three steps: identity, authorization, and access. In the identity step, a user types in their name and password and the system confirms who they are. Next, the authorization step determines what access the user has, meaning what that user is permitted to see and do. Lastly, the matching level of access is provided. Once these three steps are completed, the user can reach the data and resources they are authorized to view.
The most common type of access in corporate environments, role‐based access control (RBAC), uses predefined job roles, each with a specific set of access privileges. The difference between two roles illustrates how this works. A human resources (HR) manager will likely have access to payroll and personnel files. However, if they try to log in to a finance server, it will not permit them to connect, because they do not hold a role in the finance department. If the HR manager requires entry into that server, they must submit a business reason to the access management team for needing access to it.
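The identity, authorization and access steps above, together with the HR‐manager scenario, as an added example that is not from the book. Everything in it is constructed: the users, roles and resources are invented, and the PBKDF2 password store stands in for the identity provider a real organization would use.

```python
# Added illustration (not the book's code): a toy identity -> authorization -> access flow with RBAC.
import hashlib, hmac, os

ROLE_PERMISSIONS = {  # constructed policy: role -> resource -> allowed actions
    "hr_manager": {"payroll": {"read", "write"}, "personnel_files": {"read", "write"}},
    "finance_analyst": {"finance_server": {"read"}},
}

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessManager:
    def __init__(self):
        self.users = {}   # name -> {"salt", "pw_hash", "roles", "pending"}
        self.audit = []   # every decision is recorded for later review

    def enrol(self, name, password, roles):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                            "roles": set(roles), "pending": []}

    def identify(self, name, password):
        """Step 1: confirm who the user is (username + password here)."""
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
            self.audit.append(("identity_failed", name))
            return None
        return user

    def authorize(self, user, resource, action):
        """Step 2: does any of the user's roles permit this action on this resource?"""
        return any(action in ROLE_PERMISSIONS.get(r, {}).get(resource, ())
                   for r in user["roles"])

    def access(self, name, password, resource, action):
        """Step 3: grant or deny, logging the decision either way."""
        user = self.identify(name, password)
        decision = "granted" if user and self.authorize(user, resource, action) else "denied"
        self.audit.append((decision, name, resource, action))
        return decision

    def request_role(self, name, role, business_reason):
        self.users[name]["pending"].append((role, business_reason))  # justified request, no change yet

    def approve(self, name, role):
        """Access management grants the role only when a matching request is on file."""
        user = self.users[name]
        if not any(r == role for r, _ in user["pending"]):
            return False
        user["pending"] = [p for p in user["pending"] if p[0] != role]
        user["roles"].add(role)
        return True
```

The audit list is what a reviewer would pull when checking whether a vendor's access decisions match its stated policy.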
Exposed Credentials
The ongoing explosion of exposed credentials makes understanding and prioritizing risk difficult. In 2020, Digital Shadows published a study with some illustrative statistics:
Over 15 billion credentials have been exposed and are for sale on the internet.
The number of credentials for sale has increased by 300 percent since 2018.
Normal consumer accounts are sold for an average of $15/account.
Financial accounts are valued at $70/account.
Domain administrator accounts are sold for a premium of $3,149/account.
The differences in price and the sheer number of accounts are part of the problem. As the study states, there are more accounts for sale than people on Earth. The vast majority of accounts for sale are normal user accounts; however, so many of them are for sale that defending against them is difficult. Multi‐factor authentication (MFA) and similar services are the best defense for this type of standard user account. MFA is explained in more detail later.
Administrator or elevated account access is where the money and the risk are at their highest. The challenge there is determining, from what is offered on the Dark Web, which are valid privileged accounts and which are actually standard user accounts. Again, MFA and privileged access management (PAM) systems are the best defense.
Single Sign‐On (SSO) is a mechanism that limits the number of times a user has to submit their identity for access verification. In most larger organizations, users are required