Cybersecurity and Third-Party Risk. Gregory C. Rasner
systems. Their SSO enables them to log in once and grants them access without re-entering their credentials. The different systems pass this credential permission between them silently and provide access to other systems and services without asking for the credentials again.
Multi-factor authentication (MFA), also referred to as two-factor authentication (2FA), requires more than one login step. (Note that two or more factors can be involved in this authentication.) There are four main factor types used for MFA:
1. Things you know, such as your password or PIN.
2. Things you have, such as an employee badge or security token (physical or soft).
3. Things you are, such as biometric identifiers like your fingerprints, retinas, or voice.
4. Where you are, meaning your location. Most systems check this in the background, so the end user may be unaware of it. This factor is used less often, but if you are based in the United States and someone attempts to use your login from South America, a system attuned to this difference would take appropriate action, such as prompting for additional verification or denying access.
MFA is an important security feature and should be pushed to all account types. At a minimum, MFA must be used for all privileged and elevated accounts. Privileged accounts are those with elevated access and permissions to do things that present a higher risk, such as system administrators, senior executives, and data owners. This important feature ensures that only the authorized user gains data access.
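The location check described above, and the rule that privileged accounts always complete MFA, can be expressed as a small risk-based login decision. The following is an added example written for this edition, not code from the book or from any product; the login history, the 30-day "known location" window, and the one-hour travel window are constructed, hypothetical values.

```python
from datetime import datetime, timedelta

# Constructed sample history of successful logins: (username, country, time).
# Illustrative records only, not data from any real system.
LOGIN_HISTORY = [
    ("alice", "US", datetime(2024, 5, 1, 9, 0)),
    ("alice", "US", datetime(2024, 5, 2, 9, 5)),
    ("alice", "US", datetime(2024, 5, 3, 8, 55)),
    ("bob", "DE", datetime(2024, 5, 1, 10, 0)),
    ("bob", "FR", datetime(2024, 5, 3, 10, 0)),
]

# Assumed policy thresholds (hypothetical values chosen for this example).
HISTORY_WINDOW = timedelta(days=30)  # how far back a location counts as "known"
TRAVEL_WINDOW = timedelta(hours=1)   # a new country this soon after a login is implausible


def known_countries(user, history, now):
    """Countries the user has logged in from within the history window."""
    return {c for u, c, t in history if u == user and now - t <= HISTORY_WINDOW}


def last_login(user, history):
    """Most recent successful login as (time, country), or None if unseen."""
    records = [(t, c) for u, c, t in history if u == user]
    return max(records) if records else None


def evaluate_login(user, country, privileged, history, now):
    """Decide how to treat a login attempt.

    Returns 'allow', 'step_up' (prompt for an additional factor before
    granting access) or 'deny'.
    """
    if privileged:
        # Privileged and elevated accounts always complete an additional factor.
        return "step_up"
    known = known_countries(user, history, now)
    if not known:
        # Nothing recent to compare against: verify rather than guess.
        return "step_up"
    if country in known:
        return "allow"
    last = last_login(user, history)
    if last and last[1] != country and now - last[0] <= TRAVEL_WINDOW:
        # A different country minutes after the last login cannot be the same traveller.
        return "deny"
    # Unfamiliar location but no contradiction: ask for another factor.
    return "step_up"


def run_demo():
    """Evaluate a handful of constructed attempts against the sample history."""
    now = datetime(2024, 5, 3, 9, 10)
    return {
        "alice_home": evaluate_login("alice", "US", False, LOGIN_HISTORY, now),
        "alice_abroad_15min": evaluate_login("alice", "BR", False, LOGIN_HISTORY, now),
        "bob_new_country_next_day": evaluate_login(
            "bob", "US", False, LOGIN_HISTORY, datetime(2024, 5, 4, 10, 0)),
        "carol_first_login": evaluate_login("carol", "US", False, LOGIN_HISTORY, now),
        "alice_privileged": evaluate_login("alice", "US", True, LOGIN_HISTORY, now),
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:28s} -> {decision}")
```

The design point is that an unfamiliar location is a reason to ask for another factor, not an automatic refusal; an outright deny is reserved for the case where the new location contradicts a login minutes earlier, and a privileged account never skips the additional factor regardless of location.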
Least privilege is a principle whereby a user has only the privileges (i.e., access) needed to complete the task or job at hand. For example, a database user who only needs to view data records should not have permission to perform deletions or to change other users' rights to the database. Least privilege is important for ensuring that the confidentiality, integrity, and availability of the data are maintained.
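Least privilege has two halves: enforcing that an account can only do what it was granted, and periodically reviewing grants against what the account actually uses so that unneeded rights are removed. The example below is added for this edition and is not the book's code; the account names, the grant table, and the audit-log format are all constructed for illustration.

```python
import re

# Constructed sample data, not from any real database.
# Permissions currently granted to each database account.
GRANTED = {
    "report_reader": {"SELECT"},
    "app_service": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
    "dba_jane": {"SELECT", "ALTER"},
}

# Constructed audit log lines in an assumed format:
# "<timestamp> user=<account> op=<operation> table=<name>"
AUDIT_LOG = """\
2024-05-01T09:00:01Z user=report_reader op=SELECT table=orders
2024-05-01T09:00:05Z user=app_service op=SELECT table=orders
2024-05-01T09:00:06Z user=app_service op=INSERT table=orders
2024-05-01T09:01:00Z user=app_service op=UPDATE table=orders
2024-05-01T09:02:00Z user=report_reader op=DELETE table=orders
2024-05-01T09:03:00Z user=dba_jane op=ALTER table=orders
2024-05-01T09:04:00Z user=dba_jane op=SELECT table=orders
"""

LINE_RE = re.compile(r"(\S+) user=(\S+) op=(\S+) table=(\S+)")


def parse_audit(text):
    """Turn audit lines into (timestamp, account, operation, table) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def authorize(account, operation, granted=GRANTED):
    """Enforcement side: an operation is allowed only if it was explicitly granted."""
    return operation in granted.get(account, set())


def review(granted, events):
    """Review side of least privilege.

    Returns (denied, unused):
      denied - events that asked for an operation the account does not hold
      unused - per account, granted operations never exercised in the log,
               i.e. candidates for removal
    """
    used = {account: set() for account in granted}
    denied = []
    for ts, account, op, table in events:
        if authorize(account, op, granted):
            used.setdefault(account, set()).add(op)
        else:
            denied.append((ts, account, op, table))
    unused = {account: ops - used.get(account, set()) for account, ops in granted.items()}
    return denied, {a: u for a, u in unused.items() if u}


if __name__ == "__main__":
    denied, unused = review(GRANTED, parse_audit(AUDIT_LOG))
    for event in denied:
        print("DENIED ", event)
    for account, ops in unused.items():
        print("UNUSED ", account, sorted(ops))
```

Run against the constructed log, the review flags the read-only account's attempted DELETE as a denied request, and reports that the application account holds DELETE and GRANT rights it never used in the window, which is exactly the kind of over-grant a third-party review should ask the vendor to remove.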
Patch management is an important component of security hygiene. It is the process of distributing and applying updates to software and hardware, and it is vital to fixing errors and vulnerabilities. Vendors must be clear about what their processes are and how they prioritize work as security vulnerabilities are identified, categorized (from high to lower priority), tested, and deployed into production.
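The prioritization step above is usually expressed as a remediation deadline per severity, adjusted for exposure, with anything past its deadline moved to the front of the queue. The following is an added example for this edition, not the book's or any vendor's process; the severity deadlines, the exposure escalation rule, the finding identifiers, and the dates are all assumed values constructed for illustration.

```python
from datetime import date, timedelta

# Assumed remediation deadlines in days by severity (hypothetical policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed findings, not real vulnerabilities:
# (placeholder id, severity, reachable from the internet?, date identified)
FINDINGS = [
    ("FINDING-1", "high", True, date(2024, 4, 1)),
    ("FINDING-2", "critical", False, date(2024, 4, 28)),
    ("FINDING-3", "medium", False, date(2024, 1, 31)),
    ("FINDING-4", "low", True, date(2024, 4, 20)),
]

# Assumed "today" so the demo is reproducible.
TODAY = date(2024, 5, 1)


def effective_severity(severity, internet_exposed):
    """Assumed escalation rule: a high finding reachable from the internet is treated as critical."""
    if severity == "high" and internet_exposed:
        return "critical"
    return severity


def due_date(finding):
    """Deadline = date identified + the SLA for the effective severity."""
    _, severity, exposed, found = finding
    return found + timedelta(days=SLA_DAYS[effective_severity(severity, exposed)])


def prioritize(findings, today):
    """Order findings as a patch queue: overdue first, then by severity, then by due date.

    Returns a list of (id, effective severity, due date, status).
    """
    rows = []
    for f in findings:
        fid, severity, exposed, _ = f
        sev = effective_severity(severity, exposed)
        due = due_date(f)
        status = "overdue" if due < today else "open"
        rows.append((fid, sev, due, status))
    rows.sort(key=lambda r: (r[3] != "overdue", RANK[r[1]], r[2]))
    return rows


def overdue_ids(findings, today):
    """Identifiers of findings that have missed their deadline, in queue order."""
    return [fid for fid, _, _, status in prioritize(findings, today) if status == "overdue"]


if __name__ == "__main__":
    for fid, sev, due, status in prioritize(FINDINGS, TODAY):
        print(f"{fid}  {sev:8s}  due {due}  {status}")
```

Two things the queue makes visible that a flat severity list does not: the exposed "high" finding jumps ahead of the fresh "critical" one because it is already past its (escalated) deadline, and an old "medium" finding that has quietly aged past 90 days is surfaced ahead of open items of higher severity.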
An Intrusion Detection System (IDS) is hardware or software that monitors network traffic and computer systems looking for anomalous behavior or known threats. The IDS alerts security personnel, which is why it is called a detection system: it takes no other action except to detect and alert. While there are several IDS types, which one your vendor uses is generally not an issue. The disadvantage of an IDS is that it merely alerts; if it detects suspicious network traffic, it does not stop that traffic but leaves it in place within the enterprise and notifies Security so it can be monitored. As a general rule of thumb, most companies do not buy an IDS as a standalone product but as part of a suite or bundled product.
An Intrusion Prevention System (IPS) is software or hardware that can both detect and prevent known threats. Depending on how its thresholds are configured, an IPS can also be set to alert only. These systems continue to evolve and have advanced considerably in recent years; network access control products and firewalls are now available with this feature.
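The difference between the two systems is in what happens after a rule fires, not in the rules themselves. The example below, added for this edition and not taken from the book or any IDS/IPS product, runs one signature rule (a known-bad pattern) and one anomaly rule (unusual behavior) over constructed flow records; in "ids" mode the result is alerts only, in "ips" mode the same engine also produces a block list. The internal address range, the scan threshold, and all addresses in the sample traffic are assumed values.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed internal address range for this example (hypothetical network).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Distinct destination ports from one source before we call it a scan (assumed threshold).
SCAN_THRESHOLD = 5

# Constructed flow records, not real traffic: "<time> <src>:<port> -> <dst>:<port>"
FLOWS = """\
10:00:01 10.0.0.5:51000 -> 10.0.0.20:443
10:00:02 10.0.0.5:51001 -> 10.0.0.20:22
10:00:03 198.51.100.7:4444 -> 10.0.0.21:3389
10:00:04 10.0.0.9:51002 -> 10.0.0.30:21
10:00:05 10.0.0.9:51003 -> 10.0.0.30:22
10:00:06 10.0.0.9:51004 -> 10.0.0.30:23
10:00:07 10.0.0.9:51005 -> 10.0.0.30:25
10:00:08 10.0.0.9:51006 -> 10.0.0.30:80
10:00:09 10.0.0.9:51007 -> 10.0.0.30:110
"""

FLOW_RE = re.compile(r"(\S+) (\S+):(\d+) -> (\S+):(\d+)")


def parse_flows(text):
    """Parse flow lines into (time, src, sport, dst, dport) with address objects."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            t, src, sport, dst, dport = m.groups()
            flows.append((t, ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport)))
    return flows


def signature_rule(flow):
    """Known-threat rule: remote desktop (3389) reached from outside the internal range."""
    _, src, _, dst, dport = flow
    if dport == 3389 and src not in INTERNAL_NET and dst in INTERNAL_NET:
        return "external-rdp"
    return None


def anomaly_rule(flows):
    """Anomalous-behavior rule: one source touching many distinct destination ports."""
    seen = defaultdict(set)
    for _, src, _, dst, dport in flows:
        seen[src].add((dst, dport))
    return {src for src, targets in seen.items() if len(targets) >= SCAN_THRESHOLD}


def analyze(text, mode="ids"):
    """Run both rules over the flows.

    Returns (alerts, blocked). An IDS only alerts, so `blocked` is empty;
    an IPS additionally blocks every source that raised an alert.
    """
    flows = parse_flows(text)
    alerts = []
    for f in flows:
        hit = signature_rule(f)
        if hit:
            alerts.append((hit, str(f[1])))
    for src in sorted(anomaly_rule(flows), key=str):
        alerts.append(("port-scan", str(src)))
    blocked = {src for _, src in alerts} if mode == "ips" else set()
    return alerts, blocked


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, blocked = analyze(FLOWS, mode)
        print(mode.upper(), "alerts:", alerts, "blocked:", sorted(blocked))
```

The point for a third-party reviewer is that both systems see the same traffic; the question to ask a vendor is who receives the IDS alerts and how quickly, or, for an IPS, how the block thresholds are tuned so that a false positive does not cut off legitimate traffic.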
Firewalls inspect network traffic and block or allow it based on rules. Available as hardware and software, these devices have evolved considerably since their early days and can now read and inspect encrypted traffic. These Next-Generation Firewalls (NGFWs) can look deep into the data within the network traffic as it passes, and can take action to stop anything that meets their malicious criteria.
An IP address is a string of numbers that identifies a unique computer or network. These unique numbers allow communications within private networks or over the internet. Think of an IP address as the address on a mailed letter: as a message (or any other traffic) is passed along the network, the destination IP address indicates where it must go to reach the intended recipient. An IP address is written as four groups of up to three digits, such as 192.168.1.1 or 10.102.201.32, which allows billions of combinations.
Ports are physical or logical openings that allow connectivity for a specific program or application. A physical port is, for example, the socket where you plug in a mouse or a USB stick. On the logical side, an example is normal internet browsing, which occurs over port 80; if you are connecting to a secure site, such as your bank, you connect over port 443. Ports exist so that each side of the connection knows exactly which port to use when communicating. Just as the IP address gets the traffic to the intended computer or network, the port specifies which "room" to go to for the conversation.
A domain name server (DNS) belongs to a system of computers that translate human-friendly names (www.rasner.com) into IP addresses, because IP addresses can change and virtually no one wants to memorize one. Whenever a user types in a website address, a DNS server translates it into the correct IP address so that the target resource (i.e., a website, database server, printer, etc.) is found.
Network access control is a method used to restrict access to network resources by ensuring that devices (i.e., laptops, mobile devices, computers, servers, printers, etc.) comply with security policies. It is also known by its protocol name of 802.1x, and is viewed as an essential tool for limiting network access to those devices that meet security criteria and are allowed to connect to a network.
Out-of-band communications refers to devices that are not the primary connectivity device. For example, many vendors use a router or VPN concentrator as the hardware device that connects to a customer's network. Some will also want to place a modem or an alternate device for connecting to that network if the router is offline. These devices can be problematic because they are usually not connected to any monitoring or logging system; hence, they can be used as a backdoor by hackers.
A shared responsibility model for cloud security is adhered to by Cloud Service Providers (CSPs) and refers to how different solutions shift responsibility between the CSP and the customer. In a traditional data center owned by a company, that company is responsible for its technology's delivery. When deploying to the cloud, the customer's share of the responsibility depends on the service model: Infrastructure as a Service (IaaS) requires the customer to perform more of the security and maintenance than Platform as a Service (PaaS).
Personally Identifiable Information (PII) is data that, used alone or with other data, enables a viewer to identify an individual. Thousands of combinations of data elements can constitute PII, but it typically includes name, Social Security number, financial information, driver's license number, physical address, phone number, and more.
Personal Health Information (PHI) is PII that pertains to an individual's medical information, such as smoking status, illnesses, medications, and other highly confidential medical data. PHI is considered more sensitive than PII and, as such, requires more security.
Data classification is the analysis and organization of data into categories based on its sensitivity to the organization doing the classifying. Most companies use three or four classes of data, but there should be only one category labeled public and one labeled private or sensitive.
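The three definitions above (PII, PHI, and a classification scheme with one public class and one most-sensitive class) fit together as a simple classifier: detect PII elements, raise the level further when they appear in a medical context, and never let unlabelled data default to public. This is an added example for this edition, not the book's code or any classification product; the four-level scheme, the patterns (simplified, US-style formats), the medical term list, and the sample records with their fictitious values are all constructed.

```python
import re

# Assumed four-class scheme, ordered from least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Patterns for common PII elements (simplified, US-centric formats).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Terms that, combined with PII, indicate PHI (assumed list).
MEDICAL_TERMS = {"diagnosis", "medication", "prescription", "smoker", "illness"}


def classify(record):
    """Assign a classification level and the reasons for it.

    Assumed policy: PII plus medical context is PHI -> restricted;
    any PII -> confidential; a document explicitly marked public -> public;
    anything else defaults to internal, so unlabelled data is never exposed.
    """
    reasons = [name for name, pattern in PII_PATTERNS.items() if pattern.search(record)]
    words = set(re.findall(r"[a-z]+", record.lower()))
    medical = sorted(words & MEDICAL_TERMS)
    if reasons and medical:
        return "restricted", reasons + [f"medical:{m}" for m in medical]
    if reasons:
        return "confidential", reasons
    if "[public]" in record.lower():
        return "public", ["marked public"]
    return "internal", ["default"]


def most_sensitive(records):
    """A data set inherits the classification of its most sensitive record."""
    levels = [classify(r)[0] for r in records]
    return max(levels, key=LEVELS.index)


# Constructed sample records (fictitious values, not real people).
SAMPLE_RECORDS = [
    "[PUBLIC] Press release: quarterly results will be announced on 1 June.",
    "Vendor onboarding checklist, revision 3.",
    "Customer Jane Doe, phone 555-123-4567, email jane.doe@example.com",
    "Patient Jane Doe, SSN 123-45-6789, diagnosis: hypertension, medication: lisinopril",
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        level, reasons = classify(record)
        print(f"{level:12s} {reasons}  <- {record[:50]}")
    print("data set:", most_sensitive(SAMPLE_RECORDS))
```

Note the two deliberate choices: the absence of any marker puts a record in the internal class rather than public, and a data set shared with a vendor is classified by its most sensitive record, so one PHI row is enough to make the whole transfer restricted.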
For the purposes of this book and how cybersecurity third‐party risk approaches this topic, the cloud is defined as any location not inside your own data center, server closet, or laptop hard drive (if you are a small‐business owner). The cloud could be located in a CSP, such as AWS, Google, or Azure, at a co‐location facility provider, or at a data center managed by the vendor directly.
An Advanced Persistent Threat (APT) is considered a more sophisticated threat actor because the hackers use continuous, clandestine, and advanced techniques to gain