- Security TWENTY
- Women in Security
The nature of the connected world means that more and more companies are able to outsource some of their responsibilities to a third-party supplier. As they are often able to undercut the cost of a full-time employee, they make an attractive proposition in the enterprise space. Whether that be a shipping business, a recruitment agency or an IT supplier, organisations rely on the support of partners. But, by placing so much trust in a third party are you opening yourself up to cyber-threats and data breaches that you could have prepared for? asks Csaba Krasznay, Security Evangelist at Balabit, a Privileged Access Management (PAM) and Log Management product company.
Third parties can easily be forgotten when planning security procedures. However, they are often granted access to much, or all, of their employer’s critical systems and sensitive data. For example, recruiters will hold employee data covering; job titles, names, addresses and even salaries. Thousands of files containing the private info of US military personnel were exposed online just a few weeks ago when a recruiter insecurely held the data. Whilst internally data and security can often be accounted for, there’s simply no telling what a third party may do.
High profile targets
A common issue with third parties is that administrative accounts are shared among employees. Not only does this makes it impossible to track who did what in your system, it also makes it difficult to track just who has the password. With shared accounts, passwords tend to be passed around the team and if a team member does leave the business it’s unlikely to be changed. The password is out in the wild. Due to this, the privileged accounts used by third party contractors have become a popular target for criminals. In fact, these external privileged accounts have been used in some of the most notable data breaches of the last few years, including the Time Warner breach just last week. A recent survey highlighted that as many as 63pc of breaches could be traced back to third party vendors.
Whilst most employees can be trusted, there are always those that might find a reason to abuse that trust, external administrators are no exception. Your organisation’s data has a very real monetary value and without visible sight, it’s easy for external contractors to take advantage. Alternatively, some employee activity is an honest mistake rather than malicious. The simple fact is humans can, and do, make errors. An inexperienced administrator could make a configuration mistake that can end in service outages or lost data. With a third party, you can never be 100pc certain of the experience of the people accessing your system. To make this worse, often malicious or unintentional damage is concealed by deleting log files.
A strong response
Preventing these threats takes a structured approach, but with the right processes in place, the risk can be minimised. In particular, access management policy should be carefully considered. Granular policies for contracted administrators, including restrictions based on attributes such as time periods or groups will help to stem illicit activity. Legal regulation and standards should be taken into consideration for policies, be sure to treat those users with privileged access separately, as more risk centres on them. Administrator, system and root access should be strictly controlled as they are not needed for daily operations. In fact, third party privileged users should only be given the access they need to undertake their jobs. Even system administrators should only have access to systems that are absolutely necessary for operational reasons.
In order to properly track each user, ensure that named user accounts are used. This encourages personal accountability but also avoids the risks associated with shared accounts. Any shared accounts that remain should be assessed to investigate a solution that might mitigate the associated risk. If a shared privileged account must be used, take actions to protect the password and implement a password vault. This will allow users access to the target server, without them actually having access to the credentials. With named user accounts in place a central user monitoring solution can be implemented. Privileged Access Management tools can provide detailed, traceable records of user activity. Advanced solutions can operate host-independently and transparently, meaning there’s no interference with day to day business operations.
Despite all this, some privileged users may still have access to functions and data that are of high importance to the organisation but do require occasional access. To combat this threat some session management systems, feature real-time alerts. These can prevent the execution of unwanted commands, something that is of far more value than retrospectively examining logs. Any rule based security can easily miss unknown attack vectors. To combat this, some session management tools use machine learning to detect the misuse of privileged accounts. With machine learning driven analytics tools, user behaviour can be analysed automatically, and anything out of the ordinary can be flagged.
As third-party contractors continue to become a default choice for organisations, these strategies will become ever more important. Contractors benefit too, recorded audit trails are evidence of all activity, including the fulfilment of SLAs and billable activities. With the right monitoring technologies implemented your organisation can greatly mitigate the risk that insider threats and third-party suppliers present, whilst simultaneously your supplier is proving their value.