As organizations continue to rely on third-party technologies, third-party breaches have become common. One of the key ways to prevent third-party vendor breaches is to monitor your attack surface continuously.
What Is a Third-Party Breach?
As the name suggests, third-party data breaches are security violations caused by third-party contractors, vendors, and other businesses affiliated with an organization.
In attacks like this, while the compromise comes from a third party’s computer system or processes, it’s the sensitive data from your organization that is exposed.
As a result, your organization can suffer guilt — and damage — just by association with a third-party breach. The maxim of being as strong as your weakest link couldn’t be more accurate regarding third-party violations.
This is because all it takes is just one application, device, firmware, or software component from a third party to get compromised for an attacker to get a foothold in your enterprise supply or value chain.
What Kind of Attacks or Vulnerabilities Can Come From Third Parties?
A third-party breach, oftentimes through a vulnerability in vendor software, can create a backdoor for hackers to access the host system.
These underlying vulnerabilities are no different from general cybersecurity threats that can arise from cloud misconfiguration, the principle of least privilege not being implemented, poor coding practices, poor antivirus defenses, etc.
These are just a few of the cybersecurity attacks that can result from third-party risks:
- Spear phishing
- Intellectual property theft
- Unauthorized network intrusion
- Data exfiltration
- Advanced persistent threats (APT)
- Login credential theft
- Ransomware attacks
- Malware and virus propagation
Third-party breaches can create procurement and value-chain risks as well as lead to a supply-chain attack.
What Is a Supply Chain Attack?
A supply chain is a distributed system that provides the materials, resources, expertise, and technologies — typically through an array of vendor companies — required to create a product.
Supply chains are necessary because no business is 100% self-sufficient. This is especially the case with software products and the constantly evolving complexity of modern software infrastructure. Many software developers typically use open-source components, including resources from third parties, which can open an organization to risk.
A supply chain attack undermines an organization by targeting the vulnerabilities in poorly secured supply chain elements. As a result, hackers launch supply chain attacks by weaponizing the weaknesses in third-party vendor components to infiltrate a company.
Simply being part of a supply chain can increase your attack surface, something that can unfortunately make it challenging to detect and prevent attacks involving them.
As an example, in cybersecurity circles, although SolarWinds is a US information technology firm, it is now associated with something more pernicious. The SolarWinds hack, in which hackers infiltrated a backdoor in SolarWinds software and launched a malware attack, is already regarded as one of the most significant cybersecurity breaches of the 21st century.
Attackers did this by compromising “Orion,” a widely used SolarWinds application. This consequently meant any company that used SolarWinds was automatically at risk. It’s estimated that about 18,000 SolarWinds customers were eventually exposed to the breach.
The hack highlighted how devastating a supply chain attack can be now that global supply chains have become more complicated than ever.
Supply Chain Regulations
Supply chain attacks can disrupt and hinder businesses. In the aftermath of the SolarWinds cyber attack, policymakers have stepped up to provide more oversight. As a result, legislation and regulations have been crafted to provide adequate supply chain management.
On February 24th, 2021, the Biden Administration issued an Executive Order to make America’s supply chains more secure and resilient. It tasked the heads of appropriate agencies to assess vulnerabilities and issue reports on critical supply chains for the US economy’s vital industrial sectors and subsectors.
On the first anniversary of the executive order, on February 24th, 2022, the White House issued The Biden-Harris Plan to Revitalize American Manufacturing and Secure Critical Supply Chains in 2022.
Along with the capstone report, it emphasized the need to evaluate supply chain vulnerabilities across key product areas such as large-capacity batteries, semiconductors, critical materials, and minerals, along with pharmaceutical ingredients.
In March 2022, the US Securities and Exchange Commission (SEC) unveiled proposed amendments to cybersecurity governance and risk management strategies. These were rules meant to enhance cybersecurity public disclosures, especially incident reporting by public companies.
Supply Chain Compliance Standards
These regulations compel organizations to adhere to specific compliance standards to maintain cybersecurity resilience. Some of these compliance standards and practices include:
- Maintaining up-to-date patch management.
- Clear audit and reporting procedures for transparency.
- Conducting third-party risk assessment and due diligence.
- Creation of standard operating procedures and policies for cyber incidents.
- Running penetration tests to evaluate the rigor of systems and their defenses.
How to Respond to a Third-Party Breach
Your organization needs to take steps in the event of a third-party breach.
Having documented evidence is vital when it’s time to report the data breach to the relevant authorities accurately. Cybercriminals and malware have grown stealthier, making their activity more difficult to detect. Organizations may need to use forensic investigators to help uncover evidence depending on the scope.
Time is of the essence. The longer you take to respond to a security breach, the more time hackers have to burrow deeper into the corporate network and cause damage.
Implement a Contingency and Incident Response Plan
Develop threat models and contingency plans. In addition to enabling you to visualize potential threats, it gives you the latitude to respond nimbly when your supply chain is jeopardized.
Provide Full Disclosure
Data protection regulations like HIPAA and GDPR have reporting mandates to be upheld in a data breach. Ensure you have a notification toolkit that covers all the ground you need to cover in responding to policyholders, perhaps incorporating a data breach notification analysis.
Security Best Practices To Prevent Third-Party Breaches
Organizations must adopt a holistic approach to combat third-party breaches. A comprehensive third-party and supply chain management should include the following best practices:
- Maintaining visibility and transparency by understanding supply chain activities and third-party product composition. This can be achieved by enacting a software bill of materials (SBOM) to provide a nested inventory of the elements that comprise third-party software components.
- Conduct due diligence and adopt a rigorous supplier qualification process. This should involve third-party risk management, applying vendor risk assessments and scores, then screening contractors for various risks.
- Ensure your contractors, suppliers, and vendors use well-tested tools and apply strict cybersecurity protocols.
- Set up a compliance management system (CMS) tailored to your company environment and infrastructure. These standards, policies, and procedures provide a framework to continuously monitor supply chain compliance risk.
- Integrate vendor controls that allow you to restrict access to your system from compromised third parties.
- Adopt the principle of least privileges (POLP) with a strict role-based access control system. These practices ensure that your vendors are only provided the requisite access to perform on their infrastructure.
- Implement attack surface management software to detect, prevent, and minimize data breaches across the supply chain.
What’s Next? Learn How Vera Can Help You
Third-party breaches and supply chain attacks are challenging to detect. Fortunately, Vera provides diligent third-party and attack surface cyber risk management.
Vera’s always-on security protects data anywhere and helps you navigate the challenges of third-party breaches. These security capabilities empower organizations to control supply chains in a digital world where perimeters no longer exist.
To learn more about data loss prevention and how to bulletproof your endpoints, read about our DLP solutions here.