Gregory C. Rasner - Cybersecurity and Third-Party Risk


Cybersecurity and Third-Party Risk: summary and description


STRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN

Across the world, the networks of hundreds of different world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. And the advanced threats are now exploiting the intersection of weaknesses in cybersecurity and third-party risk management.
In Cybersecurity and Third-Party Risk, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities posed to an organization’s network by third parties. You’ll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation.
The author discusses how to conduct due diligence on the third parties connected to your company’s networks and how to keep your information about them current and reliable. You’ll learn about the language you need to look for in a third-party data contract whether you’re offshoring or outsourcing data security arrangements.
Perfect for professionals and executives responsible for securing their organizations’ systems against external threats, Cybersecurity and Third-Party Risk is an indispensable resource for all business leaders who seek to:

Understand the fundamentals of third-party risk management

Conduct robust intake and ongoing due diligence

Perform on-site due diligence and close vendor risks

Secure your software supply chain

Utilize cloud and on-premises software securely

Continuously monitor your third-party vendors and prevent breaches

Cybersecurity and Third-Party Risk: read the excerpt online


Cybersecurity Basics for Third‐Party Risk

Some terminology and a few foundational cybersecurity principles are required for a discussion on vendor risk management. Many of these concepts and components of cybersecurity are reviewed throughout this book. The reader isn't expected to be a cybersecurity expert; however, it's easier to grasp risk, priority, and actions if you have a basic understanding of them. You should keep the following bolded terms, which have simplified explanations, in mind.

Encryption is the process of taking plaintext, like a text message or email, and scrambling it into an unreadable format called cipher text. Cipher text helps protect the confidentiality of data, whether stored on computer systems or transmitted through a network like the internet. This capability is at the core of most discussions about securing data. There are subcategories in this area, such as synchronous and asynchronous encryption, but for this book, the discussions revolve mostly around the level of encryption. Advanced Encryption Standard (AES) is the type of encryption most often used by the U.S. government, among others. Most organizations leverage the AES‐128 or AES‐256 level of encryption for their enterprise. The trade‐off of higher encryption levels is speed—the higher the number, the more processing power it takes to decrypt—thus, the higher the number, the better.

Another area of encryption to focus on is the three states of data that encryption must cover. Data exists in three states: at‐rest, in‐motion, and in‐use. At‐rest is as it sounds: the data sits in a database or file. In‐motion refers to data traveling over a network or the internet. When a process is using the data, as in the CPU or memory, it is considered in‐use. In all three states, it is important to have the data encrypted. As you engage vendors on how they protect the data, ensure that your discussion covers all three states.

In recent years, a new mantra has been born: “Identity is the new perimeter.” This statement refers to how millions of people, especially after the rush to remote work during the COVID‐19 pandemic, now connect to work and school from somewhere else. Their identities, which connect users to organizations, work, or school, and how that access is managed, known as access management, are very important when protecting the enterprise (and the data that resides internally at the vendor). This requires entities to focus on several areas for third‐party risk.

First, we cover the access process, which includes three steps: identity, authorization, and access. The identity phase is where a user types in their name and password and the system confirms their identity. Next, the authorization step confirms what access the user has—what that user is permitted to see and do. Lastly, the correct level of access is provided. Once these three steps are completed, the user is permitted to access the data and resources they have authorization to view.

The most common type of access in corporate environments, role‐based access control (RBAC), uses predefined job roles, each with a specific set of access privileges. The difference between two roles illustrates how this works. For example, a human resources (HR) manager will likely have access to payroll and personnel files. However, if they try to log in to a finance server, it will not permit them to connect because they do not have a role in the finance department. If the HR manager requires entry into that server, they must submit a business reason to the access management team for needing access to that server.
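The three-step access process and the HR-manager example above, worked through as an added Python example (mine, not the book's): the user directory, the roles, the resources and the passwords are all constructed sample data.

```python
"""Added example (not from the book): the access process as identity -> authorization
-> access, with role-based access control. Users, roles, resources and passwords are
constructed sample data."""
import hashlib
import hmac
import secrets
from typing import Optional

# Each predefined job role carries a fixed set of privileges on named resources
ROLE_PERMISSIONS = {
    "hr_manager": {"payroll": {"read", "write"}, "personnel_files": {"read", "write"}},
    "finance_analyst": {"finance_server": {"read"}},
}

def _hash_password(password: str, salt: bytes) -> bytes:
    # store a salted PBKDF2 verifier, never the plaintext password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(name: str, password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"name": name, "salt": salt, "verifier": _hash_password(password, salt), "role": role}

def identify(users: dict, name: str, password: str) -> Optional[dict]:
    """Step 1: confirm the claimed identity against the stored verifier."""
    user = users.get(name)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    # constant-time comparison so timing does not reveal how much of the verifier matched
    return user if hmac.compare_digest(candidate, user["verifier"]) else None

def authorize(user: dict, resource: str, action: str) -> bool:
    """Step 2: does the user's role permit this action on this resource?"""
    return action in ROLE_PERMISSIONS.get(user["role"], {}).get(resource, set())

def request_access(users: dict, name: str, password: str, resource: str, action: str) -> str:
    """Step 3: provide access only after identity and authorization both succeed."""
    user = identify(users, name, password)
    if user is None:
        return "denied: identity not confirmed"
    if not authorize(user, resource, action):
        # the HR manager reaching for the finance server lands here; the next step
        # is a business justification to the access management team, not a retry
        return f"denied: role {user['role']} has no {action} on {resource}; submit an access request"
    return f"granted: {name} may {action} {resource}"

# Constructed directory with one HR manager
USERS = {"alice": make_user("alice", "correct horse battery staple", "hr_manager")}
```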

Exposed Credentials

The ongoing explosion of exposed credentials makes understanding and prioritizing risk difficult. In 2020, Digital Shadows published a study with some illustrative statistics:

Over 15 billion credentials have been exposed and are for sale on the internet.

The number of credentials for sale has increased by 300 percent since 2018.

Normal consumer accounts are sold for an average of $15/account.

Financial accounts are valued at $70/account.

Domain administrator accounts are sold for a premium of $3,149/account.

The differences in cost and the number of accounts are part of the problem. As the study states, there are more accounts for sale than people on Earth. The vast majority of accounts for sale are normal user accounts. However, so many of them are for sale that it is difficult to defend against them. Multi‐factor authentication (MFA) and other services are the best defense for this type of standard user account. MFA is explained in more detail later.

Administrator or elevated account access is where the money and the risk are at their highest. The challenge there is determining, from the Dark Web listings, which are valid privileged accounts and which are actually standard user accounts. Again, MFA and Privileged Access Manager (PAM) systems are the best defense.

Single Sign‐On (SSO) is a mechanism that limits the number of times a user has to submit their identity for access verification. In most larger organizations, users are required to interact with multiple systems. SSO enables them to log in once and gives them permission to gain access without reentering their credentials. The different systems pass this credential permission between them silently and provide access to other systems and services without referencing the credentials again.

Multi‐factor authentication (MFA), also referred to as two‐factor authentication (2FA), refers to when there is more than one login step required. (Note, two or more factors can be involved in this authentication.) There are four main types of MFA:

1 Things you know, like your password or PIN.

2 Things you have, such as an employee badge or security token (physical and soft).

3 Things you can refer to, such as biometric items like your fingerprints, retinas, or voice.

4 Where you are based—your location. Most systems leverage this in the background, so the end user may be unaware of this check. Note, this MFA type is not used as often, but if you are based in the United States and someone attempts to use your login in South America, the system is attuned to this difference and would take appropriate action, such as prompt for additional verification or deny access.

MFA is an important security feature and should be pushed to all account types. At a minimum, MFA must be used for all privileged and elevated accounts. Privileged accounts are those with elevated access and permissions to do things that present a higher risk, such as system administrators, senior executives, and data owners. This important feature ensures that only the authorized user gains data access.
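An added Python example (not from the book) that combines three of the factors listed above: a password (something you know), a soft-token code computed per RFC 6238 TOTP (something you have), and a login-country check (where you are), with privileged accounts refused on the password alone. The accounts are constructed; the token secret is the published RFC 4226/6238 test secret, not a real one.

```python
"""Added example (not from the book): an MFA check built from something you know
(password), something you have (a soft token producing TOTP codes) and where you
are (login country versus the account's home country). All account data is constructed."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _password_ok(account: dict, password: str) -> bool:
    # the account stores a salted PBKDF2 verifier, never the password itself
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 100_000)
    return hmac.compare_digest(candidate, account["verifier"])

def verify_login(account: dict, password: str, code: Optional[str],
                 login_country: str, at: Optional[int] = None) -> str:
    """Return 'allow', 'step_up' (ask for more verification) or 'deny'.
    Privileged accounts are never admitted on the password alone."""
    if not _password_ok(account, password):
        return "deny"                                  # factor 1 failed
    if code is None:
        return "deny" if account["privileged"] else "step_up"
    if not hmac.compare_digest(totp(account["token_secret"], at), code):
        return "deny"                                  # factor 2 failed
    if login_country != account["home_country"]:
        # location mismatch: prompt for additional verification instead of admitting
        return "step_up"
    return "allow"

def make_account(password: str, privileged: bool, home_country: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "privileged": privileged, "home_country": home_country,
            "verifier": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "token_secret": b"12345678901234567890"}   # RFC 4226/6238 test secret, constructed

ADMIN = make_account("admin-passphrase-example", True, "US")
STAFF = make_account("staff-passphrase-example", False, "US")
```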

Least‐privilege is a principle where a user has only the privileges (i.e., access) they need to complete the task or job at hand. For example, a database user who only needs to view data records should not have permission to perform deletions or change any users' rights to the database. Least‐privilege is important for ensuring that the Confidentiality, Integrity, and Availability of the data are maintained.
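The view-only database user from the example above, as an added Python example (not from the book): the policy is enforced with the standard-library sqlite3 authorizer hook, which refuses any statement other than a read before it executes. The table and rows are constructed; a server DBMS would express the same policy with GRANT SELECT.

```python
"""Added example (not from the book): least privilege for a view-only database user,
enforced with the sqlite3 authorizer hook. The table and rows are constructed;
a server DBMS would express the same policy with GRANT SELECT."""
import sqlite3

def viewer_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Permit only reading. DELETE, UPDATE, INSERT, DROP and anything else
    is refused by SQLite at statement preparation, before any row is touched."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def run_as_viewer(conn: sqlite3.Connection, sql: str):
    """Run one statement under the viewer policy; report whether it was let through."""
    try:
        return ("allowed", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:     # SQLite reports "not authorized"
        return ("denied", str(exc))

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    # setup runs with full rights, as an administrator would have
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO records (name) VALUES (?)", [("alpha",), ("beta",)])
    conn.commit()
    conn.set_authorizer(viewer_authorizer)  # from here on the session is the viewer
    results = {
        "select": run_as_viewer(conn, "SELECT name FROM records ORDER BY id"),
        "delete": run_as_viewer(conn, "DELETE FROM records WHERE id = 1"),
        "update": run_as_viewer(conn, "UPDATE records SET name = 'x' WHERE id = 2"),
        "drop": run_as_viewer(conn, "DROP TABLE records"),
    }
    # the denied statements never executed, so the viewer still sees both rows
    results["after"] = run_as_viewer(conn, "SELECT name FROM records ORDER BY id")
    conn.close()
    return results
```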

As part of security hygiene, patch management is an important component. It's the process of distributing and applying updates to software and hardware. This process is vital to fixing errors and vulnerabilities. Vendors must be clear about what their processes are and how they prioritize them as security vulnerabilities are identified, categorized (high to lower priority), tested, and deployed into production.

An Intrusion Detection System (IDS) is hardware or software that monitors network traffic and computer systems looking for anomalous behavior or known threats. The IDS alerts security personnel, which is why it is called a detection system—it takes no other action except to detect and alert. While there are several IDS types, what your vendor uses is generally not an issue. The disadvantage of an IDS is that it merely alerts: if it detects suspicious network traffic, it does not stop the traffic, but leaves it in place within the enterprise and notifies Security so it can be monitored. The general rule of thumb is that most companies do not buy an IDS as a standalone product but as part of a suite or bundled product.
