Gregory C. Rasner - Cybersecurity and Third-Party Risk


Cybersecurity and Third-Party Risk: summary, description and annotation


STRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN

Across the world, the networks of hundreds of different world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. And the advanced threats are now exploiting the intersection of weaknesses in cybersecurity and third-party risk management.

In Cybersecurity and Third-Party Risk, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities posed to an organization’s network by third parties. You’ll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation.

The author discusses how to conduct due diligence on the third parties connected to your company’s networks and how to keep your information about them current and reliable. You’ll learn about the language you need to look for in a third-party data contract, whether you’re offshoring or outsourcing data security arrangements.

Perfect for professionals and executives responsible for securing their organizations’ systems against external threats, Cybersecurity and Third-Party Risk is an indispensable resource for all business leaders who seek to:

Understand the fundamentals of third-party risk management
Conduct robust intake and ongoing due diligence
Perform on-site due diligence and close vendor risks
Secure your software supply chain
Utilize cloud and on-premises software securely
Continuously monitor your third-party vendors and prevent breaches

Cybersecurity and Third-Party Risk: read the preview online


Table of Contents

1 Cover

2 Title Page: Cybersecurity and Third-Party Risk. Third Party Threat Hunting. Gregory C. Rasner

3 Introduction

Third-party risk (or supply-chain security) is not a new discipline, and there have been frameworks, regulatory directives, professional certifications, and organizations that all attest to its maturity. Cybersecurity could be considered more mature, since it has been around in some form since computing came of age in the 1970s. Nowadays, it's even more complex in terms of frameworks, disciplines, certifications, regulatory guidance and directives, and avenues of study. Why, then, do the surveys, time after time, indicate that well over 50 percent of organizations do not perform any type of Third-Party Risk Management (TPRM), and even fewer have anything other than an ad hoc cybersecurity due diligence program for vendors? Reasons for this lack of attention and collaboration can be found in hundreds, if not thousands, of breaches and security incidents that were the result of poor third-party oversight and a lack of any due diligence and due care for the vendors' cybersecurity.

This book is designed to provide a detailed look into the problems and risks, then give specific examples of how to create a robust and active Cybersecurity Third-Party Risk Management program. It begins by covering the basics of the due diligence processes and the vendor lifecycle, with models and illustrations of how to create these basic but necessary steps. Then it goes more in depth into the next parts of creating a mature program: cyber legal language, offshore vendors, connectivity security, software security, and use of a predictive reporting dashboard. The book is designed not only to help you build a program, but to take an existing program from compliance checkbox work to an active threat-hunting practice. Many programs that currently exist are designed and run as an obligation to “check a box” for a regulator or an internal auditor. Yet no one has ever secured their network or data by doing only what the regulators told them to do.

Security is an ongoing activity that requires its application in third-party risk to be equally active and ongoing. Its activities and results should emulate a cyber operations or threat operations team that focuses its efforts on reducing cybersecurity threats externally at the suppliers. Get away from checking boxes and filling out remote questionnaires, and take a risk-based approach that engages your highest-risk and/or most critical third parties in conversations to build trust and collaboration, lowering risk for both your organization and the vendor.

Who Will Benefit Most from This Book

A superset of cybersecurity, third-party risk, and executive leadership will benefit the most from reading this book. On the cybersecurity side, analysts through senior leadership will be able to apply their information security knowledge and experience to the hands-on work and management of third-party risk, while third-party risk professionals will better understand and appreciate the need to include a more robust cybersecurity risk domain. Executive and senior leadership in business who are not focused on cybersecurity or third-party risk will gain an understanding of the risk, practice, and frameworks, and how to lower their risk of a cybersecurity event at their vendors.

Special Features

The notes sprinkled throughout this book are designed to provide an example or expansion on topics that bring the topic (either in the chapter or the book as a whole) into a real-world illustration or in-depth analysis. Tips are added to deliver information to the reader on how to improve a process or activity (or a common pitfall to avoid), while definitions help the reader understand the concepts involved.

4 Chapter 1: What Is the Risk?

On December 10, 2020, ESET researchers announced they had found that a chat software called Able Desktop (Able), part of a widely used business management suite in Mongolia, including 430 Mongolian government agencies, was exploited to deliver the HyperBro backdoor, the Korplug RAT (remote access trojan), and another RAT named Tmanger. They also found and identified a connection with the ShadowPad backdoor, used by at least five threat actors in the exploit. Two installers were infected with the trojan, and the compromised Able update system was used to install the malicious software. Evidence shows that the Able system had been compromised since June 2020, while the malware-infected installers were delivered as far back as May 2018.

The post explains that HyperBro is commonly attributed to the cybercriminal group named “LuckyMouse,” a Chinese-speaking threat actor known for highly targeted cyberattacks. Primarily active in South East and Central Asia, many of their attacks have a political aim. Tmanger is attributed to TA428, also a Chinese Advanced Persistent Threat (APT) group. Because these two tools are normally used by different APTs and are now together in one attack, the ESET team theorizes that LuckyMouse and TA428 are sharing data and weapons; they are also likely subgroups of a larger APT. Given the region and threat actors, it is considered to be a political attack that had been planned as early as May 2018, yet not carried out in earnest until two years later.

Advanced Persistent Threat (APT) is the term given to state actors (i.e., government-run or authorized hackers) or large cybercriminal syndicates that have a lot of time and patience to perform very stealthy, large-scale attacks aimed at political or economic goals.

   The SolarWinds Supply-Chain Attack
   The VGCA Supply-Chain Attack
   The Zyxel Backdoor Attack
   Other Supply-Chain Attacks
   Problem Scope
   Compliance Does Not Equal Security
   Third-Party Breach Examples
   Conclusion

5 Chapter 2: Cybersecurity Basics
   Cybersecurity Basics for Third-Party Risk
   Cybersecurity Frameworks
   Due Care and Due Diligence
   Cybercrime and Cybersecurity
   Conclusion

6 Chapter 3: What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk
   The Pandemic Shutdown
   SolarWinds Attack Update
   Conclusion

7 Chapter 4: Third-Party Risk Management
   Third-Party Risk Management Frameworks
   The Cybersecurity and Third-Party Risk Program Management
   Kristina Conglomerate (KC) Enterprises
   Conclusion

8 Chapter 5: Onboarding Due Diligence
   Intake
   Cybersecurity Third-Party Intake
   Conclusion

9 Chapter 6: Ongoing Due Diligence
   Low-Risk Vendor Ongoing Due Diligence
   Moderate-Risk Vendor Ongoing Due Diligence
   High-Risk Vendor Ongoing Due Diligence
   “Too Big to Care”
   A Note on Phishing
   Intake and Ongoing Cybersecurity Personnel
   Ransomware: A History and Future
   Conclusion

10 Chapter 7: On-site Due Diligence
   On-site Security Assessment
   On-site Due Diligence and the Intake Process
   Conclusion

11 Chapter 8: Continuous Monitoring
   What Is Continuous Monitoring?
   Enhanced Continuous Monitoring
   Third-Party Breaches and the Incident Process
   Conclusion

12 Chapter 9: Offboarding
   Access to Systems, Data, and Facilities
   Conclusion

13 Chapter 10: Securing the Cloud
   Why Is the Cloud So Risky?
   Conclusion

14 Chapter 11: Cybersecurity and Legal Protections
   Legal Terms and Protections
   Cybersecurity Terms and Conditions
   Conclusion

15 Chapter 12: Software Due Diligence
   The Secure Software Development Lifecycle
   On-Premises Software
   Cloud Software
   Open Web Application Security Project Explained
   Open Source Software
   Mobile Software
   Conclusion

16 Chapter 13: Network Due Diligence
   Third-Party Connections
   Zero Trust for Third Parties
   Conclusion

17 Chapter 14: Offshore Third-Party Cybersecurity Risk
   Onboarding Offshore Vendors
   Country Risk
   KC's Country Risk
   Conclusion
