Lately, we’ve seen a large increase in high-severity vulnerabilities linked to unpatched third-party software on servers. These often affect high-value systems that are otherwise well patched and are usually still within the patching timelines their policies allow, which makes them difficult to remedy. In the first of a new series of live cyber threat briefings, Adversary Simulation Lead Aaron Dobie and Product Marketing Manager Andrew O’Hara sat down to discuss the issue.
How organizations are exposing themselves to third-party risk
Our live session began with the subject of how businesses expose themselves to third-party vulnerabilities in the first place. Inadequate third-party risk assessments are a known culprit, with many businesses not paying enough attention to their blind spots. Free, open-source toolsets, for instance, are quite often missed because they have no financial footprint. Such tools might include something as critical and widespread as PHP, which an organization’s full web interface might depend on, but because there’s no charge associated with it, it often gets omitted from the list of third-party vendors.
However, even if a business gets its third-party vulnerability assessment right, there are other risks. For example, many organizations grant an unusual level of permissions and freedoms to third-party vendors simply to make them easier to set up. It’s far easier to give an MSSP full admin rights than to work out precisely what they need access to, control by control. This, again, can lead to a compromise, even if all the associated third-party risk benchmarks are run. As well as the vendors themselves, businesses also need to be wary of the software those vendors produce and where it’s being used. Multiple companies might use the same Exchange or PHP platform, for instance. If a bad actor targets one business using that platform, they’re effectively targeting every business that shares the software.
Some interesting examples of other third-party compromises in the news recently are the SolarWinds application being backdoored with Sunburst malware and the dependency confusion research by Alex Birsan.
So, what can businesses do to mitigate third-party software risks?
Relying on third-party software these days is virtually unavoidable. In order to stay safe, businesses first need to accept that risk can never be eradicated entirely – it’s a dynamic, changeable variable that requires constant scrutiny, monitoring, and patching to stay ahead of. Here are some of the things Aaron and Andrew recommended during the live session.
1. Pace your patching
There’s a balance to strike with patching. If you simply push out patches the day they’re released, you risk impacting the availability of the services you’re managing. Instead, patches should be ranked and scheduled according to the severity of the vulnerability they fix. Crucial patches that fix high-severity vulnerabilities should be applied immediately and tested afterward, while others can be ranked and pushed out gradually following in-depth testing. This approach, combined with a good backup policy, will ensure that your business is exposed to minimal risk and minimal downtime.
2. Vet your vendors
Businesses need to get a firmer grip on their third-party vulnerability assessments. It’s not just about which vendor a business spends most of its money on or time with; it’s about which vendors have the greatest access to an organization’s network and how much that organization depends on their libraries and software. Risk management requires a highly nuanced approach to get right. Think about endpoints and network footprint rather than how much your business utilizes or depends on a third-party service. The biggest threat could come from something fairly innocuous that you think your business could live without.
3. Check permissions
This is all about minimizing risk exposure. Suppose you assume that an application or service is compromised. In that case, you want the attacker to have the lowest possible level of access, so businesses need to really understand the permission requirements when they implement third-party access and software in their network. Applications should be given only the permissions required to perform their function: remove any excessive permissions and apply the basic principle of least privilege.
4. Have a detection and response plan
Last but not least is detection and response – benchmarking what is normal on a server and putting in place detection mechanisms so that, when things happen outside of the normal band, the organization is alerted and can trigger a pre-defined response from an established playbook.
About SureCloud
SureCloud provides cloud-based Governance, Risk and Compliance products and Cybersecurity & Risk Advisory services, which reinvent the way you manage risk. SureCloud connects the dots with Integrated Risk Management solutions, enabling you to make better decisions and achieve your desired business outcomes. SureCloud utilizes a highly configurable technology platform, which is simple, intuitive, and flexible. Unlike other GRC platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation, meaning you get immediate and sustained value from the outset.