How organizations are exposing themselves to third-party risk
Our live session began with the subject of how businesses expose themselves to third-party vulnerabilities in the first place. Inadequate third-party risk assessments are a known culprit, with many businesses not paying enough attention to their blind spots. Free, open-source toolsets, for instance, are quite often missed because they have no financial footprint. Such tools might include something as critical and widespread as PHP, which an organization’s full web interface might depend on, but because there’s no charge associated with it, it often gets omitted from the list of third-party vendors.
Even if a business gets its third-party vulnerability assessment right, other risks remain. For example, many organizations grant an unusual level of permissions and freedom to third-party vendors simply to make them easier to set up. It’s far easier to give an MSSP full admin rights than to work out precisely what they need access to, control by control. This, again, can lead to a compromising situation, even if all the associated third-party risk benchmarks are run. As well as the vendors themselves, businesses also need to be wary of the software those vendors produce and where it’s being used. Multiple companies might use the same Exchange or PHP platform, for instance. If a bad actor targets one business through this platform, they’re effectively targeting every business that shares the software.
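The two gaps described above, free components that never make it onto the vendor register and vendor accounts granted more than their work requires, are both things a risk assessment can check mechanically. The Python script below is an added illustration, not code from the session or the article: the component list, the vendor register and the access records are constructed sample data, and the function names are mine. It flags components missing from the register regardless of cost, reports each vendor's excess permissions against what it is contracted to do, and lists which internal systems share a component (the blast radius if that component is compromised).

```python
"""Third-party risk inventory checks (added illustration; all data is constructed)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Component:
    name: str
    cost_per_year: float      # 0.0 for free / open-source software
    used_by: list[str]        # internal systems that depend on this component


@dataclass
class VendorAccess:
    vendor: str
    granted: set[str]         # permissions the vendor account actually holds
    required: set[str]        # permissions the vendor's contracted work needs


# Constructed sample inventory: two free components, one paid platform.
COMPONENTS = [
    Component("PHP", 0.0, ["public-web", "customer-portal"]),
    Component("Exchange", 12000.0, ["mail"]),
    Component("OpenSSL", 0.0, ["public-web", "vpn-gateway", "mail"]),
]

# Constructed vendor register: typically built from invoices, so free tools are absent.
VENDOR_REGISTER = {"Exchange", "Acme MSSP"}

# Constructed vendor access records. "admin:*" stands for a blanket admin grant.
ACCESS = [
    VendorAccess("Acme MSSP", {"admin:*"}, {"logs:read", "alerts:write"}),
    VendorAccess("Backup Co", {"storage:read", "storage:write"}, {"storage:write"}),
    VendorAccess("Audit LLC", {"logs:read"}, {"logs:read"}),
]


def find_unregistered_components(components: list[Component], register: set[str]) -> list[str]:
    """Components not on the vendor register, in inventory order. Cost is ignored on
    purpose: a zero-cost dependency is still a third party."""
    return [c.name for c in components if c.name not in register]


def find_excess_permissions(accesses: list[VendorAccess]) -> dict[str, list[str]]:
    """Per vendor, the granted permissions that the contracted work does not require.
    A wildcard grant is always excess unless the work itself requires it."""
    findings: dict[str, list[str]] = {}
    for a in accesses:
        excess = a.granted - a.required
        if excess:
            findings[a.vendor] = sorted(excess)
    return findings


def shared_platform_blast_radius(components: list[Component]) -> dict[str, list[str]]:
    """Components relied on by more than one internal system, with those systems listed.
    Compromise of such a component reaches every system in the list."""
    return {c.name: sorted(c.used_by) for c in components if len(c.used_by) > 1}


def assess(components=COMPONENTS, register=VENDOR_REGISTER, accesses=ACCESS) -> list[str]:
    """Human-readable findings combining the three checks."""
    findings = []
    for name in find_unregistered_components(components, register):
        findings.append(f"UNREGISTERED component: {name}")
    for vendor, excess in find_excess_permissions(accesses).items():
        findings.append(f"EXCESS permissions for {vendor}: {', '.join(excess)}")
    for name, systems in shared_platform_blast_radius(components).items():
        findings.append(f"SHARED platform {name} reaches: {', '.join(systems)}")
    return findings


if __name__ == "__main__":
    for line in assess():
        print(line)
```

In practice the component list would come from a software bill of materials or package manifests rather than from purchasing records, which is exactly what keeps PHP-style dependencies from disappearing from the register, and the `required` sets would be derived from the vendor's statement of work.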
Some interesting examples of other third-party exploits in the news recently are the SolarWinds application being backdoored with Sunburst malware and the dependency confusion research by Alex Birsan.