Vector
Vector

Choose your topics

Blogs
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Blogs
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Blogs
The Simple Way to Combat Phishing

SureCloud Cybersecurity Practice Director Luke Potter shares his tip to stay ahead of attackers phishing for your downfall.

Penetration Testing
Vector (7)
Vector-1
Vulnerability Management, GRC

Trends in vulnerabilities in third-party software

Trends in vulnerabilities in third-party software
Written by

Isadora Gregori

Published on

17 May 2021

Trends in vulnerabilities in third-party software

 

Lately, we’ve seen a large increase in high-severity vulnerabilities linked to patching of third-party software on servers. These often affect high-value systems that are otherwise well patched and usually still within the ranges of acceptable patching timelines for their policies, making them difficult to remedy. In the first of a new series of live cyber threat briefings, Adversary Simulation Lead, Aaron Dobie, and Product Marketing Manager, Andrew O’Hara sat down to discuss the issue.

How organizations are exposing themselves to third-party risk

Our live session began with the subject of how businesses expose themselves to third-party vulnerabilities in the first place. Inadequate third-party risk assessments are a known culprit, with many businesses not paying enough attention to their blind spots. Free, open-source toolsets, for instance, are quite often missed because they have no financial footprint. Such tools might include something as critical and widespread as PHP, which an organization’s full web interface might depend on, but because there’s no charge associated with it, it often gets omitted from the list of third-party vendors.

However, if a business gets its third-party vulnerability assessment right, there are other risks. For example, many organizations will give an unusual level of permissions and freedoms to third-party vendors simply to make them easier to set up. It’s far easier to give an MSSP full admin rights than work out precisely what they need access to, control by control. This, again, can lead to a compromising situation, even if all associated third-party risk benchmarks are run. As well as vendors themselves, businesses also need to be wary of the software they’re producing and where it’s being used. Multiple companies might use the same Exchange or PHP platform, for instance. If a bad actor targets one business using this platform, they’re effectively targeting all businesses that share the software.

Some interesting examples of other third-party exploits in the news recently are the SolarWinds application being backdoored with Sunburst malware and the dependency confusion research by Alex Birsan.

So, what can businesses do to mitigate third-party software risks?

Relying on third-party software these days is virtually unavoidable. In order to stay safe, businesses first need to accept that risk can never truly be eradicated entirely – it’s a dynamic, changeable variant that requires constant scrutiny, monitoring, and patching to stay ahead. Here are some of the things Aaron and Andrew recommended during the live session.

1. Pace your patching 

There’s a balance to strike with patching. If you simply push out patches the day they’re released, there’s a risk that you might impact the availability of the services you’re managing. Instead, patches should be ranked and scheduled according to the level of vulnerability they fix. Crucial patches that fix high vulnerability issues should be done immediately and tested afterward, but others can be ranked and pushed out gradually following in-depth testing. This approach, combined with a good backup policy, will ensure that your business is exposed to minimal risk and minimal downtime.  

2. Vet your vendors 

Businesses need to get a firmer grip on their third-party vulnerability assessments. It’s not just about which vendor a business spends most of its money on or time with, it’s about which vendors have the greatest access to an organization’s network and how much that organization depends on its libraries and software. Risk management requires a highly nuanced approach to get right. Think about end-points and network footprint rather than how much your business utilizes or depends on a third-party service. The biggest threat could come from something fairly innocuous that you think your business could live without.  

3. Check permissions 

This is all about minimizing risk exposure. Suppose you assume that an application or service is compromised. In that case, you want the attacker to have the lowest possible level of access, so businesses need to really understand the permission requirements when they implement third-party access and software in their network. Applications should only be given permissions required for them to perform their function, remove any excessive permissions, and apply the basic principle of least privilege.  

4. Have a detection and response plan 

Last but not least is detection and response – benchmarking what is normal on a server and putting in detection mechanisms so that when things happen outside of the normal band, an organization is alerted and can trigger a pre-defined response from an established playbook.

About SureCloud

SureCloud provides cloud-based, Governance Risk and Compliance products, and Cybersecurity & Risk Advisory services, which reinvent the way you manage risk. SureCloud connects the dots with Integrated Risk Management solutions, enabling you to make better decisions and achieve your desired business outcomes. SureCloud utilizes a highly configurable technology platform, which is simple, intuitive, and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation, meaning you get immediate and sustained value from the outset.