M3 is dedicated to bringing you the most updated information in these uncertain times. We’ve tapped Tetra Defense, M3’s trusted cyber incident response partner, to offer you and your organization insight on cybersecurity.
Giving up control when it comes to safety can be unsettling. When we relinquish control, we lose sight of possible outcomes and cling to what we know keeps us safe. When we give up the driver’s seat, we turn to the seatbelt for protection. When we board a plane, we follow safety guidelines. When the security of our data relies completely on an outside vendor, what can we turn to?
Relinquishing control of this sort can increase risk, but it is often a necessary decision as organizations rely on several external vendors to keep their operations going. While there may be anxiety in bringing a new “driver” into the situation, there are ways to determine how risky each one may be. When relying on outside vendors for tools and other critical software, what should be considered in order to stay protected in external agreements?
The Main Risk Factors
Tetra Defense’s Senior Vice President of Digital Forensics and Incident Response (DFIR) Nathan Little has extensive experience in this domain. When an organization’s data is spread across several tools, Nathan notes, “There are really two main risk points: access that the vendor has to your network, and the amount/nature of your data that vendor might store on their own network. Remote Monitoring and Management (RMM) tools are a specific risk when choosing an IT provider, but risk could also come from your HVAC, your medical software support team, etc.”
While RMM and other tools of a similar nature come with risks, their benefits cannot be ignored. Organizations utilize and interact with these tools because they provide quick and effective service remotely. Instead of sending an expert employee on-site for every little fix, Managed Service Providers (MSPs) and the Remote Access Tools (RATs) they use are cost-effective, efficient, and convenient. It’s a double-edge sword — organizations benefit when trusted vendors have access to their network, but organizations suffer if this access is in the wrong hands.
Similarly, and even with less IT-related tools, the risks are still there. Nathan mentions the potential exposure when agreeing to share a network with any new vendor, seeing as any new tool that runs on an organization’s network could be a potential risk.
Tales from the Trenches
Any organization, whether they want to or not, will have to rely on outside vendors and oftentimes give them access to an internal network. In a separate Tetra case, one organization with responsible Remote Desktop Protocol (RDP) practices, a common exploit for threat actors to compromise, was still hit with a ransomware attack. Despite implementing necessary security protocols, authenticating users, and keeping remote connections off of the public internet within their own organization, they were attacked via their HVAC system. The HVAC machine had wireless access and was implemented with exposed RDP for ease of monitoring and maintenance. Through this exposed RDP connection, threat actors found their entrance into their network and worked their way up to a comprehensive ransomware attack.
In order to avoid falling victim to security exploits outside of your organization’s control, it’s important to vet any new or even well-known vendors. While you may not be able to be in the “drivers” seat at all times, here’s how to determine if your drivers are taking all the necessary precautions:
Asking the Right Questions
“There are several questions to ask anyone who needs persistent access to your network,” adds Nathan. Vendors should be able to clearly respond to the following:
- How do you protect the remote access we are giving you from being compromised?
- Do you use Multi-Factor Authentication (MFA) for remote access?
- What tools and technologies do you use for remote access, and are those tools regularly updated and patched?
Learning about how external vendors prioritize and implement cybersecurity will equip any organization with enough information to form an opinion. In addition to verifying the cybersecurity landscape and features of a new vendor open, clear communication is important.
Is the organization communicating effectively about which hosts are in their environment, and which hosts they want to be monitored? How will any unmanaged hosts or Bring-Your-Own-Device (BYOD) organizations (especially in a time of COVID remote work), be isolated or otherwise handled? Who’s responsible for keeping up with unsupported hardware/software?
Doing Due Diligence
This kind of communication and questioning may be cumbersome, but it gives your organization insight into security when providing access to a 3rd-party. Knowing the security practices of an outside vendor will offer peace of mind when relinquishing control of a certain tool, software, or system.
Because the safety of your data relies on the quality of the vendor’s information security program, it’s important to do due diligence. The risks to your data come from both the risk of being stolen or compromised, and the risk of being lost because of system failure, accidental deletion, or cyberattack. To ensure your vendors can still effectively manage your data in the wake of a cyber incident, Tetra’s cyber risk management team encourages asking for references.
Larry Boettger, Tetra’s Vice President of Cyber Risk Service Deliveries adds, “Contact the vendor’s references and ask what services they used. How good was their support when needed? Where there any challenges that they had with the vendor, and how were they overcome?”
To truly make the conversations risk-focused, Larry also encourages to ask, “What were the lessons learned in a recent incident-handling scenario, whether real or simulated during red/blue team exercises or tabletop exercises?” While it may be uncomfortable to directly confront these risks, it is a necessary topic to discuss to help provide insight into security. Just as driving companies vet their drivers and pilots require a license, there is merit to asking just how “safe” a new vendor is before bringing them onboard.
No “Perfect” Solution
In a perfect world, complete visibility, control, and customizable security for every system would be widely available and internally managed. Realistically, many organizations need to rely on outside vendors to continue to make their business function, optimize efficiency, or even to simply keep the heat on in their building.
Whatever infrastructure an organization relies on, chances are that a good portion of their operations are managed and maintained by an outside source. Just as you put on a seatbelt when someone else is driving, be sure to ask the necessary questions and clearly communicate with new vendors to keep your organization better protected.