While security threats resulting from exposure to third-party partners are serious, security pros face an even tougher challenge from fourth-party security risks.
What do we mean by fourth-party risks? Think of fourth parties as the "vendors of your vendors." Everyone from Amazonian giants to small businesses uses subcontractors.
According to a recent BitSight report of over 35,000 companies, one in four technology companies link to Amazon Web Services (AWS). One disruption on that service could impact multiple vendors.
"Service providers can experience an outage and they can also experience cyberattacks," said Stephen Boyer, CTO and co-founder of BitSight. "When they do, it brings down many organizations and can also severely impact an organization's vendors."
Earlier this year, a domain name server (DNS) provider called NS1 experienced an attack that impacted many websites in the U.S. and Europe. As DNS service providers offer critical services to the vendors of many organizations, they act effectively as fourth parties. A similar outage at UltraDNS brought down sites like Netflix and Expedia for an hour or two. And fourth-party breaches have taken Salesforce offline at times.
Fourth-party Security Risks: a True Story
Plixer, the maker of Scrutinizer incident response software, had been working with a vendor that sub-contracted some work to a fourth party without consent. It discovered this when malicious activity lit up the administrative portion of the Plixer website, which is only available via a very restricted VPN where the company keeps a close watch on network traffic usage, anomalies (should they occur) and DNS for requests to known malicious domains.
"I noticed alarms appearing in Scrutinizer for malicious domain requests," said Thomas Pore, director of IT and Services, Plixer. "We were able to quickly identify the requests to a VPN user and obtain the user credentials used."
Pore suspended the account and contacted the vendor that its workstation was compromised, sharing the following information: His machine performed an IP lookup against an "IP check" service to determine its internet IP address; a domain generating algorithm (DGA) was launched which requested domains that do not exist; one request was made to a domain that has a reputation of being malicious.
The vendor insisted that his computer was not infected. But when Pore refused to re-enable his VPN account, he mentioned he had contracted work to a designer and provided the designer with VPN credentials for fourth-party access.
"Fourth-party network access is definitely a problem if the third party is not going to adhere to basic security practices," said Pore. "Even with multi-factor tokens, the third party could assist the fourth party with gaining entry."
App Stores and More: Who Are Your Suppliers?
The research team at PerimeterX has highlighted a new kind of risk associated with fourth-party breaches. What happens when the fourth party is a trusted source of apps or browser extensions that carry a malicious payload that causes users to unknowingly participate in fraud campaigns?
The website is the first party in this case. Its affiliate marketing vendor is the third party, and the Google Chrome Web Store is the fourth-party infrastructure provider that is being abused.
Thus fourth-party breaches have evolved beyond vendors of vendors. These kinds of breaches can involve a loosely coupled ecosystem of companies and users impacting each other. This type of breach is more severe than the traditional fourth-party breach as you have no way to map all the actors and risks.
"We presented malicious browser extensions which are listed as valid, highly rated extensions on the Google Chrome Web Store," said Omri Iluz, PerimeterX's CEO and founder. "These extensions provide value to the user, and as such are installed millions of times. Unfortunately, they also contain a malicious payload which attributes the user purchases on the website to a fraudulent affiliate."
These attacks are getting attention, as they are tough to plan for and detect. Depending on the type of breach, moving laterally from the fourth party to the third party and then infiltrating the organization stack is significantly easier than breaching directly.
John Pescatore, SANS director for Emerging Security Trends, observed that companies are held accountable for the breach, whether it is caused by their own internal sloppiness, a successful phishing attack against one of their employees or the fault of a third or fourth party.
"Everything bad that happens to a business when they are at fault for a breach happens to that business if there is a third or fourth party at fault for the breach," said Pescatore. "Yet when the enterprise uses a supplier/vendor who uses a supplier/vendor, the likelihood of bad security hygiene just keeps going up."
Mitigating Fourth-party Security Risks
How do you effectively identify and manage fourth-party security risks? The most effective strategy is to choose the most secure suppliers. That means making sure security is involved in those sourcing decisions, with the security organization having and using a mature process and methodology for evaluating suppliers and their suppliers.
Other tips include:
Ensure Basic Security Hygiene Is in Place
Pescatore called attention to basic security hygiene, which he feels is often overlooked. He gave examples of the CIS Critical Security Controls, the FedRAMP Continuous Monitoring program and the NSA’s IAD Top Ten as proven methodologies to make sure that basic hygiene is demonstrated. Supply chain risk management is another aspect.
Refine Your Risk Processes
"The best approach is to try to use similar approaches to what is used for supply chain or second-party risk," Pescatore said. "Some enterprises have very mature supply chain risk processes that use formal assessments and detailed contractual and audit requirements."
Others use more active approaches, he said, such as requiring suppliers to allow continuous monitoring and also requiring those suppliers to monitor their suppliers. Some are trying to add some newer approaches, such as "risk rating" services like Bitsight, he added.
Companies today also sometimes include fourth-party questions in their risk questionnaires. These may include asking for a list of the vendor's cloud service providers (fourth parties), as well as asking whether any of these fourth parties would have access to their data.
Some highly regulated organizations like those in the financial services sector will do fourth, fifth, sixth or seventh party audits to assure data protection of certain data sets. However, this can be costly and doesn't scale well. And there are other shortcomings as well, said BitSight's Boyer.
"These questionnaires and audits only provide a moment-in-time snapshot of the fourth party ecosystem and are only as accurate as the vendor's responses," Boyer said. "Organizations are finding it increasingly beneficial to continuously monitor their vendors' vendors, especially in the face of regulatory pressures and the increased number of breaches and outages affecting cloud service providers."
Put It in the Contract and Use Multiple Forms of Authentication
Contracts with third parties should clearly outline the restrictive use of access and repercussions of unauthorized or negligent behavior, Pore recommends. Only through monitoring successful logins, network behavior and correlating DNS can you identify if a fourth party is accessing your network, he said. Each party, therefore, should be set up with multiple forms of authentication (tokens or certificates) which can be easily revoked though misuse or malicious behavior is detected.
"In our instance of a fourth-party violation, the VPN account used was restricted significantly," Pore said. "However an engineer in an understaffed situation may not have been as diligent, and confidential corporate information could be easily obtained."
Encrypt Your Data
Any data stored or utilized by third and fourth parties should be encrypted both on disk as well as in-transit, said Travis Smith, senior security research engineer at Tripwire. This will reduce the risk of data disclosure in the event of a breach. If there are any mission-critical business services using these parties, appropriate business continuity planning should account for the compromise of the confidentiality, integrity and/or availability of the service.
"Assume that your data and services are going to be targeted, and apply layered defense in-depth strategies around protecting the business and its customers," he said. "Don't rely on the third or fourth party to apply security controls, which may or may not fit your business' needs."
Drew Robb is a freelance writer specializing in technology and engineering. Currently living in Florida, he is originally from Scotland, where he received a degree in geology and geography from the University of Strathclyde. He is the author of Server Disk Management in a Windows Environment (CRC Press).