Third-party Risk Management – SY0-601 CompTIA Security+ : 5.3

Security risks are everywhere, including with third parties. In this video, you’ll learn about risks associated with vendors, the supply chain, business partners, and more.


If you are part of a company, you’re almost certainly working with third-party vendors. These could be the people who provide payroll for your organization, a separate email marketing firm, a travel department that’s external to your company, or a supplier of raw materials. In each of these relationships, data is going to be shared with the third party, and if the service runs in the cloud, handing your data over to that service is practically a requirement.

From a security perspective, you need to understand the risk of providing that data to a third party. Categorize the risk for each individual vendor, and put security policies and procedures in place that focus on the highest-risk vendors. It’s also useful to write the security requirements into the original contract with the third party. That way everyone understands what the requirements are, and you can use the contract to hold the third party to the requirements that were stated.

An example of a third party not following security policies and contributing to an enormous breach occurred in November of 2013 with Target. Point-of-sale terminals across Target’s stores were infected with malware that collected payment card data and transferred it outside of the Target network. The attack started with an HVAC vendor whose workstations had been infected through an email attachment; the vendor reportedly lacked real-time anti-malware protection, and the malware stole the credentials the vendor used to log in to Target’s external vendor portal. The attackers used those credentials to get a foothold, and because Target did not have segmentation in place to keep the vendor-facing systems separate from the corporate network, they were able to move from that foothold onto the internal network, push their malware to the point-of-sale devices, and ultimately steal about 40 million payment card numbers along with personal information on roughly 70 million additional customers.

Another third-party concern is the supply chain: the whole process involved in creating a product, including the separate organizations, the people, and the resources you receive in order to build it. It is difficult to know what security measures are in place at every step of the chain, so it’s useful to perform a supply chain assessment. That means understanding how the product or service gets from the supplier to the customer, evaluating the coordination between each group in the chain, identifying where the security of the process can be improved, understanding the IT systems that support the supply chain, and documenting any changes you need to make to the process.

If we don’t pay attention to supply chain security, the results can be disastrous. For example, between March and June of 2020, software updates for the SolarWinds Orion network management platform installed malware onto customers’ systems. This was not publicly known until December of 2020, when SolarWinds announced that these updates could install malware. Because the attackers had compromised the SolarWinds build environment, the malicious code was compiled into the legitimate update and digitally signed with SolarWinds’ code-signing certificate. Customers receiving the update validated the signature, which passed, and trusted what they were receiving from SolarWinds. A valid signature only proves that the vendor signed the file; it says nothing about whether the vendor’s build pipeline was clean. SolarWinds had about 300,000 customers in total, roughly 33,000 of which used Orion, and it estimated that up to 18,000 had installed the trojanized update. The attackers then used that access to pursue follow-on intrusions at a much smaller number of targets. This was a significant breach that reached thousands of networks by taking advantage of the supply chain.

Your organization may work very closely with a third party that’s not a vendor but a business partner. In that case there may even be direct network connections between your corporate network and the partner’s network. Because of this relatively open path between the two organizations, there are significant security concerns to address. For example, it’s very common to build an IPsec tunnel between the organizations and transfer information through that encrypted connection. The tunnel protects the data in transit, but it also gives anyone on the partner side an easy way to move data into your network, and gives anyone who compromises the partner a path toward you, so it’s important to monitor that link for malicious activity.

Because of this, there should be policies in place to handle these risks: what the best practices are for the connection between you and the partner, how data is handled between the two organizations, and how intellectual property is protected. In a configuration like this it’s not unusual to place a firewall or some other filter on the link so you can control exactly what traffic is allowed between the two networks, restricting the partner to the specific hosts and services they actually need.
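One way to enforce and audit the "only the traffic the partner needs" rule described above, as an added example that is not code from the original page: an allowlist of expected partner flows, applied to flow records exported from the device on the tunnel. The partner subnet, the internal hosts and ports, the protected point-of-sale segment, the log format (`src dst dport proto`) and the sample log lines are all constructed for illustration and are not any particular firewall’s format.

```python
"""Allowlist check for traffic on a business-partner link.

Added example, not code from the original page. The partner subnet, the
internal hosts and ports, the protected segment, and the flow-log lines are
all constructed for illustration; the log format ('src dst dport proto') is
an assumption, not any particular firewall's export format.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed policy: the partner may reach only the SFTP drop host on 22/tcp
# and the EDI gateway on 443/tcp. Everything else crossing the tunnel is a
# policy violation that should be investigated.
PARTNER_NET = ip_network("203.0.113.0/24")
ALLOWED_FLOWS = {
    (ip_address("10.20.5.10"), 22, "tcp"),   # sftp-drop (constructed)
    (ip_address("10.20.5.20"), 443, "tcp"),  # edi-gateway (constructed)
}
# Segments the partner must never reach on any port, e.g. a point-of-sale
# VLAN: exactly the kind of path that must not exist from a vendor foothold.
PROTECTED_SEGMENTS = [ip_network("10.30.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(ip_address(src), ip_address(dst), int(dport), proto.lower())


def classify(flow: Flow) -> str:
    """Return the verdict for one flow seen on the partner tunnel."""
    if flow.src not in PARTNER_NET:
        # Anything not sourced from the partner has no business on this link:
        # spoofed, misrouted, or a sign the far end is being used as a relay.
        return "not-partner"
    if any(flow.dst in seg for seg in PROTECTED_SEGMENTS):
        return "blocked-segment"
    if (flow.dst, flow.dport, flow.proto) in ALLOWED_FLOWS:
        return "allowed"
    return "not-allowlisted"


# Constructed sample log: two legitimate flows, an RDP attempt to the drop
# host, an SMB attempt into the protected VLAN, and a non-partner source.
SAMPLE_LOG = """\
203.0.113.15 10.20.5.10 22 tcp
203.0.113.15 10.20.5.20 443 tcp
203.0.113.22 10.20.5.10 3389 tcp
203.0.113.22 10.30.4.77 445 tcp
192.168.1.9 10.20.5.10 22 tcp
"""


def audit(log_text: str) -> dict:
    """Count verdicts and collect every non-allowed flow for follow-up."""
    counts: dict = {}
    violations: list = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = classify(parse_flow(line))
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict != "allowed":
            violations.append((verdict, line))
    return {"counts": counts, "violations": violations}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(result["counts"])
    for verdict, line in result["violations"]:
        print(f"{verdict:16} {line}")
```

The same allowlist is what the firewall rule set on the link should encode; running it over the exported flow logs as well catches policy drift (a rule someone widened "temporarily") and gives the monitoring the paragraph calls for, since anything other than `allowed` is worth a ticket.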

When working with third parties, it’s very common to use different kinds of agreements. One of these is a service level agreement (SLA), which sets the minimum service terms for a particular service or product. For example, if you contract with a third party for internet access, there may be an uptime or response-time commitment that defines the minimum level of service for that connection. These are common contracts with service providers: everyone understands what the minimum service level should be, and what happens if that level isn’t met. For agreements with a third party that don’t require a full-blown contract, you may use a Memorandum of Understanding, or MOU. This is a document exchanged between two parties so that both understand the requirements of a particular business process, and it may contain information that is confidential between the two organizations. Think of it as an informal letter of intent: it may not have the binding force of a contract, but it does tell both sides what the expectations are.

If you work with a quality management system such as Six Sigma, you may be familiar with a Measurement System Analysis, or MSA. This is a way for a company to evaluate the quality of the process used in its measurement systems. If you’re making business decisions based on measurements, it’s good to know that the measurement system itself is accurate, and an MSA assesses the measurement process and quantifies the uncertainty in it. If you are planning to go into business with a third party, you may want a Business Partnership Agreement, or BPA. This spells out each owner’s stake, the contractual terms for the finances, who gets to make which decisions, and any contingency arrangements built into the partnership.

If you’re working with a third party and there’s a need for secrecy or privacy, you may want a nondisclosure agreement (NDA). This creates a confidentiality obligation between the parties, so that information shared between them is not disclosed to others. You might use an NDA when sharing trade secrets, details of certain business activities, or other information you want to keep private to your organization. An NDA can be unilateral (one-way), where only one party is obligated to keep the information confidential; bilateral (mutual), where both parties take on that obligation; or multilateral, where three or more parties are bound. These are usually formal contracts, and a signature is commonly required.

Another important security concern when working with third parties is understanding when a product’s end of life (EOL) will be. When a manufacturer announces end of life, it commonly means the product is no longer being sold, but the manufacturer continues to support it for some period. This matters if you’re relying on that vendor for ongoing security patches, because the clock is now running on that support.

The next phase is End of Service Life, or EOSL. At this point the vendor is not selling the product and has decided to no longer support it, so there will be no more security patches or software updates, unless the vendor offers an option to pay a premium fee for extended support. A security team needs to know each product’s EOL and EOSL dates so they can plan to replace, isolate, or otherwise protect those systems before the patches stop.
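A lifecycle check of the kind the last two paragraphs call for, as an added example that is not code from the original page: each inventory item is classified against its vendor EOL and EOSL dates, with a paid extended-support contract handled as the exception it is, and items with no recorded dates flagged rather than silently treated as supported. The asset names, the dates, the "today" value and the 180-day warning window are constructed for illustration; in practice the dates come from the vendor’s lifecycle notices and the inventory from your asset database.

```python
"""Lifecycle check of an asset inventory against EOL and EOSL dates.

Added example, not code from the original page. The asset names, dates,
the AS_OF date and the extended-support contract are constructed; in
practice the dates come from the vendor's lifecycle notices and the
inventory from your CMDB.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Asset:
    name: str
    eol: Optional[date]                    # vendor stops selling the product
    eosl: Optional[date]                   # vendor stops patches and updates
    extended_support_until: Optional[date] = None  # paid premium support, if bought


def lifecycle_status(asset: Asset, today: date, warn_days: int = 180) -> str:
    """Classify one asset for the given date.

    unknown-lifecycle  no vendor dates recorded, so it cannot be assumed supported
    unsupported        past EOSL and no extended-support contract in force
    extended-support   past EOSL but still covered by a paid support contract
    eol                no longer sold, but vendor patches still arrive
    eol-approaching    EOL within warn_days, start planning the replacement
    supported          otherwise
    """
    if asset.eol is None and asset.eosl is None:
        return "unknown-lifecycle"
    if asset.eosl is not None and today >= asset.eosl:
        # Extended support only counts while the contract is still running.
        if asset.extended_support_until is not None and today < asset.extended_support_until:
            return "extended-support"
        return "unsupported"
    if asset.eol is not None and today >= asset.eol:
        return "eol"
    if asset.eol is not None and today + timedelta(days=warn_days) >= asset.eol:
        return "eol-approaching"
    return "supported"


# Order in which the security team should work the list.
PRIORITY = ["unsupported", "unknown-lifecycle", "extended-support",
            "eol", "eol-approaching", "supported"]


def report(assets, today: date, warn_days: int = 180) -> dict:
    """Group asset names by status, most urgent group first, empty groups omitted."""
    grouped = {status: [] for status in PRIORITY}
    for asset in assets:
        grouped[lifecycle_status(asset, today, warn_days)].append(asset.name)
    return {status: names for status, names in grouped.items() if names}


# Constructed inventory and a constructed "today".
AS_OF = date(2024, 6, 1)
INVENTORY = [
    Asset("core-switch-firmware", date(2022, 1, 1), date(2024, 1, 1)),
    Asset("erp-server-os", date(2021, 6, 1), date(2024, 1, 1),
          extended_support_until=date(2025, 1, 1)),
    Asset("branch-router", date(2023, 9, 1), date(2026, 9, 1)),
    Asset("edge-firewall", date(2024, 10, 1), date(2027, 10, 1)),
    Asset("staff-laptops", date(2027, 1, 1), date(2030, 1, 1)),
    Asset("legacy-barcode-scanner", None, None),
]

if __name__ == "__main__":
    for status, names in report(INVENTORY, AS_OF).items():
        print(f"{status:18} {', '.join(names)}")
```

The ordering matters more than the labels: anything `unsupported` is already accumulating unpatched vulnerabilities, an `unknown-lifecycle` entry is a gap in the inventory that needs a vendor lookup, and `extended-support` items need a re-check on the contract expiry date, which is why the function treats the day the contract lapses as unsupported.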