Cybersecurity and Third-Party Risk Third Party Threat Hunting

Move beyond the checklist and fully protect yourself from third-party cybersecurity risk

Over the last decade, there have been hundreds of big-name organizations in every sector that have experienced a public breach due to a vendor. While the media tends to focus on high-profile breaches like those that hit Target in 2013 and Equifax in 2017, 2020 has ushered in a huge wave of cybersecurity attacks, a near 800% increase in cyberattack activity as millions of workers shifted to working remotely in the wake of a global pandemic.

The 2020 SolarWinds supply-chain attack illustrates that lasting impact of this dramatic increase in cyberattacks. Using a technique known as Advanced Persistent Threat (APT), a sophisticated hacker leveraged APT to steal information from multiple organizations from Microsoft to the Department of Homeland Security not by attacking targets directly, but by attacking a trusted partner or vendor. In addition to exposing third-party risk vulnerabilities for other hackers to exploit, the damage from this one attack alone will continue for years, and there are no signs that cyber breaches are slowing.

Cybersecurity and Third-Party Risk delivers proven, active, and predictive risk reduction strategies and tactics designed to keep you and your organization safe. Cybersecurity and IT expert and author Gregory Rasner shows you how to transform third-party risk from an exercise in checklist completion to a proactive and effective process of risk mitigation.

• Understand the basics of third-party risk management
• Conduct due diligence on third parties connected to your network
• Keep your data and sensitive information current and reliable
• Incorporate third-party data requirements for offshoring, fourth-party hosting, and data security arrangements into your vendor contracts
• Learn valuable lessons from devasting breaches suffered by other companies like Home Depot, GM, and Equifax

The time to talk cybersecurity with your data partners is now.

Cybersecurity and Third-Party Risk is a must-read resource for business leaders and security professionals looking for a practical roadmap to avoiding the massive reputational and financial losses that come with third-party security breaches.

GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.

Foreword xvi

Introduction xviii

Section 1 Cybersecurity Third-Party Risk

Chapter 1 What is the Risk? 1

The SolarWinds Supply-Chain Attack 4

The VGCA Supply-Chain Attack 6

The Zyxel Backdoor Attack 9

Other Supply-Chain Attacks 10

Problem Scope 12

Compliance Does Not Equal Security 15

Third-Party Breach Examples 17

Third-Party Risk Management 24

Cybersecurity and Third-Party Risk 27

Cybersecurity Third-Party Risk as a Force Multiplier 32

Conclusion 33

Chapter 2 Cybersecurity Basics 35

Cybersecurity Basics for Third-Party Risk 38

Cybersecurity Frameworks 46

Due Care and Due Diligence 53

Cybercrime and Cybersecurity 56

Types of Cyberattacks 59

Analysis of a Breach 63

The Third-Party Breach Timeline: Target 66

Inside Look: Home Depot Breach 68

Conclusion 72

Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75

The Pandemic Shutdown 77

Timeline of the Pandemic Impact on Cybersecurity 80

Post-Pandemic Changes and Trends 84

Regulated Industries 98

An Inside Look: P&N Bank 100

SolarWinds Attack Update 102

Conclusion 104

Chapter 4 Third-Party Risk Management 107

Third-Party Risk Management Frameworks 113

ISO 27036:2013+ 114

NIST 800-SP 116

NIST 800-161 Revision 1: Upcoming Revision 125

NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125

The Cybersecurity and Third-Party Risk Program Management 127

Kristina Conglomerate (KC) Enterprises 128

KC Enterprises’ Cyber Third-Party Risk Program 131

Inside Look: Marriott 140

Conclusion 141

Chapter 5 Onboarding Due Diligence 143

Intake 145

Data Privacy 146

Cybersecurity 147

Amount of Data 149

Country Risk and Locations 149

Connectivity 150

Data Transfer 150

Data Location 151

Service-Level Agreement or Recovery Time Objective 151

Fourth Parties 152

Software Security 152

KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153

Cybersecurity in Request for Proposals 154

Data Location 155

Development 155

Identity and Access Management 156

Encryption 156

Intrusion Detection/Prevention System 157

Antivirus and Malware 157

Data Segregation 158

Data Loss Prevention 158

Notification 158

Security Audits 159

Cybersecurity Third-Party Intake 160

Data Security Intake Due Diligence 161

Next Steps 167

Ways to Become More Efficient 173

Systems and Organization Controls Reports 174

Chargebacks 177

Go-Live Production Reviews 179

Connectivity Cyber Reviews 179

Inside Look: Ticketmaster and Fourth Parties 182

Conclusion 183

Chapter 6 Ongoing Due Diligence 185

Low-Risk Vendor Ongoing Due Diligence 189

Moderate-Risk Vendor Ongoing Due Diligence 193

High-Risk Vendor Ongoing Due Diligence 196

“Too Big to Care” 197

A Note on Phishing 200

Intake and Ongoing Cybersecurity Personnel 203

Ransomware: A History and Future 203

Asset Management 205

Vulnerability and Patch Management 206

802.1x or Network Access Control (NAC) 206

Inside Look: GE Breach 207

Conclusion 208

Chapter 7 On-site Due Diligence 211

On-site Security Assessment 213

Scheduling Phase 214

Investigation Phase 215

Assessment Phase 217

On-site Questionnaire 221

Reporting Phase 227

Remediation Phase 227

Virtual On-site Assessments 229

On-site Cybersecurity Personnel 231

On-site Due Diligence and the Intake Process 233

Vendors Are Partners 234

Consortiums and Due Diligence 235

Conclusion 237

Chapter 8 Continuous Monitoring 239

What is Continuous Monitoring? 241

Vendor Security-Rating Tools 241

Inside Look: Health Share of Oregon’s Breach 251

Enhanced Continuous Monitoring 252

Software Vulnerabilities/Patching Cadence 253

Fourth-Party Risk 253

Data Location 254

Connectivity Security 254

Production Deployment 255

Continuous Monitoring Cybersecurity Personnel 258

Third-Party Breaches and the Incident Process 258

Third-Party Incident Management 259

Inside Look: Uber’s Delayed Data Breach Reporting 264

Inside Look: Nuance Breach 265

Conclusion 266

Chapter 9 Offboarding 267

Access to Systems, Data, and Facilities 270

Physical Access 274

Return of Equipment 275

Contract Deliverables and Ongoing Security 275

Update the Vendor Profile 276

Log Retention 276

Inside Look: Morgan Stanley

Decommissioning Process Misses 277

Inside Look: Data Sanitization 279

Conclusion 283

Section 2 Next Steps

Chapter 10 Securing the Cloud 285

Why is the Cloud So Risky? 287

Introduction to NIST Service Models 288

Vendor Cloud Security Reviews 289

The Shared Responsibility Model 290

Inside Look: Cloud Controls Matrix by the Cloud Security Alliance 295

Security Advisor Reports as Patterns 298

Inside Look: The Capital One Breach 312

Conclusion 313

Chapter 11 Cybersecurity and Legal Protections 315

Legal Terms and Protections 317

Cybersecurity Terms and Conditions 321

Offshore Terms and Conditions 324

Hosted/Cloud Terms and Conditions 327

Privacy Terms and Conditions 331

Inside Look: Heritage Valley Health vs. Nuance 334

Conclusion 335

Chapter 12 Software Due Diligence 337

The Secure Software Development Lifecycle 340

Lessons from SolarWinds and Critical Software 342

Inside Look: Juniper 344

On-Premises Software 346

Cloud Software 348

Open Web Application Security Project Explained 350

OWASP Top 10 350

OWASP Web Security Testing Guide 352

Open Source Software 353

Software Composition Analysis 355

Inside Look: Heartbleed 355

Mobile Software 357

Testing Mobile Applications 358

Code Storage 360

Conclusion 362

Chapter 13 Network Due Diligence 365

Third-Party Connections 368

Personnel Physical Security 368

Hardware Security 370

Software Security 371

Out-of-Band Security 372

Cloud Connections 374

Vendor Connectivity Lifecycle Management 375

Zero Trust for Third Parties 379

Internet of Things and Third Parties 385

Trusted Platform Module and Secure Boot 388

Inside Look: The Target Breach (2013) 390

Conclusion 391

Chapter 14 Offshore Third-Party Cybersecurity Risk 393

Onboarding Offshore Vendors 397

Ongoing Due Diligence for Offshore Vendors 399

Physical Security 399

Offboarding Due Diligence for Offshore Vendors 402

Inside Look: A Reminder on Country Risk 404

Country Risk 405

KC’s Country Risk 406

Conclusion 409

Chapter 15 Transform to Predictive 411

The Data 414

Vendor Records 415

Due Diligence Records 416

Contract Language 416

Risk Acceptances 417

Continuous Monitoring 417

Enhanced Continuous Monitoring 417

How Data is Stored 418

Level Set 418

A Mature to Predictive Approach 420

The Predictive Approach at KC Enterprises 420

Use Case #1: Early Intervention 423

Use Case #2: Red Vendors 425

Use Case #3: Reporting 426

Conclusion 427

Chapter 16 Conclusion 429

Advanced Persistent Threats Are the New Danger 431

Cybersecurity Third-Party Risk 435

Index 445

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.