Earlier this month American Express announced it suffered a third-party data breach. Although it is not known how many of its customers were affected by the breach, the fact that it occurred so soon after the Bank of America breach raises concerns. Even though these organizations have the resources to implement some of the most comprehensive cybersecurity solutions in the industry, they still fall prey to attackers.
Why do we continue to see these attacks in the headlines?
Attackers successfully infiltrate these leading organizations through vulnerabilities in third parties. While these organizations almost certainly have a vulnerability risk management program, these programs may not include vulnerability risk management for their third parties.
What is Vulnerability Risk Management?
Vulnerabilities can be present in third-party hardware, software and networks and have an impact on your organization.
Here are a few types:
- Misconfigurations. Misconfigurations of third-party access controls and APIs. According to the Cloud Security Alliance, SaaS misconfigurations could account for 63% of security incidents, including third-party data leaks.
- Weak authorization credentials. Attackers use brute force attacks, credential stuffing, key logging and phishing to exploit weak passwords.
- Insider threats. Disgruntled or former employees with permission to networks can exploit vulnerabilities to steal, expose and sell data or launch additional attacks.
- Outdated software. Attackers can easily exploit old versions of software using publicly announced KVEs and CVEs.
- Common vulnerabilities and exposures (CVEs). Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), and Remote Code Execution (RCE) are just a few types of CVEs associated with third-party software.
- Known exploited vulnerabilities (KEVs). These vulnerabilities in widely-used products such as Microsoft Windows and Google Chrome are currently being exploited by attackers and pose one of the top third-party risks.
- Zero-day vulnerabilities. Tens of thousands of organizations were impacted when attackers exploited zero-day vulnerabilities in Microsoft Exchange Server.
- Open-source vulnerabilities. Attackers can exploit CVEs in either direct or transitive dependencies of third-party software. Mapping these dependencies in the supply chain is a critical part of third-party risk management.
- Network vulnerabilities. Compromised endpoints, misconfigured firewalls and wifi and failure to implement multi-factor authentication are common attack vectors leveraged in third-party networks to launch attacks.
What is Risk Based Vulnerability Management?
Risk-based vulnerability management is the process of managing vulnerabilities where those that pose the greatest risk to your organization are managed first. It prioritizes risks using a combination of threat intelligence, risk scoring and automation. Risk-based vulnerability management is an effective strategy for organizations with limited resources who need to optimize their vulnerability risk management.
Risk based vulnerability management offers additional advantages over traditional vulnerability risk management. First, its use of threat intelligence and threat hunting delivers improved accuracy and greater visibility into your entire attack surface, including cloud applications and IoT devices. Second, it continually monitors your IT environment for vulnerabilities, it is more prepared to defend against evolving risks to your organization. Finally, automation allows the IT team to streamline certain aspects of vulnerability management so that they can devote their time to other high-value tasks.
The Role of Vulnerability Risk Management in Cyber Risk
Taking a proactive approach to vulnerability management is imperative in today’s world, especially when organizations are so heavily dependent on their third parties. The number of cyberattacks, including data breaches, has been steadily rising over the last decade and is becoming more sophisticated as time passes. A study conducted by the Ponemon Institute found 56% of breaches are caused by vendors.
Cybercriminals are constantly searching for vulnerabilities in server software and end-user software, including operating systems and mobile apps. Many of those applications are from third-party vendors. Once a vulnerability is detected, cybercriminals commence an attack that often leaves businesses damaged or scrambling to recover. While vulnerability management is critical to managing third-party cyber risk, the specific manner in which it is implemented is critical.
The Vulnerability Management Process
Due to the dynamic nature of networks, systems, internal organization processes and evolving risk, the vulnerability management process should be continuous to proactively defend against the exploitation of vulnerabilities by malicious actors. Organizations use different processes together to optimize the identification and management of vulnerabilities.
These processes include:
1. Continuous, automatic processes like scanning and firewall logging
Protecting a network manually is impossible. Using automated software to run certain processes is the only way to identify and isolate threats.
2. Network scanning
Network scanning is an automated process that continuously scans a network for active devices connected to the network. The software attempts to identify the connected devices and the user associated with the device to determine whether or not there is a threat.
Network scanning should be used in conjunction with other automated processes in which users are perceived as a threat. For instance, suspicious devices can be disconnected from the network and banned based on IP address. Any changes made to the network can be isolated and reversed until the threat is cleared by another automatic process.
3. Firewall logging
Firewall logging is a process that automatically documents all activity related to a network firewall. For example, a typical firewall log will contain information about how the firewall handles different segments of traffic across the network. The logs also track the source and destination IP addresses of all traffic, in addition to port numbers and protocols used.
4. Penetration testing
Penetration testing simulates various cyberattacks against your network and/or applications for the purpose of identifying vulnerabilities. When vulnerabilities are found, the network’s IT administrator is notified to remediate any issues.
5. Network scan analysis
Scanning a network is important, but meaningless without analysis. A network scan analysis looks for indications of a security breach that may have gone unnoticed.
6. Patching software vulnerabilities
When a vulnerability is detected in third-party software, the software vendor determines if a patch is available. If the vendor is unaware of the vulnerability, it will take time to come up with a patch. However, this process is often automated with patch management software.
7. Verifying and ranking vulnerabilities
Finding hundreds or thousands of vulnerabilities in a scan can be overwhelming. Therefore, ranking the criticality of the vulnerabilities is essential. Prioritization makes it easier to remediate the problems in the proper order.
How a vulnerability ranks is determined by the potential damage it can cause. For instance, if a vulnerability makes it easy for a hacker to gain admin access to part of the network, that is a severe problem that should be handled immediately. This type of vulnerability would be ranked higher than others whose potential to cause damage is significantly lower.
Data sensitivity is the other factor considered when ranking vulnerabilities. If the data that could be accessed is highly sensitive, then the threat should be ranked higher. If that data is encrypted, the threat would be ranked lower.
8. Managing vendor vulnerabilities
Managing vendor vulnerabilities is perhaps the most challenging part of vulnerability management. When you’re dealing with a third-party vendor whose systems and protocols aren’t secure, you don’t have the control you need to tighten down on security. For instance, if you’re working with a vendor that doesn’t encrypt all data on their end, your data is vulnerable on a network you don’t control and therefore can’t secure.
A huge part of managing vendor vulnerabilities requires people skills to work with vendors until they get their systems up to speed with basic security measures. The problem is that without hiring a company to perform an audit on your vendors, you may not be aware that there’s a problem until it’s too late.
The Consequences of Not Implementing Vulnerability Risk Management
Financial ruin is just one consequence of letting security vulnerabilities slip by. Other consequences may include a damaged reputation and even bankruptcy. Vulnerability management isn’t just for large corporations; it’s for businesses of all sizes. No network is immune to cyberattacks and all networks need to be protected and continuously monitored to keep threats at bay.
How Panorays Helps Manage Third-Party Risk
Unlike many vulnerability management tools that focus on internal vulnerability risk management, Panorays offers a solution that continuously monitors your third parties.
Its contextual third-party risk management platform includes:
- Supply chain discovery and mapping. Discover third parties in your supply chain and the business relationship each has with your organization. Profile vendors based on business impact and unique context and prioritize your efforts according to the criticality of the relationship.
- Risk DNA assessment. Combine internal and external assessments along with risk appetite, business priorities, and compliance and regulation for evolving, customized risk-based ratings for each supplier.
- Continuous threat detection. Get alerts about early indications of breaches and vulnerabilities, prioritized according to business criticality. Discover critical findings that deliver risk insights and alerts to prioritize threats and prevent them from escalating with a contextualized view of your supply chain.
- Remediation and collaboration. Benefit from seamless collaboration with your third parties while receiving a prioritized remediation plan to close gaps with each vendor. View the changes automatically in the Panorays platform.
Want to learn more about how Panorays can help your organization manage third-party risks? Get a demo today.
FAQs
-
Vulnerability risk management is a set of systems and processes that identify and remediate potential threats to an organization’s entire IT ecosystem. While organizations typically turn to a software or solution to help them manage vulnerabilities in their attack surface, advanced solutions include vulnerability risk management of an organization’s third parties as well.
-
Vulnerability risk management is important because organizations rely increasingly on third parties that they integrate into their IT infrastructure. Attackers intentionally target these third parties, leveraging vulnerabilities to expose data, infiltrate networks and systems and launch other types of attacks.
-
The four steps of the vulnerability management process are:
- Vulnerability scanning. Identity vulnerabilities in your network and systems.
- Assessment and prioritization. Prioritize vulnerabilities to address the most critical ones first.
- Mitigation and remediation. This can involve patching systems, updating software, implementing security controls and reconfiguring settings.
- Reporting. Track progress and demonstrate compliance with reports.
-
Risk based vulnerability management is the process of managing vulnerabilities in which those that pose the greatest risk to your organization are managed first. It prioritizes risks using a combination of threat intelligence, risk scoring and automation. It is an effective strategy for organizations with limited resources who need to optimize their vulnerability risk management.
