Third parties are a problem when it comes to cybersecurity. According to IT Business Edge, handling third-party security risk will be a major concern in 2015 — and that's no surprise, since a recent BitSight study found that almost one-third of all retail IT breaches started with a third-party vendor. Since the self-certification of vendor security credentials is no longer a reliable touchstone, how can companies protect their assets?
Target is the most obvious example: Point-of-sale (POS) malware made its way from a third party onto the company's corporate network and resulted in massive credit card data theft. Even worse, detecting this malware was almost impossible, since typical network security controls did not extend to the vendor's systems. Target took vendor assurances at face value — but hardware and software vendors aren't security experts. They need products on the market in order to make a profit, and they often don't have the time or expertise to fully test and retest an application, service or solution. And with malware now expanding beyond traditional attack vectors, self-certification and self-assessment of security performance become a problem.
Third-party application code further increases this risk. According to Help Net Security, while the use of third-party code is becoming common for mobile applications since it allows companies to reuse typical functions, it also comes with significant dangers. As Robert Miller of security firm MWR notes, "Most mobile devices contain a security model that means app A can't easily see the data of app B and also can't use the same permissions." But this all falls apart when common code is used. Miller adds, "However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes." The result is a larger attack surface — and an easy way in for malware creators if they target this code rather than specific application functions.
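To make Miller's point concrete, here is an added example (not code from the article or from MWR) that models the situation: each app keeps its own sandbox and permission grant, but an SDK embedded in several apps runs inside each of them, so its effective reach is the union of every host app's permissions. The app names, SDK names and manifests are constructed for illustration; the permission names follow Android's naming style.

```python
# Added example, not from the original article. Given a constructed inventory
# of apps (granted permissions + embedded third-party SDKs), compute how far a
# shared SDK can reach across the per-app sandbox boundary.
from typing import Dict, List, Set

# Constructed sample "manifests": app name -> (granted permissions, embedded SDKs).
# Apps and SDK names are invented; permission names mimic Android's style.
APPS: Dict[str, dict] = {
    "messenger": {"permissions": {"READ_SMS", "INTERNET"},
                  "sdks": ["adnet-sdk", "crashlog-sdk"]},
    "weather":   {"permissions": {"ACCESS_FINE_LOCATION", "INTERNET"},
                  "sdks": ["adnet-sdk"]},
    "notes":     {"permissions": set(),
                  "sdks": ["crashlog-sdk"]},
}

# Permissions a reviewer would treat as high-risk when reachable by shared code.
SENSITIVE = {"READ_SMS", "ACCESS_FINE_LOCATION", "READ_CONTACTS"}


def sdk_reach(apps: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Return, for each SDK, the union of permissions of all apps embedding it."""
    reach: Dict[str, Set[str]] = {}
    for app in apps.values():
        for sdk in app["sdks"]:
            reach.setdefault(sdk, set()).update(app["permissions"])
    return reach


def flag_shared_sdks(apps: Dict[str, dict]) -> Dict[str, dict]:
    """Flag SDKs embedded in more than one app that reach a sensitive permission.

    The per-app sandbox still holds; the finding is that the SDK vendor's code
    sees sensitive data through *some* host, which app-by-app review misses.
    """
    hosts: Dict[str, List[str]] = {}
    for name, app in apps.items():
        for sdk in app["sdks"]:
            hosts.setdefault(sdk, []).append(name)
    findings: Dict[str, dict] = {}
    for sdk, perms in sdk_reach(apps).items():
        risky = perms & SENSITIVE
        if len(hosts[sdk]) > 1 and risky:
            findings[sdk] = {"hosts": sorted(hosts[sdk]), "sensitive": sorted(risky)}
    return findings


if __name__ == "__main__":
    for sdk, info in flag_shared_sdks(APPS).items():
        print(f"{sdk}: embedded in {info['hosts']}, reaches {info['sensitive']}")
```

Run against a real inventory, the same union over host-app permissions is what a vendor-risk review should ask of each shared component, rather than trusting the SDK vendor's own assurance.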
So, what's the solution? A recent Consultant-News.com article examines third-party security risk from the perspective of financial services — an ideal test case, since the industry relies on high-value personally identifiable information (PII). The piece examines new findings from research firm Booz Allen Hamilton, which point to a shift in corporate security culture. According to Senior Vice President Bill Stewart, "When it comes to cyber, clients are wary that they are studying to fight the latest war. They're looking for a fundamentally different way to deal with the cyberthreats of the future, based on a clear understanding of those emerging threats." According to Booz Allen Hamilton, that "new way" starts with a rejection of the self-certification process, replacing it with cybersecurity programs that are built in by design rather than as afterthoughts.
Here's how that looks in real life: Instead of asking a vendor to report whether its IT security is enough to handle emerging threats, companies will begin leveraging cloud-based security services to scan apps from end to end, regardless of their location in the IT chain. This puts testing, updating and fixing code at the forefront of any vendor relationship rather than confining these tasks to post-incident debriefs. As recent malware breaches have clearly demonstrated, taking security assurances at face value saves time at the start but comes with significant long-term costs.
Third-party security represents big risk, and self-certification simply isn't enough. In 2015, expect to see programmatic and complete supply chain security models become the dominant form of cyberdefense.