Are You Safe from the Third-Party Threat? (Industry Perspective)

In the age of the data breach, here are questions internal auditors and compliance managers must ask regarding third-party access.

by Scott Braynard / March 12, 2015

The White House. USPS. HealthCare.gov. The list of federal entities that are victims of data breaches grows seemingly every day, raising fears among government IT professionals about threats to IT infrastructure and how to best protect data.

The reality is there is no single solution, and like businesses, government bodies should expect that breaches will happen. Instead IT should take a layered approach to security, leveraging a combination of proven technologies and best practices, which includes preventative measures to increase controls over privileged access and help protect the network. 
 
Hackers determined to break into networks are targeting those with privileged access — anyone from employees to vendors and other third parties. The focus on risk mitigation and compliance, fraud detection and other disciplines requires tools to assess risk and review when, where and how access to networks is granted. Privileged account management (PAM) technology is emerging as a solution whereby IT can control access to networks, enforce administrative policies and maintain a comprehensive view of privileged accounts and usage in the IT environment.

Hacking and Third-Party Access 

The vulnerability in many recent data breaches in both the public and private sectors has been third-party access points, which follows the findings of the 2013 Trustwave Global Security Report. That report found remote access or remote desktop services as a leading vector through which hackers are infiltrating networks, accounting for nearly half of the breaches studied. Another study by Verizon found that remote access tools were used in 88 percent of hacking-related data breaches. 
 
This issue remains a problem for federal, state and local agencies: To sustain operations, all have the need to provide privileged accounts and internal access to a number of third parties. These groups — including service providers, contractors and vendors — require regular access to government IT networks to conduct essential business and IT operations.
 
Agencies need to gain better control over these accounts, which are often accessed through legacy tools or even free software that cannot be tracked by IT. Disparate remote access tools create a problem for IT staff, so consolidation of these tools in favor of a single solution can help mitigate many of the issues they may create.  

Auditing for Remote Access Weaknesses

When scanning a network for abnormalities, or performing testing, government IT managers and internal auditors need to know the issues, and what to look for to assess whether remote access tools would be a point of failure for the organization.
 
Each of the following areas should be assessed:
 
Total number of remote access tools in use. Like online document sharing services and apps, remote access tools that may be downloaded for free can proliferate among both employees and third parties. Often, these tools may be used without IT’s knowledge or consent, and they could provide unauthorized access to almost anyone outside the network holding the credentials. IT must perform a complete scan to determine if these basic remote access software tools are in use, and if so, block them to eliminate unnecessary access points.  
 
Permission settings. Think in terms of physical security. If a vendor needs access to a specific room in a building to deliver supplies, would you turn over the keys to the entire building to allow them to complete the job? The majority of vendors only need access to a single or very small set of systems on the network — and most don’t need full-time access to those systems. Government organizations should utilize a remote support tool that includes permission settings by vendor or team, so they can decide who can access what, and when. 
 
Audit logs. Compliance with how and when data can be accessed is critical, particularly in areas such as health care. Remote access solutions should capture and store session logs of all activity, providing a record of how the technology is being utilized, and by whom. With all remote access to IT systems centrally audited and recorded, IT has greater insight into the activities of third-party entities. 
 
Unique log-in credentials. Every third-party technician should have his or her own unique log-in credentials. Vendors will often use simple or shared log-in credentials with no multi-factor requirement, making them an easy target for hackers with keystroke loggers. Once hackers have legitimate credentials for the remote access system, they can pose as a legitimate user and potentially gain direct access to all systems available to that account, putting the entire organization at risk for a major data breach.
 
Multi-factor authentication. Remote access tools should be configured for multi-factor authentication to add another layer of security. This not only makes it difficult for hackers to use stolen vendor credentials, but also improves compliance with regulations concerning payment information and personal data.  
 
Insider threats, failed audits, sophisticated malware and large ecosystems of internal and external end users are all factors causing IT professionals and auditors to consider new solutions. PAM, integrated with a sophisticated remote access solution, can improve security, increase compliance with standards across levels of government and offer guidance via auditing functions when a problem occurs. 
 
Establishing controls around privileged access continues to be a priority area for IT leaders and internal auditors, and IT must prepare to address the implementation and use of privileged accounts, and help protect against the threat of exploitation of third-party access points.
  
Scott Braynard is vice president of public sector for Bomgar, a remote support solutions provider.
 
Platforms & Programs