The most powerful statement of 2014 regarding cybersecurity was made in October by Benjamin M. Lawsky, New York State’s top financial regulator. In the wake of several devastating data breaches, Mr. Lawsky wrote a letter to the nation’s top banks in an effort to address major vulnerabilities.
“It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors.”
This assertion speaks to all sectors, not just finance. Advancements in network security products have made it difficult for unauthorized individuals to access enterprise systems directly. The new way in is through privileged partners. Enterprise technology vendors across sectors (retail, hospitals, casinos, banks, energy providers, government agencies) are typically given network credentials to remotely support their customers.
Remote support is absolutely necessary as technology improves, but the most commonly used methods of connection – VPNs and desktop sharing tools – are not secure for third-party access. It is this vulnerable vendor connection that is being heavily exploited by hackers. Handing over the keys to the kingdom to every technology partner is no longer an option in this post-“Year of the Breach” world.
Two of the largest data breaches on record, Target and Home Depot, were both caused by the mismanagement of third-party vendor network credentials. This is not a coincidence; this is a trend. VPNs will lead others down this same dangerous road if used for remote support because hackers are focusing on third-party vendors to gain access to their more lucrative targets.
Securing your network from unauthorized access is critical, but it’s equally important to have a comprehensive audit of authorized access as well. How you manage the “keys to the kingdom” directly reflects the overall security of your network.
Third-party vendors need to access their customers’ networks for a variety of reasons, but the method of access needs to be monitored and secure. Remote support software and solutions are used to gain fast access and resolve issues – VPNs and desktop sharing tools are most common. However, if we look at Home Depot and Target, it becomes clear that the most common solutions are now becoming the problem.
A VPN alternative is necessary to ensure accountability in remote access. Third-party vendors often share their VPN credentials; this limits the ability to track changes and spot irregularities. Many companies rely on a VPN to provide remote access to employees, but a VPN alternative should be used when working with third-party vendors. Desktop sharing tools are good for collaboration, but during vendor network support they create ghosts that leave no trace. If we learn anything from Home Depot and Target, it should be to pay close attention to both who you give credentials to and how you manage and monitor that vendor’s access.