As the business world becomes increasingly interconnected, Australian organisations are opening their IT infrastructures to larger numbers of external users. Suppliers, service providers and partners all regularly access core systems to undertake transactions and access data.
Offering such access can pay big dividends when it comes to productivity and efficiency. Rather than staff needing to double-handle orders and information requests, these can be dealt with directly by the third party involved.
However, many organisations are unaware of the significant security risks this trend is creating. Robust security may be in place around core systems, but opening them to external parties changes the level of protection: a business's internal systems are then only as secure as the systems of the parties who have been granted access.
According to a recent report by business consulting firm PwC, 65 per cent of Australian organisations have experienced a cybercrime incident in the past 24 months, compared with 32 per cent of organisations globally. According to the report, Australian CEOs rank cyber security as the top threat to future growth. Improving security when it comes to external parties is clearly top of mind.
The situation is exacerbated by the fact that some external parties are granted privileged access rights to internal systems. This might have been done to allow them access to sensitive databases, or to let them undertake maintenance or monitoring of applications and servers.
This matters because virtually all attacks make use of privileged accounts, and studies have shown that more than 60 per cent of attacks are enabled by security weaknesses introduced by third parties.
This is not to say that third-party users should not be trusted. Rather, that they should have the same level of security in place as the organisation whose systems they are accessing.
Worryingly though, industry research has found that, of the 60 per cent of businesses that now allow third-party vendors remote access to their internal networks, 58 per cent admit they have no confidence that those vendors are securing and monitoring privileged access to their network.
Outsourced service providers
A key area of concern is outsourced service providers (OSPs) who can access an organisation’s core systems through a site-to-site virtual private network (VPN) tunnel. If an attacker is able to compromise the OSP, they can then use the VPN tunnel to compromise the target client organisation.
Typically, cyber attacks follow a five-step process: an initial compromise of the infrastructure, the establishment of a foothold, privilege escalation, internal reconnaissance, and finally completion of the mission. By first compromising an OSP that already has a VPN tunnel into the client, the attackers are able to skip the first two steps. Already inside the target infrastructure, they can move rapidly to escalation and reconnaissance.
Unmanaged credentials in the wrong hands
The key vulnerability that comes from allowing third parties remote access to an IT infrastructure is that their credentials can be compromised. Because the credentials are in the hands of external users, they sit outside the control and policies of the internal IT department. While rules and processes protect credentials within the organisation, the same may not be happening outside it.
Problems can arise if third parties use poor credential management procedures. These include simple things such as storing passwords in a file or on paper, sharing credentials between multiple people and inadvertently exposing them to unauthorised users.
Another security hole is unmanaged endpoints. The device a third party uses to access the organisation is clearly not under the control of the internal IT team, so its security status is unknown. An attacker who compromises that endpoint can install malware or key-logging tools on it and capture the credentials and sessions it uses to reach the target organisation.
The bottom line is that attackers always seek out the path of least resistance. They are very aware of the weak links that often surround third-party access to IT infrastructures and they will readily use unmanaged credentials or unsecured endpoints to gain entry.
An effective approach
The first step in overcoming the security challenge of third-party users is to understand exactly who has access to the organisation’s IT infrastructure. The group could be very diverse and include third-party hardware and software vendors, supply chain vendors, service companies, external consultants and partners.
The second step is to implement an effective privileged account security solution that prevents target system credentials from ever reaching a third party's systems. Session isolation, provided by a secure jump host that injects the credential into the session itself, ensures the external user never sees it. If no credentials are on the third-party system to begin with, there is nothing for an attacker to steal there.
A third step is to secure and control access to all privileged accounts within the organisation, and to monitor all privileged account activity. Behavioural analytics can flag sessions that depart from what a given third party is contracted to do, so that any intrusion that does occur can be detected and stopped quickly.
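The three steps above can be turned into a concrete check. The following is an added example, not the article's or CyberArk's own code: it assumes a hypothetical jump host that writes one JSON record per session line (fields ts, user, src_ip, via, target, action), and a constructed inventory of third-party accounts describing where each vendor may connect from, which targets it may reach, and during which UTC window. It then flags accounts not in the inventory (step 1), sessions that reached a target without passing through the jump host (step 2), and activity outside the vendor's approved source network, target scope or maintenance window (step 3). The log lines are constructed sample data.

```python
"""Audit of third-party privileged sessions against a vendor inventory.

Added example, not the article's or CyberArk's own code. Assumptions
(hypothetical): a jump host / session proxy writes one JSON object per
line with the fields ts, user, src_ip, via, target and action. The vendor
inventory and the log lines below are constructed sample data.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Step 1: inventory of every third party with access, and what that access
# is supposed to look like (constructed; a real list comes from contracts,
# firewall rules and the jump host's own account list).
VENDORS = {
    "acme-dba": {
        "org": "Acme Database Services",
        "targets": {"db-prod-01", "db-prod-02"},
        "src_nets": ["203.0.113.0/24"],
        "hours_utc": (8, 18),   # approved maintenance window, start <= h < end
    },
    "hvac-monitor": {
        "org": "Building Services Pty Ltd",
        "targets": {"bms-01"},
        "src_nets": ["198.51.100.0/24"],
        "hours_utc": (0, 24),
    },
}

# Constructed session records. "via" says whether the target was reached
# through the jump host (credential injected there) or by a direct login
# (the third party must then be holding a target credential of its own).
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:12:00Z", "user": "acme-dba", "src_ip": "203.0.113.10", "via": "jumphost", "target": "db-prod-01", "action": "backup verify"}
{"ts": "2024-05-06T02:40:00Z", "user": "acme-dba", "src_ip": "203.0.113.10", "via": "jumphost", "target": "db-prod-02", "action": "dump customers table"}
{"ts": "2024-05-06T10:05:00Z", "user": "acme-dba", "src_ip": "203.0.113.10", "via": "jumphost", "target": "ad-dc-01", "action": "list Domain Admins"}
{"ts": "2024-05-06T11:30:00Z", "user": "hvac-monitor", "src_ip": "192.0.2.77", "via": "direct", "target": "bms-01", "action": "ssh login"}
{"ts": "2024-05-06T12:00:00Z", "user": "unknown-vendor", "src_ip": "203.0.113.50", "via": "jumphost", "target": "db-prod-01", "action": "ssh login"}
"""


def parse_ts(ts):
    """Parse an ISO-8601 timestamp, tolerating a trailing Z, into UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_event(ev, vendors):
    """Return the list of policy violations for one session record."""
    profile = vendors.get(ev["user"])
    if profile is None:
        # Step 1 failure: an account nobody inventoried is touching core systems.
        return ["unknown_account"]
    issues = []
    # Step 2: every third-party session must pass through the jump host.
    if ev["via"] != "jumphost":
        issues.append("bypassed_jumphost")
    src = ipaddress.ip_address(ev["src_ip"])
    if not any(src in ipaddress.ip_network(net) for net in profile["src_nets"]):
        issues.append("unapproved_source")
    # Step 3: privileged activity outside the vendor's agreed scope or window.
    if ev["target"] not in profile["targets"]:
        issues.append("unapproved_target")
    start, end = profile["hours_utc"]
    if not start <= parse_ts(ev["ts"]).hour < end:
        issues.append("outside_window")
    return issues


def audit(log_text, vendors=VENDORS):
    """Run check_event over a log and return (user, target, issue) findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for issue in check_event(ev, vendors):
            findings.append((ev["user"], ev["target"], issue))
    return findings


def summarise(findings):
    """Count findings per vendor account, the first view an analyst wants."""
    counts = {}
    for user, _target, _issue in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for user, target, issue in audit(SAMPLE_LOG):
        print(f"{user:14} {target:12} {issue}")
    print(summarise(audit(SAMPLE_LOG)))
```

On the sample data the DBA's 02:40 session and its reach into a domain controller, the building-services vendor's direct login from an unlisted address, and the account with no inventory entry are each reported; the one in-scope, in-window session through the jump host is not. The rules are deliberately simple allow-lists; a behavioural baseline per account (usual hours, usual targets, usual command mix) would be layered on the same records.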
By being aware of the challenges posed by third-party access to core IT systems, Australian organisations can take the steps necessary to remain secure. The days of ring-fencing an infrastructure and shutting out the outside world have gone, but with a systematic approach the benefits of third-party access can be enjoyed while the risks are brought under control.
Matthew Brazier is the ANZ Regional Director at CyberArk