The number of breaches that originate from a business partner is skyrocketing. In healthcare, which has the best public reporting, breaches through 3rd parties have increased.
To help solve the 3rd party breach issue, the March 2023 White House Cyber Strategy calls for several sectors to begin demanding the cyber equivalent of “show me your papers”, requiring potential vendors or suppliers to prove they have the necessary security to store and handle your data and your customers’ data.
Critical Insight Incident Responders have seen this problem growing for years in their work helping businesses who have had incidents.
Indicators a Client or Supplier May Require Cybersecurity Incident Response Services
Evaluating the risk of doing business with an upstream or downstream client can be difficult. In many cases, the data needed to make an informed evaluation and decision will not be available to you, especially where you don’t have a mutually trusted relationship with the other entity.
Critical Insight has experience working with and evaluating the cybersecurity readiness of many organizations. This experience covers all sectors of the economy, public and private, whether it be healthcare, small businesses, public utilities, large enterprises, or State & Local governments.
Over time we have identified signals that indicate an organization may not be following current security best practices, and that anyone using its services should require it to work with a security company to improve its internal security.
Below are the 11 cybersecurity red flags we typically see when working with organizations. When evaluating the security posture of organizations you currently work with or are considering working with, you can use these topics to ask about their current cybersecurity proactive and response strategy. This will help you build a better risk profile to use in your decisions about working with them. Critical Insight has the people and expertise to assist you with this process (see contact details below).
Multi-factor authentication (MFA) is not in general use - MFA is essential to protect access via leaked or hijacked login credentials. Every employee and administrator needs to have it, and every critical application needs to require it. This includes all file-sharing sites like Dropbox and Box, plus public cloud services such as Microsoft 365 (née Office 365) and Google Workspaces (née Google Docs). MFA protection should also be in place for any ERP or financial systems.
MFA is not mandatory on public Cloud services - further to the first point. Many organizations say they use MFA, but it is not configured correctly on cloud systems. It is often available if a user wants to use it, but it’s not mandatory. We frequently see this with organizations using Microsoft 365 or Google Workspaces. Make sure they mandate that MFA gets used on these Cloud services (aka “enforced” mode). Microsoft 365 makes it hard to ensure that MFA is enabled across all services, as configuration options are on several configuration pages. You need to select them all.
No 24x7x365 eyes-on-glass (MDR or Managed XDR) – when a threat actor gets into a network, you need to be able to spot the activity and take action in minutes, not days. Criminals typically break in at off-hours, when there is no security staff watching. Large organizations need 24x7 security staff and smaller organizations need an outsourced SOC to monitor for anomalies, launch full investigations, and eject threats.
Lack of managed or monitored Anti-Virus (AV) or Endpoint Detection and Response (EDR) - many businesses still use the default Microsoft Defender agent or a bundled copy of a tool like Norton that shipped with their computer. Too many organizations have “an antivirus product” but without a centrally managed updating, alerting, and management console to deliver the end-user device security picture from across the organization. Without centralized reporting, security then relies on those partners’ employees to proactively report when a suspicious event occurs – assuming they know what to look for. If your partner doesn’t have centrally managed AV or EDR on all employee endpoints, they’re missing security events, and there is a risk of malware or other threats spreading, including to your data on their systems, or to your systems if your partner has network access.
Not using Conditional Access Policies or other sign-on restrictions - most organizations will know who should access their systems and where they are located. Remote access restrictions should be in place and enforced to restrict sign-on to:
- Countries where you know employees reside (with allowances for employees who are traveling)
- Logons that have successfully passed MFA criteria
- Logons that use modern authentication technologies
System administrators should also block the use of “legacy authentication” methods and legacy protocols such as SMTP, IMAP, POP3, and others not required for access.
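As an added example (not Critical Insight's code), the sign-on restrictions above expressed as a check over sign-in events: a per-event evaluation against a country allow-list with travel allowances, an MFA requirement, and a block on legacy protocols. The field names loosely mirror a cloud identity provider's sign-in log export but are assumptions, and the events are constructed.

```python
from dataclasses import dataclass

# Assumptions standing in for an organization's own policy inputs.
ALLOWED_COUNTRIES = {"US", "CA"}            # countries where staff reside
TRAVEL_EXCEPTIONS = {"alice": {"GB"}}       # approved travel allowances per user
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str
    client_app: str      # client type as reported by the identity provider
    mfa_satisfied: bool  # did the sign-in complete an MFA challenge?
    succeeded: bool      # did the identity provider let it through?


def evaluate(event: SignIn) -> list[str]:
    """Return the restrictions this sign-in violates; an empty list means it should be allowed."""
    findings = []
    allowed = ALLOWED_COUNTRIES | TRAVEL_EXCEPTIONS.get(event.user, set())
    if event.country not in allowed:
        findings.append(f"country {event.country} not in allow-list")
    if event.client_app in LEGACY_PROTOCOLS:
        # Legacy protocols cannot complete an MFA challenge, so they must be blocked outright.
        findings.append(f"legacy authentication via {event.client_app}")
    elif event.client_app not in MODERN_CLIENTS:
        findings.append(f"unknown client type {event.client_app}")
    if not event.mfa_satisfied:
        findings.append("MFA not satisfied")
    return findings


def audit(events: list[SignIn]) -> list[tuple[str, list[str]]]:
    """Sign-ins that succeeded despite violating a rule: each one is a gap in enforcement."""
    return [(e.user, evaluate(e)) for e in events if e.succeeded and evaluate(e)]


SAMPLE_EVENTS = [  # constructed sample data, not real log records
    SignIn("alice", "GB", "Browser", True, True),                            # travelling with MFA: fine
    SignIn("bob", "US", "IMAP4", False, True),                               # legacy protocol, no MFA
    SignIn("carol", "RU", "Mobile Apps and Desktop clients", False, False),  # correctly blocked
    SignIn("dave", "US", "Browser", False, True),                            # MFA available but not enforced
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_EVENTS):
        print(f"{user}: allowed despite {', '.join(findings)}")
```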
Presenting on-premises infrastructure through network firewalls - if any Microsoft Exchange servers, Remote Desktop Protocol ports (via network address translation (NAT) or otherwise), or web applications like Microsoft SharePoint or Dynamics get published for use via the Internet and not behind other technologies such as VPN access gateways, then this is a very high-risk indicator. Microsoft Exchange, RDP, and web applications have multiple, frequent cybersecurity vulnerabilities that attackers can exploit. When Critical Insight incident responders see exposed infrastructure, it is often a sign that an organization has risky practices and may not be regularly scanning its internet-facing apps or network services.
Lack of a comprehensive vendor onboarding and change process - there need to be documented procedures in place to enable the safe and secure establishment of contact details, payment details, and change request handling between the organization and its suppliers. We recently dealt with a business that had changed the payment details for a supplier upon request via email and later discovered that they had transferred $1.8 million to a criminal gang and not the supplier they meant to pay. Vendor management practices, like procedures for handling new or updated banking or payment information, are very important for defending against email fraud and Business Email Compromise (BEC) phishing attacks.
Not requiring that third-party contractors and consultants use official company IT equipment - everyone working on a project for the company, whether a full-time employee or a contractor, should be issued with official security-protected end-user devices if they need to connect to company IT systems. Contractors or consultants should not be able to connect with their own computers or mobile devices. Companies which allow third parties to connect from unmanaged or unmonitored devices, and/or without MFA, have a higher probability of having a breach or compromise.
The use of shared user accounts for third parties - using a single shared account for multiple contractors and consultants to connect to the IT systems. We frequently see this go hand-in-hand with not requiring MFA. Everyone who needs to connect should have unique and separate login credentials and an MFA process, even if they work for the same external third party.
Not enforcing the use of Windows Firewall on PCs - disabling it is a common setting for PCs used on corporate on-premises networks that sit behind perimeter firewalls. But in the increasingly hybrid working landscape, where people frequently work outside the corporate firewall on a laptop, not having the Windows Firewall enabled is a significant risk, even (especially!) if they are connecting via VPN from their remote locations. We’ve also seen a substantial increase in incidents caused by Universal Plug and Play (UPnP) traffic and the Network Discovery service telling a home Wi-Fi router that the company laptop can accept RDP, WMI, SMB, and other traffic. The home Wi-Fi router then adds UPnP port forward rules, which exposes the company laptop directly to the Internet, and the Internet then begins attacking it. Make sure that your contractors, consultants, and suppliers enforce the local Windows Firewall on their laptops, and have configured or restricted UPnP services, especially if they will be connecting to your network.
Shadow IT use presents a risk - unless they are specifically blocked, many employees will be using unauthorized cloud and file-sharing services. It’s unlikely that managers or the IT department will have a picture of all the third-party shadow IT services in use. These shadow services, often unmonitored, present a significant security risk while they are in use, and that risk goes up over time as people depart and the accounts they used get abandoned, often with customer or business data in them. There are ways to discover and tackle this problem and to prevent the use of services such as Dropbox, Box, Microsoft 365, Google Workspaces, and others that are not authorized or monitored. Companies should have procedures in place to detect and eliminate shadow IT use.
Critical Insight is Here to Help You Evaluate Your Suppliers
Critical Insight has services that can help you evaluate the cybersecurity posture of any organization you may be working with. We can also ensure that the picture your organization presents to external entities is one that is professional and cybersecurity positive.