
Third-Party Risk: Mitigation strategies

With companies increasing their partner base and expanding into new services and dependencies, the attack surface for third-party breaches is larger than ever.

That is according to security provider Censys, which says that as partners, subcontractors, and hardware vendors enter the picture, network defenders need to reconsider what does and doesn’t constitute a threat.

Speaking at an SC Media virtual summit, Censys Director of Strategic Alliances Celestine Jahren told attendees that they need to reconsider what constitutes a third-party threat, and extend that definition to subcontractors and hardware vendors in what she terms fourth- or fifth-party security threats.

“You can imagine that there are maybe 30 vendors that your company works with that are critical to your organization,” Jahren explained. “When they are breached it can cause a chain reaction.”

Examples of this risk are not particularly hard to find. Jahren pointed to the recent breakdown of CrowdStrike on Windows systems as one example of the chain reaction that can result from an error up the supply chain.

Perhaps even more galling was the 2021 Log4Shell vulnerability, which saw millions of systems proven vulnerable to attack. Even years after disclosure of the bug, many of those systems remain vulnerable to the remote code execution attack and exposed to the open internet.

“We still see about 39 percent of the vulnerable hosts still vulnerable and online today,” said Jahren. “That is a lot for something that had so much publicity and so much impact.”

Enterprises are not the only ones feeling the effects of increased attacks and exposures from third parties. Jahren noted that costs for cyber insurance providers have also risen as the attack surface has expanded.

“It is a really big topic for insurers in which very often there are policies that say if the access point is a third party the customer is covered,” explained Jahren. “But the insurers have very little visibility to assess those third-party risks and that is a really big problem for everyone.”

Ultimately, says Jahren, the best way to cover those blind spots is to expand the visibility companies have over their potential exposures and points of risk. This includes covering the supply chain and hardware landscape with search and visualization tools.

To that end, Censys believes its own search and mapping tools can be useful not only for network managers and security officers, but also for researchers looking to track potential threats and understand what endpoints are being exposed to the open internet.

“We see billions of hosts every day, and we see data points on them that tell us whether or not they are vulnerable to a major zero day and then notify the organization,” said Jahren. “What we’re doing is scanning the entire internet every single day. We touch every internet connected device every three to four minutes.”
