Fr. 56.90

Cybersecurity and Third-Party Risk - Third Party Threat Hunting

English · Paperback / Softback

Description

Move beyond the checklist and fully protect yourself from third-party cybersecurity risk
 
Over the last decade, there have been hundreds of big-name organizations in every sector that have experienced a public breach due to a vendor. While the media tends to focus on high-profile breaches like those that hit Target in 2013 and Equifax in 2017, 2020 has ushered in a huge wave of cybersecurity attacks, a near 800% increase in cyberattack activity as millions of workers shifted to working remotely in the wake of a global pandemic.
 
The 2020 SolarWinds supply-chain attack illustrates the lasting impact of this dramatic increase in cyberattacks. Using a technique known as Advanced Persistent Threat (APT), a sophisticated hacker stole information from multiple organizations, from Microsoft to the Department of Homeland Security, not by attacking the targets directly, but by attacking a trusted partner or vendor. In addition to exposing third-party risk vulnerabilities for other hackers to exploit, the damage from this one attack alone will continue for years, and there are no signs that cyber breaches are slowing.
 
Cybersecurity and Third-Party Risk delivers proven, active, and predictive risk reduction strategies and tactics designed to keep you and your organization safe. Cybersecurity and IT expert and author Gregory Rasner shows you how to transform third-party risk from an exercise in checklist completion to a proactive and effective process of risk mitigation.
* Understand the basics of third-party risk management
* Conduct due diligence on third parties connected to your network
* Keep your data and sensitive information current and reliable
* Incorporate third-party data requirements for offshoring, fourth-party hosting, and data security arrangements into your vendor contracts
* Learn valuable lessons from devastating breaches suffered by other companies like Home Depot, GM, and Equifax
 
The time to talk cybersecurity with your data partners is now.
 
Cybersecurity and Third-Party Risk is a must-read resource for business leaders and security professionals looking for a practical roadmap to avoiding the massive reputational and financial losses that come with third-party security breaches.

List of contents

Foreword xvi
 
Introduction xviii
 
Section 1 Cybersecurity Third-Party Risk
 
Chapter 1 What is the Risk? 1
 
The SolarWinds Supply-Chain Attack 4
 
The VGCA Supply-Chain Attack 6
 
The Zyxel Backdoor Attack 9
 
Other Supply-Chain Attacks 10
 
Problem Scope 12
 
Compliance Does Not Equal Security 15
 
Third-Party Breach Examples 17
 
Third-Party Risk Management 24
 
Cybersecurity and Third-Party Risk 27
 
Cybersecurity Third-Party Risk as a Force Multiplier 32
 
Conclusion 33
 
Chapter 2 Cybersecurity Basics 35
 
Cybersecurity Basics for Third-Party Risk 38
 
Cybersecurity Frameworks 46
 
Due Care and Due Diligence 53
 
Cybercrime and Cybersecurity 56
 
Types of Cyberattacks 59
 
Analysis of a Breach 63
 
The Third-Party Breach Timeline: Target 66
 
Inside Look: Home Depot Breach 68
 
Conclusion 72
 
Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
 
The Pandemic Shutdown 77
 
Timeline of the Pandemic Impact on Cybersecurity 80
 
Post-Pandemic Changes and Trends 84
 
Regulated Industries 98
 
An Inside Look: P&N Bank 100
 
SolarWinds Attack Update 102
 
Conclusion 104
 
Chapter 4 Third-Party Risk Management 107
 
Third-Party Risk Management Frameworks 113
 
ISO 27036:2013+ 114
 
NIST 800-SP 116
 
NIST 800-161 Revision 1: Upcoming Revision 125
 
NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
 
The Cybersecurity and Third-Party Risk Program Management 127
 
Kristina Conglomerate (KC) Enterprises 128
 
KC Enterprises' Cyber Third-Party Risk Program 131
 
Inside Look: Marriott 140
 
Conclusion 141
 
Chapter 5 Onboarding Due Diligence 143
 
Intake 145
 
Data Privacy 146
 
Cybersecurity 147
 
Amount of Data 149
 
Country Risk and Locations 149
 
Connectivity 150
 
Data Transfer 150
 
Data Location 151
 
Service-Level Agreement or Recovery Time Objective 151
 
Fourth Parties 152
 
Software Security 152
 
KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
 
Cybersecurity in Request for Proposals 154
 
Data Location 155
 
Development 155
 
Identity and Access Management 156
 
Encryption 156
 
Intrusion Detection/Prevention System 157
 
Antivirus and Malware 157
 
Data Segregation 158
 
Data Loss Prevention 158
 
Notification 158
 
Security Audits 159
 
Cybersecurity Third-Party Intake 160
 
Data Security Intake Due Diligence 161
 
Next Steps 167
 
Ways to Become More Efficient 173
 
Systems and Organization Controls Reports 174
 
Chargebacks 177
 
Go-Live Production Reviews 179
 
Connectivity Cyber Reviews 179
 
Inside Look: Ticketmaster and Fourth Parties 182
 
Conclusion 183
 
Chapter 6 Ongoing Due Diligence 185
 
Low-Risk Vendor Ongoing Due Diligence 189
 
Moderate-Risk Vendor Ongoing Due Diligence 193
 
High-Risk Vendor Ongoing Due Diligence 196
 
"Too Big to Care" 197
 
A Note on Phishing 200
 
Intake and Ongoing Cybersecurity Personnel 203
 
Ransomware: A History and Future 203
 
Asset Management 205
 
Vulnerability and Patch Management 206
 
802.1x or Network Access Control (NAC) 206
 

About the author

GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.
