The document discusses the threats of cyberterrorism and the importance of third-party risk management. It provides examples of recent cyberattacks attributed to state actors. It then outlines best practices for managing third-party vendor access, including identifying vendors, controlling their access, and auditing their connections. The presentation concludes by introducing SecureLink's Vendor Privileged Access Management (VPAM) solution for securing remote access of third-party vendors.
2. Today’s Speakers
Tony Howlett is a published author and speaker on various security, compliance, and
technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory
Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the
CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is
currently the CISO at SecureLink.
Justin Strackany is the Chief Customer Officer at SecureLink. He has been with the
company since it was founded in 2003, serving in many customer-focused capacities,
including sales engineering, implementation, customer success, account management,
and onboarding new clients. Over the years, he has developed deep partnerships with
some of the largest, most complex enterprise organizations and technology vendors in
industries such as healthcare, gaming, legal, finance, and retail.
3. Cyberterrorism and Why Third-Party Risk Management Matters
Cyberterrorism: Why 3rd Party Risk Management Matters
The State of Cyber-Terrorism
Actors, Methods and Attack Vectors
Best Practices for Managing Third-Party Risk
Demo of SecureLink VPAM
5. The Age of Cyber-Terrorism
In the modern era, with countries increasingly connected through the Internet and dependent on the services it carries, nation-state actors and affiliated groups are increasingly turning to cyber-attacks and cyber-terrorism to carry out their national and political goals.
● Fast: Attacks can be carried out from ANYWHERE to ANYWHERE at the speed of light and easily cross national boundaries.
● Low cost: All that is required is capable technicians with computers.
● Hard to attribute: The perpetrator can be concealed, hidden or otherwise obfuscated.
● Less chance of embarrassing failure: If a cyber attack fails, it is rarely publicized, versus the very public loss of troops and hardware (e.g. Bay of Pigs, Somalia).
● Can be highly effective at causing chaos, confusion, loss of productivity and GDP. And possibly... LIVES.
6. The Threat Is Real
VICTIM | EVENT | ACTOR | DAMAGE
Sony | Corporate servers hacked and upcoming movies and emails leaked on the Internet | North Korea | Loss of IP and revenues; embarrassment from top-level execs' emails
Bushehr Nuclear Facility | Stuxnet virus attacked nuclear material centrifuges and altered operations | US/Israel? | Over 1000 centrifuges destroyed plus collateral worldwide damage
Power plant in Ukraine | Malware shut down power plant for an hour | Russia? | Area-wide power outage; possible long-term damage to plant equipment
City of Las Vegas | Large DDoS attack | Iran and proxies | None; attack was repulsed
8. Advanced Persistent Threat (APT) Actors
COUNTRY | DESCRIPTION | IDEAL TARGETS | PRIMARY OBJECTIVES
China | Many separate groups (APT1, 2, 3, 10, 19, 20, 30, 40, 41) made up of PLA official units and irregular or proxy groups; 100K+ total cyber-soldiers | Military-industrial complex and technology companies | Theft of IP and intelligence, long-term persistence
Russia | Four main groups (Cozy Bear, Fancy Bear, Venomous Bear and Voodoo Bear) | Political, financial and infrastructure | Political disruption/interference, some generic cybercrime
Iran | Elfin, Helix Kitten, Charming Kitten, APT39; many related proxy groups | US/Israel-related groups, companies and sites | Propaganda posting, destruction of infrastructure and services
North Korea | Lazarus Group, Ricochet Chollima | Financial and general industry/business | Monetary gain through fraud and ransom
10. Who is being targeted?
• Government entities:
– Military: Regular probes and attacks on all
branches, testing of field units, hacking of
drones
– Federal, state and local agencies - critical
services, gather data on citizens and
government workers, voting, disruption of
services
– Quasi-governmental - school districts, MUDs,
etc. to disrupt services, ransom hacked systems
11. But not limited to government entities
US Companies are targeted because the US relies on more
private enterprise for its critical services than other countries:
– Government contractors, esp. military to steal IP
– Financial to cause financial chaos, steal money
– Healthcare to disrupt services, sell or ransom data
– Manufacturing to insert backdoors, flaws, cause
accidents
– Utilities to cause service disruption and equipment
destruction
– Energy producers to upset supply and cause
accidents
15. Cyber-Terrorist Methods
Increasing specialization and sophistication among major APT threat actors and cyber-gangs has them separating their "workforces" into:
• Malware code writing
• Network penetrators
• Social engineers
• PR and marketing - esp. for those seeking propaganda value
Some are delegating certain tasks to contractors and outside firms (Internet Research Agency and Guccifer 2.0).
16. Use of custom code
A serious APT will write its own custom exploits in order to evade standard signature-based virus detection and to adapt to specific elements in a target environment.
Example: Stuxnet was written to only activate when it found a specific number of Siemens microcontrollers in a specific array configuration that matched the internal architecture of the Natanz nuclear facility centrifuges.
17. Use of Zero Day Exploits
A Zero Day Exploit, AKA 0-Day, is an exploit that has never been identified "in the wild" by security researchers. They are particularly powerful because cyber-defences will not be aware of them and software vendors will not have patches available. Many APTs have contracts or offer bounties for zero-day exploits. Once used extensively, a 0-Day's value goes down as it gets publicized and remediated.
18. Targeting of vendors and MSPs
APTs are increasingly targeting vendors, Managed Service Providers (MSPs) and other third-party providers as a "force multiplier" to increase the scale and damage of attacks:
• APT10 (China) hacked into 45 MSPs and other technology companies between 2006-2018
• 22 Texas cities were taken down simultaneously by hacking an MSP they all used
20. 3rd Party Danger is Fueled by Outsourcing
Relationships between organizations and third-party vendors have become more complicated as more and more critical business functions are outsourced and those third parties are increasingly given access to internal networks and resources.
Hardware / Software / Cloud
21. The Third-Party Access Tsunami
• Average enterprise has 67 vendors with privileged access
• Average tech vendor has 238 customers
22. This Results In...
vendor reps log into the systems of the typical enterprise each week, touching:
Privileged accounts
VPNs
Credentials
Critical systems
Sensitive data
23. Barriers to a Robust, Efficient Third-Party Remote Access Solution
Security vs. Efficiency
Enterprise Requirements vs. Vendor Requirements
• Lack of resources or budget
• Wrong tools
• Too many tools / no standard
• Decentralized vendor managers
• Vendor buy-in
24. Best Practices for Managing 3rd Party Risk
Keep your company from becoming "Collateral Damage" in the Age of Cyber-terrorism
25. Third Party Security Best Practices
Identify and Authenticate
Control Access
Record and Audit
27. Best Practice: Identify
Comprehensive list of vendors:
Company names
Service/Function
Access needs
GDPR
Of enterprises unsure of total number of vendors accessing networks
29. Best Practice: Identify
Don't allow generic accounts. Identify every individual:
Created efficiently
Given least privilege
Disabled when terminated
30. Best Practice: Identify
Enforce Multi-Factor Authentication (MFA). You may need multiple options for multiple vendors:
Time-Based One-Time Password (TOTP)
Vendor enforced
31. Best Practice: Identify
Employment verification on login. Just because you identified the person doesn't mean they are still authorized.
Verification before enabling
Frequent reporting from vendor
Tool to verify on login
33. Best Practice: Control
Secure Remote Access. Make sure the method vendors are using for remote access is actually secure.
AV protection
TLS 2.0/SSL/IPSec
FIPS-140 certified cryptography
34. Best Practice: Control
Least Privileged Access. Don't put vendors on the network. Give them direct access to only what they need.
Hosts, devices, apps
Ports/services
No scanning
No leapfrogging
35. Best Practice: Control
Decentralize Access Approvals. Make sure the right resource is enabling access as needed, for better security and efficiency.
App Owners own the relationship with their vendor. Access for a vendor is usually being requested by the App Owner.
IT determines WHAT a vendor has access to. The App Owner determines WHEN a vendor has access.
36. Best Practice: Control
Vendors should not know network credentials.
One set of keys gets the vendor into the "lobby" where they can see the hosts they need to connect to.
One set of keys the vendor does not have authenticates to the hosts on the network.
Credential vault
Single sign-on
Federated authentication
38. Best Practice: Audit
Tie contextual info to audit.
Minimum logs: who connected; host/IP of system connected to; origin source IP; session start/end time
Granular logs: authorizer; reason for connecting; associated ticket number
39. Best Practice: Audit
Centralize Vendor Audit. You need a single source of truth (SSOT) for third-party remote access that allows quick and easy auditing and reporting of all user activity, so you can consolidate the required reports to demonstrate compliance and conduct necessary investigations efficiently.
The Ponemon 2017 Cost of a Data Breach Study shows that the longer it takes to detect a breach, the more expensive it will be.
Firewall audit
Disable unapproved methods
Redirect to approved methods
40. Best Practice: Audit
Make sure the audit is viewed. Breaches discovered by an external source.
Set up notifications with real-time basic audit:
● Notifications on login/logout
● Alerts on suspicious activity
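The audit practices on slides 34 through 40 reduce to a few mechanical checks once every vendor session is recorded with the contextual fields listed on slide 38. The script below is an added example written for this page, not SecureLink code: it parses constructed session records, flags records missing audit context, flags a target outside the vendor's allowlist (the "no leapfrogging" rule, with IT deciding WHAT), flags a session outside the App Owner's approval window (the App Owner deciding WHEN), and renders the login/logout notifications from slide 40. The JSON field names, the vendor names, the allowlist and the approval windows are all assumptions made for the example.

```python
"""Audit checks over third-party remote-access session records.

Added example for this page; not SecureLink code. The log format, field names,
vendor allowlist and approval windows are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Contextual fields every session record should carry (slide 38's minimum + granular logs).
REQUIRED_FIELDS = ("user", "vendor", "host", "port", "origin_ip",
                   "start", "end", "authorizer", "reason", "ticket")

# WHAT each vendor may reach: (host, port) pairs decided by IT. Hypothetical data.
ALLOWLIST = {
    "vendor-a": {("db01.corp.example", 1433)},
    "vendor-b": {("erp01.corp.example", 443)},
}

# WHEN each vendor may connect: UTC windows enabled by the App Owner. Hypothetical data.
APPROVAL_WINDOWS = {
    "vendor-a": [("2024-03-04T13:00:00Z", "2024-03-04T17:00:00Z")],
    "vendor-b": [("2024-03-04T09:00:00Z", "2024-03-04T12:00:00Z")],
}

# Constructed sample: one JSON record per vendor session.
SAMPLE_LOG = """\
{"user": "jdoe@vendor-a.example", "vendor": "vendor-a", "host": "db01.corp.example", "port": 1433, "origin_ip": "203.0.113.10", "start": "2024-03-04T14:02:00Z", "end": "2024-03-04T14:40:00Z", "authorizer": "dba.lead@corp.example", "reason": "apply SQL Server patch", "ticket": "CHG-1042"}
{"user": "jdoe@vendor-a.example", "vendor": "vendor-a", "host": "hr-files.corp.example", "port": 445, "origin_ip": "203.0.113.10", "start": "2024-03-04T14:45:00Z", "end": "2024-03-04T14:52:00Z", "authorizer": "dba.lead@corp.example", "reason": "apply SQL Server patch", "ticket": "CHG-1042"}
{"user": "asmith@vendor-b.example", "vendor": "vendor-b", "host": "erp01.corp.example", "port": 443, "origin_ip": "198.51.100.7", "start": "2024-03-04T09:30:00Z", "end": "2024-03-04T10:05:00Z", "authorizer": "", "reason": "quarterly ERP update"}
{"user": "asmith@vendor-b.example", "vendor": "vendor-b", "host": "erp01.corp.example", "port": 443, "origin_ip": "198.51.100.7", "start": "2024-03-05T02:15:00Z", "end": "2024-03-05T02:40:00Z", "authorizer": "erp.owner@corp.example", "reason": "hotfix", "ticket": "CHG-1050"}
"""


def _ts(value: str) -> datetime:
    """Parse the record's UTC timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_session(session: dict, allowlist=ALLOWLIST, windows=APPROVAL_WINDOWS) -> list:
    """Return the findings for one session; an empty list means it passes."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if not session.get(f)]
    if missing:
        findings.append("missing audit context: " + ", ".join(missing))
    vendor = session.get("vendor")
    host, port = session.get("host"), session.get("port")
    # Leapfrog / scope check: the target must be on the vendor's allowlist (IT decides WHAT).
    if vendor and host and port and (host, port) not in allowlist.get(vendor, set()):
        findings.append(f"target {host}:{port} not on allowlist for {vendor}")
    # Window check: the whole session must fall inside an approved window (App Owner decides WHEN).
    if vendor and session.get("start") and session.get("end"):
        start, end = _ts(session["start"]), _ts(session["end"])
        approved = any(_ts(a) <= start and end <= _ts(b) for a, b in windows.get(vendor, []))
        if not approved:
            findings.append("session outside app-owner approval window")
    return findings


def audit(text: str) -> list:
    """Run check_session over every record; return only the sessions with findings."""
    results = []
    for number, session in enumerate(parse_sessions(text), start=1):
        findings = check_session(session)
        if findings:
            results.append({"line": number, "user": session.get("user"), "findings": findings})
    return results


def login_logout_notifications(text: str) -> list:
    """Basic real-time notifications: one line at session start, one at session end."""
    events = []
    for s in parse_sessions(text):
        events.append(f"{s['start']} LOGIN  {s['user']} -> {s['host']}:{s['port']} from {s['origin_ip']}")
        events.append(f"{s['end']} LOGOUT {s['user']} <- {s['host']}:{s['port']}")
    return sorted(events)   # ISO-8601 prefixes sort chronologically


if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['user']}: {'; '.join(hit['findings'])}")
    for event in login_logout_notifications(SAMPLE_LOG):
        print(event)
```

Against the constructed log, the first session passes and the other three each produce one finding: a second hop to an unapproved file server, a session with no authorizer or ticket, and a session outside its approval window. Running these checks over a centralized session store is the "single source of truth" the slides call for; running them at session end rather than in a quarterly review is what turns the audit into the real-time alerting on slide 40.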
44. Your Partner for Vendor Privileged Access
Focused solely on secure
vendor privileged access for
highly regulated industries
Support more than 30,000
organizations worldwide
www.securelink.com
contact@securelink.com
888.897.4498