On Thursday, September 15th, 2022, Uber confirmed reports of a cybersecurity breach. Following an internal review, Uber reported that cybercriminals gained access via an account allocated to an external contractor.
According to Uber, it is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device was infected with malware, exposing their credentials. The cybercriminal then repeatedly tried to log in to the contractor’s Uber account, which prompted two-factor login approval requests. The contractor initially ignored the MFA prompt, but eventually accepted a request, probably having been worn down from continuous prompts on their phone to authorise access. This allowed the attacker to successfully log in.
From there, the attacker accessed several other employees’ accounts, which gave them elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.
While this article doesn’t seek to shame or celebrate Uber’s compromised state, it highlights the risk that third parties with access to company systems, and not just employees, can pose to an organisation.
What are third-party risks?
Third-party risk simply means the threats that may surface when businesses outsource specific services to third parties.
In today’s world, organisations of all sizes are becoming more reliant on third parties. This includes, but is not limited to, subcontractors, consultants, employment agencies, suppliers, and partners. Yet, while these external vendors provide invaluable services, they also introduce significant risks to an organisation’s information security.
The compliance posture of a third party is integral to, and can be intricately linked with, the reputation and resilience of the organisation using it. As seen with Uber, criminals can take advantage of a third party to breach an organisation’s networks and systems, cause catastrophic reputational and financial damage and loss of revenue, and trigger action by regulatory bodies.
It is therefore important for third parties to be carefully vetted before being onboarded to ensure they are safe.
What is third-party risk management?
Third-party risk management is the process of identifying, analysing, and controlling the risks associated with outsourcing to third-party service providers and vendors. Diligence is required to enable organisations to determine the overall suitability of a third party for a task and to assess the cybersecurity risks it poses. Organisations looking to be cyber safe must understand the complexity that third parties add to their risk profile.
When choosing a vendor, there are critical questions that must be considered. Does this third party work with any other parties that could pose security challenges? What is their security history? Are they in compliance with the relevant regulations? The answers to these questions will help determine the level of risk they could pose to the business.
What is a third-party management lifecycle?
There is no one-size-fits-all approach to assessing risk. The scope and requirements of a risk management framework will vary depending on regulations, industry and so on; however, the ultimate goal of any management programme is to meet regulatory requirements and to mitigate data breaches and costly operational failures.
The third-party management (TPM) lifecycle is a series of steps that details an organisation’s relationship with a third party. For a third-party management framework to be successful, there are a few essential stages. These include:
When considering working with a third party, it is essential to perform an initial risk assessment. This should be based on the area of risk posed by the third party. Relevant questions about the security posture of a potential third party must be asked, however, regardless of its area of specialisation.
When scrutinising a third party, bear in mind that not every party will need a thorough risk management analysis. Third parties must be classified according to the risk they could potentially introduce to your organisation. Applying the same level of scrutiny to every vendor is unnecessary, ineffective, and difficult to maintain. Tiering vendors allows organisations to streamline the third-party management process and manage third-party risks more effectively.
A vendor who delivers office supplies, for example, does not pose the same risks as a software-as-a-service contractor who performs the delicate role of processing customer payments on your organisation’s behalf. Those that don’t have access to your computer networks or confidential information may pose little risk to your organisation, compared with those that hold credentials to your systems, including a company email account.
Assessment & response validation
After assessments are returned by a third party, it is important to review the responses adequately and decide what risk management strategy is appropriate. In some cases, validation of these responses is necessary to better understand how a vendor operates and to conduct an in-depth evaluation. Validation of a third party’s systems might include checking the third party’s domain service records and conducting basic penetration tests, agreed with the third party, on their internet-facing networks. The third parties that warrant this level of scrutiny are those that would pose the greatest risk to your business in the event of an incident.
Remediate issues and revalidate responses
At this stage, tasks are generated, findings and issues are responded to, and evidence is provided where necessary. Responses may need to be revalidated to confirm that the third party has resolved all issues. In extreme cases, where issues and findings remain unresolved, some third parties have to be dropped.
Managing third parties is not a one-time assessment. It is a relationship that must be carefully managed right through to the offboarding process. Third parties must be continuously assessed and monitored for any change in their security or risk. The frequency of these assessments, however, should depend on the tier, with third parties that pose more risk being assessed more often. Any change, such as the expiry of a security certification, should trigger a tier change or a reassessment.
Organisations must have a thorough offboarding process to retire third parties and ensure all information that should not be stored permanently is deleted. This is critical for both recordkeeping requirements and security purposes.
Mitigating third-party risks
Tivarri is experienced in both the definition and the testing of ISO- and FCA-compliant IT systems. We respond to dozens of audit forms and questionnaires annually, providing Chief Technical Officer and cyber security audit and review services to organisations. This gives us a unique understanding of the areas of focus for auditors and investment organisations.
Our third-party risk assessment framework draws on a wide range of experience and skills to probe an organisation’s cyber security stance and its alignment with industry best practices. The results of our assessments act as verification to clients that an organisation’s defences are adequate. Our risk assessment framework is custom-made and considers the individual needs of each organisation and its third parties. Together with our clients, Tivarri establishes metrics and parameters to determine compliance for their partners, suppliers and other third parties.
Contact us today at [email protected] to get a custom-made risk assessment framework for your organisation.