Vendor Risk


Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Vendor risk. The learning objectives for this lesson are to explain vendor risk, to perform vendor risk assessments, and to explore the shared responsibility model. Let's get started.

Vendor risk. You may have done everything that was necessary to secure the network of your enterprise, but all companies are doing business with other vendors. Some of these vendors may even need to connect to your network and have access to your data. We need to make sure that they're doing everything to protect that as well. This creates a unique challenge to us as security practitioners because we don't have a lot of control over their network and what they're doing. I've mentioned this several times throughout the course, but it bears mentioning again that the Target hack all happened because of the HVAC vendor that was connected to Target's network. Target itself didn't get hacked, but they came in through the back door, through the HVAC vendor, into Target's network. We want to really take care when we're looking at doing business with another vendor, especially if they're going to be connecting directly to us.

The shared responsibility model. This is where the responsibility for securing apps, data, and the workloads that are in a Cloud environment is shared between the customer and the Cloud Service Provider. Different areas will be assigned to each, but identifying these and ensuring they are being performed is critical. Before you choose any level of service in the Cloud model, you want to be sure what you're responsible for and what your Cloud service provider is responsible for. Then you can go about making sure that each of those is doing the things that they are responsible for.

The Cloud service models. We're going to begin with software as a service. This is the lowest level of responsibility for the customer because the facilities, utilities, the physical security, the platform, and the apps are all the responsibility of the Cloud service provider. They're simply giving you access to an app; that's it. You're not responsible for anything; they're responsible for it all. Next, we have platform as a service, and this is where the OS and the apps are now your responsibility as a customer. Everything else still stays with the Cloud service provider, but those two are now under your control. Then last we have infrastructure as a service. This is where the CSP only provides the infrastructure, utilities, and the physical security; more of the responsibility has now shifted to the customer.

Here's a good visual that will help you understand this better. You can see with a SaaS model that the customer is not really responsible for anything. We move over to platform as a service; now they're responsible for the apps and the OS. And then finally, with infrastructure as a service, they're responsible for the platform, the apps, and the OS. This is a good visual to help you see what level of responsibility goes with what service model, so you understand what you would be responsible for and what your CSP would be responsible for.

Vendor assessments. Whenever you're looking to do business with a new vendor, you want to make sure that you do a proper vetting on that new vendor. You might want to look at, for example, having a third-party audit and other proof that that vendor is stable, that their finances are good, and just what their cybersecurity capabilities are. Now, what type of vendor it is and what level of access to your network and your data they have will determine how thorough this vetting process would be.

Here are some considerations that you want to think about when you're choosing a new vendor. Vendor lock-in. This is when the customers are completely dependent on the vendor because changing is either too expensive or it's impossible. Before you go into a relationship with a new vendor, you want to make sure: is this going to happen to us? If that's what you're looking for, if that's not a problem, just make sure that it's not a surprise for you later. Vendor lockout. This is when a vendor's product will not work with other vendors' products. They will not allow it to integrate, and that could cause problems if you need that level of integration; you need to know this going in. Vendor viability. Will a vendor be in business in the future? Are they growing or expanding in their field? You want to make sure, before you allow this, whether they are going to be purchased by someone else or whether they are even going to be here in two years. Source code escrow. This is where the vendor-developed products have their source code placed at a third party so that it is available should they go out of business. Support availability. What is the level of support that that vendor will provide? What is the service level agreement? How fast will they respond? You want to make sure all this is documented before you engage in any agreement with them. Meeting client requirements. These are the formal measures that are used to evaluate if the vendor's products or services meet the needs of the customer.

Then also we want to consider their incident reporting requirements. How, and how quickly, will the vendor notify the customer of any incidents at the vendor, such as breaches or downtime? You want to make sure that you understand that, especially if they have access to your data in a HIPAA situation, for example, PHI. A third party to a covered entity, which is the grouping that HIPAA law relates to, is known as a business associate. If they were to have a breach, it goes straight upstream back to the covered entity, and they're responsible. You want to make sure that that business associate is letting the covered entity know about that breach, since ultimately the covered entity will also be responsible. You want to ensure that if your vendor has a breach and it somehow impacts you, you want to know about it.

There are also geographic considerations. Globalization has increased how vendors may be spread out over a number of countries, and each of those countries will have their own laws on data security, privacy, and even copyright. Legal jurisdictions have become extremely important, especially with compliance frameworks like the GDPR.

Instructor side note. I once worked with a medical provider who had outsourced his billing operations to an Indian firm. This is quite common now, but at that time it wasn't a common thing. It was still fairly unheard of, and it was because they were very inexpensive compared to billers here in the United States. Their billing company had an employee that, for whatever reason, decided that he wasn't paid enough and wasn't paid fairly by the billing company in India, and instead of trying to work it out, he decided to steal all of the data for the different sites they were doing billing for. It took over six months for the billing company to let the medical provider know about this. But that is a breach under HIPAA because now that information, that PHI, is outside of the direct control of this billing company, and it is now considered a breach. But because this was a company overseas, and again, this was back when this wasn't common, the medical provider had no recourse because he couldn't do anything against that company, and he had no way to get it resolved. If that company chose not to pay, then the data was never going to be given back, and it was a very messy situation. Ultimately, against my advice, this provider chose not to report this as a HIPAA breach, but unfortunately, it was 40,000-plus patients' data that had been stolen, and they chose not to do it. That includes all the credit card numbers that might have been used, all those social security numbers; all of that was now in the hands of this one individual that was already disgruntled.

Vendor assessment tools. Once you've established a relationship, you need to consider doing an ongoing assessment of the vendor just to make sure that they're staying within the bounds of your agreement. Vendor policies are the levels of service and the expectations from the customer. These should be monitored for compliance on a regular basis.

Supply chain diversity. Supply chain includes all of the suppliers, vendors, and partners that are used to deliver a product to the market. Many of the most notable breaches in history have come from supply chain attacks. Supply chain visibility is understanding how all of the vendor-supplied parts and services are produced and delivered, and also how they will impact your organization's operations or your finished products.

Third-party assessments. A third-party assessment is performed by another party different from the vendor. An objective view of the vendor's stability and capabilities is the goal of this assessment. Here are some examples. The Cloud Security Alliance, CSA, Security Trust and Risk, or STAR. This is the ability of a CSP to adhere to the key principles in transparency, auditing, and best practices for security. The System and Organization Controls, or SOC. This uses standards created by the American Institute of Certified Public Accountants for the evaluation of policies, processes, and procedures to protect technology and financial operations. These are both third-party services; they could come in and evaluate your vendor to ensure that they're adhering to their level of responsibility. We also have the International Organization of Standards, ISO. They'll do an audit of compliance with ISO 27000 for cybersecurity, and then you have Cybersecurity Maturity Model Certification, CMMC. These are standards created by the US Department of Defense to help fortify the DoD supply chain by requiring suppliers to prove they have a mature cybersecurity capability.

Vendor technical considerations. When we're looking to choose a vendor, there are some technical things that we also want to give some thought to. Testing and evaluation allows us to ensure that the vendor and/or their products are meeting the service level that we are expecting them to. Is the product working the way we want it to? Is the service performing the way we need it to? Network segmentation is where we want to ensure that the systems that are managed by vendors are isolated from the rest of the organization's network. Transmission control ensures that any connection between the customer and the vendor is secured and free from being intercepted or infiltrated. This may be a good example of using a VPN. Then shared credentials should be a no-no. Every vendor employee should have their own unique account on any customer resources. This establishes accountability for any activity that is done on customer devices by the vendor. You don't want an account just named "vendor", for example, where all the employees of the vendor can log in remotely. It needs to be a specific account where it's first name, last name, or whatever, so that anything that happens can be tracked back to that specific individual rather than just a generic vendor company name.

Let's summarize. We went over vendor risk. We also discussed the shared responsibility model and the different Cloud service types. We went over vendor assessments and what globalization means for all of this. Then we went over vendor assessment tools.

Let's do some example questions. Question 1: This describes when a product does not allow integration with third-party products or services. Vendor lockout. Question 2: All of the suppliers, vendors, and partners needed to deliver a product or service. Supply chain. Question 3: The blank was developed by the US Department of Defense to ensure Department of Defense suppliers had a mature security program. Cybersecurity Maturity Model Certification, or CMMC. Finally, Question 4: The ability to understand how all vendor-supplied parts are produced and delivered, and how this impacts an organization's operations, is... Supply chain visibility, or SCV.

Hope this lesson was helpful for you, and I'll see you in the next one.