In my last paper I discussed the high level of risk that third-party service providers and vendors pose to organizations. If vendors have a connection to your internal network, or are trusted implicitly by organizational staff, they are a potential risk to private information and services at your business. Because of this danger, it is becoming increasingly important to conduct vendor risk assessments. In addition, vendor risk assessments will produce information valuable to increasing the accuracy of the organization’s business impact analysis. For small to medium size businesses, the goal is producing a useful vendor risk assessment without expending inordinate amounts of time and resources. I will outline below the basic methodology for conducting such a risk assessment.

The first step is formulating questionnaires for both internal employees and for the services providers being assessed. For the internal questionnaires, it is best to question application/vendor owners and subject matter experts. It is also valuable to have the input of IT and security personnel. Some of the information you may want to gain from this effort includes:

• What data and systems does the vendor have access to? How critical to the business are these systems and data? Is the data regulated or sensitive (i.e. PPI, PHI)?
• How does the vendor access these assets (i.e. via VPN, 2FA, simple user name/password)? Is access automatic or must it be enabled before access is granted? Is vendor access logged and monitored? Is there a shared access account used to communicate with the vendor, or is access individual to the employee?
• How critical is the availability of this vendor to business processes? Is the vendor really necessary (Are there other vendors used by the organization that provide similar services to other lines of business, and is it possible to a number of vendors with just one)?
• Has a review of vendor contracts and agreements been performed to see if they meet the organizations security policy and functional requirements?
• Are there periodic reviews of the vendor performed to check on their status in the industry (i.e. financial status, reputation)?

For the external questionnaires, the goal is to gain information about and from the vendor. This information can be gleaned from publicly available sources, user groups, the Better Business Bureau, or you can contact the vendor itself. Some of the information you may wish to collect includes:

• Does the vendor have a SOC 2, PCI DSS, ISO certification in place, or is there other evidence of a risk management program in place?
• Does the vendor support multi-factor authentication mechanisms such as hard tokens, Okta, etc.?
• Is the vendor financially sound?
• Does the vendor have a good reputation in the industry and among users of the vendor service or application?
• Does the vendor have a documented information security program in place that is compliant with the organization security program? Does the vendor perform logging and monitoring of their systems? Do they have an incident response program in place? Etc.
• Does the vendor have a history of security compromises or data breaches?

Once you have the information about the vendors you need, you can apply the regular risk assessment paradigm to them; what threats may menace the vendor, what impacts would the business suffer if the vendor were compromised, how likely is compromise of the vendor? From this you assign the vendor a risk rating, usually stated as high, medium or low.

After the risk ratings have been assigned to all of the organization’s vendors, the risk treatment process can be undertaken. For example:

• Should additional security controls be put in place around the vendor?
• Should a replacement be found for the vendor?
• Is there a way to avoid the risk posed by the vendor to the organization?
• Does the benefit derived from using the vendor outweigh the risk posed to the organization by the vendor?
• Can agreements with the vendor be renegotiated in order to meet the organization’s security and functionality needs?

Although this process is relatively simple, the organization can derive great benefit from undertaking it. In the present business climate, information security cannot be taken too seriously.

We all are a little overwhelmed by the complexity and difficulty of securing our private information against attackers such as cybercriminals and nefarious nation states. It seems that attacks come at us from all sides on a regular basis. One way we cope with this is to outsource our cybersecurity needs to third-party organizations that have staff who perform such services as network monitoring or security patching for a number of client organizations. Another way is to employ third-party security applications that provide such services as email security and data loss protection. We trade our money for their time and expertise.

And there is nothing wrong with that in a lot of ways. The people that form and work for these organizations are able to concentrate their efforts on specific aspects of information security, and often have a great depth of understanding of their particular subjects. Using them or their applications certainly will save you time and can also save you money. However, it is ironic that the very act of allowing such organizations and applications to connect to your networks is a great risk to your private information and systems in and of itself. So, in a way, by trying to simplify your risk management problems, you are actually increasing the attack surface available to cybercriminals, thereby making your cybersecurity problems even more complex and unwieldy.

A big problem is that, despite our best efforts, risk can never be totally eradicated; risk can only be lessened. This is the result of Order and Chaos and the very nature of reality. So even when a cyber-service provider is conscientious and diligent in their security efforts, they can still be compromised. And when they are, there is a good chance that their clients will be compromised as well. Unfortunately, no matter who was responsible for the compromise, you or your organization have the ultimate responsibility for the security of your own information or assets. This creates a no-win situation; you lose, your customers lose, and the service provider loses.

A current example of this is the LastPass hack that occurred sometime in August according to the company. Although details are sketchy, the latest information shows that the breach was massive and exposed encrypted password vaults as well as other user data. The company announced that hackers were able to copy a backup of customer vault data from the encrypted storage container. This means that these hackers have had months to try to guess the master passwords for these vaults. With time, cracking these passwords becomes more and more likely. This creates a huge hassle for clients who now have to change all their passwords and ensure that two-factor authentication is enabled wherever possible. It also has created a huge reputational hit for LastPass. Many information security professionals are even recommending that their clients dump LastPass.

So, what can we do to protect ourselves from the dangers of service provider compromise? The answer is that there is no perfect solution. The best thing we can do is be constantly aware of the situation and put no trust in our hope that the service providers we employ will not be compromised. We need to examine each service provider we use and ask ourselves if we really need the app or service. If we can get by without, then dump that provider. The less service providers we have, the smaller the attack surface we present to the outside world. We also need to do risk assessment of our current and prospective service providers to see how competent and stable they are, and to determine the impact we would experience if compromise did occur. In addition, we need to develop incident response procedures to help us minimize negative impacts that we can foresee, and practice our responses so that we are quick and competent if the incident occurs. Forewarned is forearmed!

Data is the mountain of unorganized fact that inhabits our computer systems and networks. It is analogous to unrefined ore in mining: we mine ore and then process it until we end up with useful metals. Similarly, we mine our computer networks for raw data and process it until we end up with useful information.

It is amazing what information we can glean from seemingly innocent and unrelated facts! People can combine bits of data and deduce who we are, where we live, how we shop, how many kids we have and a plethora of other information that we don’t really want to be common knowledge. This is true not only on the personal level, but on the business and government levels as well. Hence the rise of laws like GDPR, the California Consumer Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act and the Colorado Privacy Act. We can expect more privacy and data protection laws from more states and countries in the future. To address these problems, it is very important for organizations to develop and maintain a data management policy and the processes necessary to carry it out.

Among the most important of these processes is data inventorying. A data inventory (or data map) should fully describe the data asset and should include such information as the data’s name, contents, ownership, classification (sensitivity level), retention factors, origin, and other considerations that are important to the organization. Setting up such an inventory may be a daunting task, but once in place, will greatly simplify complying with regulatory requirements and other data management tasks. Along with data inventorying, it recommended that data flows should be tracked. Knowing what data you have and where and how it flows across the network is vital to protecting it.

Another important consideration in data protection is ensuring access to specific data is limited to only those individuals with a legitimate need for that access. This is where access control lists come into play. Access control lists should be strictly maintained and reviewed regularly. It is important to adjust these lists immediately when individuals change jobs within the organization, quit or are terminated. It is also highly desirable to employ strong access controls such as MFA to ensure that the person who is accessing protected data is indeed the person they claim to be.

Another way to protect data is through the use of encryption. Encryption is highly effective in protecting data if it is implemented correctly. Data should be encrypted when at rest and when it is being transmitted across networks. This is especially important in keeping ransomware attacks from becoming devastating. Even if attackers gain access to private data on your system, encryption means they can’t actually read it. This limits their attack to availability only, and eliminates compromise of confidentiality, which can save the organization from regulatory and legal penalties. Strong encryption algorithms should be employed, and a usable and secure key management system should be employed. Encryption keys should be among the most highly protected data assets you have, and ideally should be air-gapped from the rest of the network.

Data backups should be made regularly depending on business requirements of the organization. Backups should be stored in more than one location and should be protected as diligently as information on your production network. Backups of sensitive data should be encrypted and tested on a regular basis.

In addition, access to sensitive data, it’s modification and disposal should be logged and monitored. This should include access to encryption keys and security logs themselves. Protecting and managing data is not easy, but will provide your organization with a bounty of advantages that could help your reputation and save you time and money in the long run.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was adopted in March of 2022 and is an outgrowth of the National Infrastructure Protection Plan (NIPP) that has been around since 2013. What this means to organizations that are covered critical infrastructure entities it that they will be required to report cyber incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) in a very short time frame. Specifically, these organizations must:

• Report any “covered cyber incident” within 72 hours of determining that the incident has occurred to the CISA
• Report issuance of a ransomware payment to the CISA within 24 hours
• Provide CISA with supplemental information when substantial or new information regarding the incident becomes available to the entity

A question that immediately occurs to one upon reading these requirements is, what is a “covered cyber incident” under CIRCIA? Covered cyber incident under this law must meet any one or all of the following criteria. A covered cyber incident causes or creates:

• “Substantial loss of confidentiality, integrity, or availability” in information systems or “serious impact on the safety and resiliency” of operations
• “Disruption of business or industrial operations,” including service denials, ransomware attacks, or exploitation of “zero-day vulnerabilities)”
• “Unauthorized access or disruption of business or industrial operations” from the loss of services facilitated through or caused by a third-party data hosting provider or supplier

What business sectors are considered critical infrastructure in the U.S.? Critical infrastructure includes the following 16 sectors:

1. The Chemical sector
2. The Commercial Facilities sector
3. The Communications sector
4. The Critical Manufacturing sector
5. The Dams sector
6. The Defense Industrial Base sector
7. The Emergency Services sector
8. The Energy sector
9. The Financial Services sector
10. The Food and Agriculture sector
11. The Government Facilities sector
12. The Healthcare and Public Health sector
13. The Information Technology sector
14. The Nuclear Reactors, Materials and Waste sector
15. The Transportation Systems sector
16. The Water and Wastewater Systems sector

So, how are you to know if your organization is included under this new law? That is being determined now by the CISA. To define a covered entity under the law, they are considering three factors:

1. The consequences that a particular cyber incident might have on national or economic security, public health and safety
2. The likelihood that the entity could be targeted for attack
3. The extent to which an incident is likely to disrupt the reliable operation of critical infrastructure

These criteria not only cover critical infrastructure organizations, they cover organizations that support the security and resiliency of critical infrastructure.

Luckily, organizations in this sector will have some time to get ready for these new requirements. The deadline for the publication of the Notice of Proposed Rulemaking is not until March 15, 2024, and the deadline for issuance of the Final Rule is slated for September 15, 2025. My advice is to take advantage of this time and prepare!