Third-party Risk Assessments, Current Challenges
How we helped our client make wise business decisions to protect their sensitive assets
A methodological approach is required to evaluate the third-party vendor and uncover potential integration risks. This case study highlights a few priority key points that should be considered during a third-party vendor assessment.
Overview
As a consulting company specializing in penetration testing we are trained to find the weakest link in a third party vendor and compromise it. By doing so, we help our customers make wise business decisions that will protect their systems and sensitive assets.
​
Over the past few years, we have tested hundreds of the industry’s finest vendors for third-party risks on our customers' behalf. We perform these reviews to harden their security posture from the emerging threat of supply chain attacks. Today, attacks are more prevalent than ever before. For example, according to a Forrester report, in 2020 alone, 94% of organizations suffered a cyber attack.
​
When assessing 3rd-party vendors for security risks, it is common practice to review their security questionnaire.
​
When a company asks a vendor to fill out this questionnaire, it tries to understand their security practices and cyber security maturity and the potential impact of using them on the company’s attack surface. Therefore, it is essential to consider the vendor’s internal security practices and the security of the systems of the vendor, and data to which the vendor will have access.
​
Having said that, when evaluating some vendors, the questionnaire may suffice. However, one may require more scrutiny when testing Tier 1 vendors with access to customer data or critical resources.
One of the biggest problems when assessing a vendor through a security questionnaire is the difficulty of validating the answers. Often, as Alfred Korzybski succinctly stated, “the map is not the territory, and the word is not the thing”.
Semantics aside, how do we uncover the truth? The following case study will shed light on how we deal with this problem to assist our clients and prevent them from making potentially catastrophic mistakes.
​
Case Study
Lessons learned
So what can one do?
A methodological approach is required to evaluate the third-party vendor and uncover potential integration risks. Here are a few priority key points that should be considered during a third-party vendor assessment:
​
-
The devil is in the details
Ask questions and audit problematic answers. If something is missing in the questionnaire or intentionally was avoided - you should ask about it.
-
Evaluate the vendor’s type
Is the provided service on-prem or external?
-
Evaluate the vendor’s technologies
Is the third-party vendor using vulnerable components or tools?
-
Evaluate and classify the data exchanged between parties
What data will the parties transfer? Is it considered sensitive? Does it contain personally identifiable information or financial data?
-
Evaluate the technological integration with the vendor
A few weeks ago, we assessed a prominent vendor in the telecommunications industry. Their on-premise software-based solution aims to ease the process of backing up and recording phone calls within organizations.
At first glance, the reported security questionnaire was flawless. The vendor had all the required certifications, an excellent penetration testing report summary, a robust and secure development life-cycle methodology, and a strong network and physical security posture. All boxes checked!
However, the questionnaire did not disclose the hidden risks of the integration itself with the vendor’s solution. No, a totally different approach was required to understand these!
While it may seem laborious, every component should be manually inspected and analyzed while considering multiple aspects of best practices and the customer’s requirements.
After manually inspecting the entire operation flow and each component, we identified several supply chain risks.
For example, the vendor had not secured their software update processes. Instead, they were conducting them manually with no file verification or integrity. As a result, our customer was at risk of malicious software updates via file execution.
Additionally, the service included multiple untracked and not regularly updated open-source tools. Therefore, the vendor is vulnerable to different types of CVEs, one of which was a Java component vulnerable to a Log4Shell exploit.
This vulnerability significantly impacted the integration as it raised the issue of risk mitigation, such as network segmentation and possibly applying a patch management system to handle susceptible components.
All these risks remained hidden when looking at the questionnaire alone.
When we perform an integration assessment, we look at the technical level of the integration implemented with the vendor, what technology stack the vendor relies on, and the integration risks.
Finally, we deliver specific recommendations on how to mitigate the risks involved with using this vendor.
In sum, one cannot base a third-party risk assessment on reviewing questionnaires and scanning results alone. The devil is in the details of the integration and the vendor's day-to-day operations, which may create a surprising risk where least expected.
Contact us for more information.