Third-Party Vendor Security
Security
March 14, 2024
Third-party vendors and service providers used by businesses and organizations continue to be targets of threat actors to conduct substantial cyberattacks. These providers may serve as an entry point for threat actors to target multiple organizations with social engineering campaigns, deliver ransomware, and breach sensitive data. Many organizations depend on third-party providers, which, in turn, implies that security is only as strong as the security protections those third parties have put in place to protect data and privileged access. Additionally, threat actors have been quick to develop exploits of newly identified vulnerabilities.
Unpatched software services exploited in both private and public networks can lead to subsequent attacks, resulting in multiple downstream victims. For example, the MOVEit data breach subsequently impacted over 136 organizations, including third-party banking technology services, IMS systems , and the National Student Clearinghouse (NSC), impacting nearly 900 schools and thousands of students and staff. Additionally, a ransomware attack impacting Change Healthcare, one of the largest healthcare technology companies in the US, crippled pharmacies across the nation, including military pharmacies , CVS Health, and Walgreens, causing a significant backlog of unprocessed prescriptions. American Express also suffered a data breach after a third-party service provider engaged by numerous merchants experienced unauthorized access to its systems.
According to the National Security Agency (NSA), traditional network security has emphasized a defense-in-depth approach; however, most networks primarily invest in perimeter defense. Once inside the network perimeter, end users, applications, and other entities are often given broad access to multiple corporate resources. Ideally, organizations should manage, monitor, and restrict internal and external traffic flows. The NSA recently published a cybersecurity information sheet highlighting the need for internal and perimeter defense security controls under the Zero Trust security model, including implementation recommendations.
The NJCCIC recommends that organizations adopt a third-party management program, implement security protections and controls provided in the NJ Statewide Information Security Manual, and review the NJCCIC product Supply Chain: Compromise of Third-Parties Poses Increasing Risk. We also advise users to conduct cybersecurity training for employees, keep systems patched and up to date, and maintain cybersecurity best practices, including physical security.
Additionally, organizations are urged to implement a defense-in-depth strategy, segment networks, apply the Principle of Least Privilege, enable multi-factor authentication (MFA) where available, encrypt sensitive data at rest and in transit, use a virtual private network (VPN), create and test continuity of operations plans and incident response plans, and establish a comprehensive data backup plan that includes performing scheduled backups regularly, keeping an updated copy offline in a separate and secure location, and testing regularly. Furthermore, the This is Security post “Supply Chain Security” provide users with information on the risks associated with the supply chain and potential cascading impacts of cyberattacks.
Users who suspect their personally identifiable information (PII) has been compromised should review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources. If victimized, report the activity to the respective platform or entity, local police department, the FTC, the FBI’s IC3 , and the NJCCIC.