R-CISC BLOG

Third Party Vendor Risks

The threat landscape has transformed significantly over the last decade. As organizations have invested in security controls, tools and personnel to combat threats, threat actors have found other ways to infect systems and ultimately compromise organizations. As a result, threat actor groups have begun to target third-party vendors. Organizations rely heavily on their third-party vendors for improved profitability, faster time to market, competitive advantage, and decreased costs. However, third-party relationships come with multiple risks, which threat actors have leveraged to target organizations.

Retail Sector Third Party Vendor Breaches:

Over the last couple of months, the retail sector has observed a number of third-party vendor compromises affecting large big-box retailers. Earlier this week, software provider Inbenta’s live chat widget was compromised and used to deliver malicious software to Ticketmaster users. The malicious software logged and exfiltrated customer details. The data breach included names, addresses, email addresses, telephone numbers, payment details, and Ticketmaster login details. A couple of months prior, a similar breach affected software provider [24]7.ai’s live chat widget and was used to breach Sears, Delta, and BestBuy.

Overview

These small-company-to-large-enterprise breaches are the result of smaller shops not having the necessary security controls in place to ensure that their data and their partners’ data is secured at all times. The focus on the business is always on the service being rendered and making sure the service is of the highest quality, performance and, uptime. The administration of daily business affairs follows as the next priority— with trust put into the contractors and internal IT teams that all configurations are set with the utmost care to ensure consistent performance. Information security is the last priority. These business service concepts are especially true when it comes to the recent new wave of tech startups which are basing their entire models on lightweight, rapid development and deployment of automated business services.

Conclusion

A continuous communication loop between security teams of partner organizations is essential for the positioning of an effective defensive security posture. When business is being conducted on a large scale, there is a mutual interest in maintaining the integrity of all transactions and related customer data. Ongoing assessment of external resources, internal devices, continuous monitoring of the hacker underground, and a culture of security awareness creates an ecosystem where threats can be identified, remediated, and then collaboratively prevented. All parties should share the responsibility of protecting their resources and establish a collaborative workflow for the execution of action based on incoming threat intelligence.

Learn More at the Summit on Third-Party Risk brought to you by the Global Resilience Federation:https://r-cisc.org/events/events_detail/third-party-risk/ ‎

 

 

 

 

Sources:

https://www.bleepingcomputer.com/news/security/ticketmaster-announces-data-breach-affecting-5-percent-of-all-users/

https://www.communitybankingconnections.org/articles/2017/i1/third-party

https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/working%20papers/46_third_party_risk.ashx

https://www.metricstream.com/insights/best-practices-third-party-mgmt-program.htm