Going Viral: The Challenges and Urgency of Managing Third-Party Risk

WHITE PAPER

Going Viral

More than 50 years ago, Bob Thomas at BBN Technologies wrote the Creeper program, regarded by many as the world’s first computer virus. Named for the Scooby Doo cartoon villain,1 Creeper was an experiment – a program that was deployed in an isolated environment to examine the potential and behavior of a self-replicating piece of code.

Creeper was an innocuous program in a confined system. But as we know too well, subsequent computer viruses have become increasingly malicious and sophisticated, using their ability to self-replicate and pass infections from host to host to plague organizations on a global scale.

Today, the term “computer virus” covers the broad category of modern cyber threats – malware, bugs, spyware, Trojan horses, bots, viruses, worms, etc. These are the vehicles that threat actors use to spread infection by exploiting a host’s internal information security weaknesses and publicly recognized common vulnerabilities and exposures (CVEs) in software, hardware, or infrastructure.

Modern cyber threats such as data breaches and attacks can have significant productivity and financial effects on the business, ranging from unexpected system downtime and business interruption to system damage and data loss.

Managing these code-driven threats becomes more challenging and urgent as businesses expand their ecosystems – and their attack surface – through their reliance on third parties. Business leaders recognize the exposure: 62 percent note that it is difficult to control indirect cyber attacks that are targeted at their organization but initiated through partner organizations.2

As a result, cyber threats – and the vulnerabilities they exploit – are top concerns for modern organizations worldwide.


Risky Exposure

Over the past decade, as technology has continued to advance, the threat landscape has become more aggressive and sophisticated. It is not surprising, then, that the number of reported vulnerabilities and infections has increased year over year.

Vulnerabilities are weaknesses, for instance in an application’s code, that create a security gap – one that can be exploited by a cyber threat (virus) or threat actors. Some are internal exposures, others are publicly recognized and reported CVEs. In the past few years, the numbers of CVEs – as well as their severity – have seen marked increases.

In 2017, an average of 40 vulnerabilities per day was reported, up from 17 per day the previous year.3 In 2018, the annual volume of vulnerabilities reached an all-time high of 16,555 CVEs (see Table 1),4 indicating an environment of unprecedented risk for organizations around the world.

These rising trends are expected to continue and it is clear that – regardless of industry, size, or geographic location – no modern organization is immune to vulnerabilities or cyber threats.

Table 1. Vulnerabilities Are on the Rise4 (chart of the number of vulnerabilities by year; not reproduced here)


Despite the increasing volume of reported CVEs, it is important to look at how many of them can actually be exploited, since those are the ones that pose the highest risk to an organization. According to Gartner, the number of vulnerabilities exploited during the past decade has remained flat (see Table 2), indicating that “more threats are leveraging the same small set of vulnerabilities.”5

In addition, not all exposures apply to every organization. For instance, some vulnerabilities are inherent only in a particular industry, or may exist in an application or software that an organization isn’t even using.

Understanding the context of CVEs in terms of if and how they apply to an organization, their exploitation potential and severity, and the impact to the business if exploited can help organizations prioritize and address their exposures internally – as well as assess the security risks associated with third-party providers.

Table 2. Number of Vulnerabilities Exploited During the Past Decade5 (chart of the number of vulnerabilities by year; not reproduced here)

Existing Vulnerabilities: Indicator of Poor Cybersecurity Hygiene

Interestingly, the vulnerabilities and infections that persist and continue to pose the most risk actually are ones that the security industry has known about for a year or more.

According to Gartner, “99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.”5

But if a weakness for infection is known and remediable, why does it persist?

The Padding Oracle On Downgraded Legacy Encryption (POODLE) exploit provides a helpful explanation.

POODLE is a man-in-the-middle exploit: it takes advantage of Internet and security software clients’ fallback to SSL v3.0,6 and it lets attackers exploit a weakness in the protocol on any server and client that supports SSL v3.0.

This vulnerability was disclosed publicly in October 2014, more than four years ago. Browser and web server vendors corrected the exposure by removing support for SSL v3.0 and provided updated versions of their products to their customers.

These measures should have eradicated POODLE on a global scale. Yet POODLE is still detected today in approximately 50 percent of the organizations that BitSight tracks, and it has a CVSS v3.0 base score of “medium.”7 (See call-out box, What Is CVSS?)

What Is CVSS?

“The Common Vulnerability Scoring System (CVSS) is a published standard that provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

When translated into a qualitative representation (low, medium, high, and critical), the numerical score helps organizations properly assess and prioritize their vulnerability management processes.”7

CVSS Score Ranges (graphic of the 0 to 10 scale in one-point bands; not reproduced here)


POODLE’s presence in a modern environment likely is driven by several factors, all the result of poor security hygiene. Some organizations may not have implemented the updated software versions provided by the manufacturers, or are falling short on other maintenance best practices.

Another possibility is that SSL v3.0 is being enabled intentionally in some cases, since removing SSL v3.0 on a legacy system could impact its functionality or shut out users. Both scenarios contribute to the persistence of this older known vulnerability as a viable risk, and compound the risks posed by current CVEs.

BitSight data shows that POODLE isn’t the only vulnerability organizations are failing to remediate (see Table 3). More than 24 percent of the organizations BitSight monitors have an average remediation time of two years; 38 percent take one year to remediate; and 46 percent take six months.

The range of data indicates that the window for those vulnerabilities and infections to continue to plague organizations (through third-party relationships or their own infrastructure) can be many years.

Table 3. The Persistence of Vulnerabilities Over Time (chart of the percentage of curated entities affected, on a log scale, against years since publication date, broken out by CVSS v3.0 base score: low, medium, high; not reproduced here)

Digital Transformation: More Outsourcing Means A Broader Attack Surface

Organizations collectively spend millions of dollars each year in efforts to eliminate a vulnerability or infection from their own systems. Even more budget goes toward improving internal cybersecurity best practices and strengthening security posture.

Still, vulnerabilities and infections persist and new ones are discovered each day. Now a new market dynamic is broadening the organization’s attack surface and the spread of known vulnerabilities and infections – a reliance on third parties.

Today, 70 percent of organizations have a “moderate” to “high” dependency on external organizations (3rd, 4th, 5th parties).8

While the business opportunities of extending the organization’s ecosystem to an external provider may be significant, outsourcing to a third party who has vulnerabilities or an infection puts the organization at risk of exposure or even being infected through shared IT connections and data transfers.

It is difficult enough for organizations to keep their own internal vulnerabilities in check, and even more challenging to ensure that every vendor across their supply chain has strong security practices in place. Eighty percent of business leaders say that protecting their companies from “weaknesses in third parties is increasingly difficult given the complexity of today’s sprawling Internet ecosystems.”2

That protection, though, is becoming more urgent as cyber security incidents involving third parties continue to increase.

According to one recent study, 59 percent of organizations said they have experienced a data breach caused by one of their vendors or third parties.9

In fact, there have been several high-profile indirect exposures. In 2018, for instance, a data breach that impacted nearly 5 percent of Ticketmaster’s global customer base was caused by maliciously manipulated code created by the company that develops its customer support software. In another case, an industrial automation services vendor’s poorly protected data transfer protocol led to a breach that put 157 GB of data at risk, including the vital trade secrets of major automotive manufacturers such as GM, Ford, Tesla, Toyota, and Volkswagen.10


Limited Visibility Makes It Difficult to Assess Risk

As we mentioned, organizations invest heavily in solutions that help them manage vulnerabilities and infections across their own environments. These solutions are well-established.

Adding external providers to the ecosystem, though, introduces additional vulnerabilities. Yet only 15 percent of organizations have taken basic steps to protect against threats coming through third parties.11

Why hasn’t there been more investment in managing the risk associated with an organization’s third parties or supply chain?

It comes down to visibility.

Internally, an organization has the tools and data access it needs in order to diagnose, respond to, and remediate a vulnerability or infection in its systems. But when it comes to another organization’s environment, it becomes more challenging.

The organization’s visibility into its third parties’ security policies, vulnerabilities, and threats is limited: 64 percent of large organizations and 67 percent of smaller organizations have no visibility into the risks in their third parties’ environments.11

Unless a vendor allows an organization to do an onsite assessment or install vulnerability management solutions within its environment, the critical security information resides behind closed doors. Thirty-six percent of organizations rely on externally observable data sources to determine the risks of their third parties.11 These may include security ratings, external network scans, threat intelligence feeds, and independent assessments such as SOC 2 attestations and ISO 27001/ISO 27018 compliance that define point-in-time internal security controls and processes.

Providers who examine this data, such as BitSight, are able to inform an organization of the vulnerabilities and infections across their supply chain. According to BitSight data, all of which is externally observable, of the organizations continuously monitored by BitSight:

• 52.15 percent have at least one vulnerability with a CVSS rating of 4+

• 3.25 percent have at least one vulnerability with a CVSS rating of 7+

• 3.03 percent have at least one vulnerability with a CVSS rating of 9+

Although these statistics are not confirmation that a vulnerability actually exists, they provide enough data to require further vendor assessment and monitoring. Having this perspective across all third-party organizations enables the risks they pose to be monitored on a global scale.
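As an added illustration (not from the white paper and not BitSight’s own tooling), the Python sketch below applies the prioritization factors named earlier (applicability, exploitation potential, severity, time since publication) and the threshold statistics above to a constructed set of vendor findings. The qualitative bands follow FIRST’s published CVSS v3.0 scale; the vendor names, CVE identifiers, scores, dates and exploitation flags are made up for the example.

```python
from dataclasses import dataclass
from datetime import date

AS_OF = date(2019, 3, 1)  # assumed observation date for the constructed sample

def cvss_qualitative(score: float) -> str:
    """Map a CVSS v3.0 base score to FIRST's qualitative rating (none/low/medium/high/critical)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"

@dataclass(frozen=True)
class Finding:
    vendor: str
    cve: str          # placeholder identifiers, not real CVE numbers
    cvss: float       # CVSS v3.0 base score
    published: date   # public disclosure date of the CVE
    exploited: bool   # exploitation seen in the wild (constructed flag)
    applies: bool     # the affected product is actually used in this vendor relationship

    def age_years(self, as_of: date = AS_OF) -> float:
        return (as_of - self.published).days / 365.25

def vendor_share_with_score_at_least(findings, vendors, threshold):
    """Percent of monitored vendors with at least one finding scoring >= threshold."""
    hit = {f.vendor for f in findings if f.cvss >= threshold}
    return 100.0 * len(hit) / len(vendors)

def vendor_share_with_finding_older_than(findings, vendors, years, as_of=AS_OF):
    """Percent of vendors still carrying a CVE published more than `years` ago (Table 3 style)."""
    hit = {f.vendor for f in findings if f.age_years(as_of) > years}
    return 100.0 * len(hit) / len(vendors)

def prioritize(findings, as_of=AS_OF):
    """Risk-based worklist: known-exploited first, then severity, then how long it has lingered."""
    relevant = [f for f in findings if f.applies]  # drop CVEs in products the relationship never touches
    ranked = sorted(relevant, key=lambda f: (f.exploited, f.cvss, f.age_years(as_of)), reverse=True)
    return [f.cve for f in ranked]

SAMPLE_VENDORS = ["vendor-a", "vendor-b", "vendor-c", "vendor-d", "vendor-e"]
SAMPLE_FINDINGS = [  # constructed data; vendor-e has no observed findings
    Finding("vendor-a", "CVE-SAMPLE-0001", 4.3, date(2014, 10, 14), True, True),
    Finding("vendor-a", "CVE-SAMPLE-0002", 9.8, date(2018, 6, 1), False, True),
    Finding("vendor-b", "CVE-SAMPLE-0003", 7.5, date(2018, 1, 10), True, True),
    Finding("vendor-c", "CVE-SAMPLE-0004", 2.1, date(2017, 5, 1), False, True),
    Finding("vendor-c", "CVE-SAMPLE-0006", 8.8, date(2018, 9, 1), False, False),
    Finding("vendor-d", "CVE-SAMPLE-0005", 5.0, date(2016, 2, 1), False, True),
]

if __name__ == "__main__":
    for t in (4.0, 7.0, 9.0):
        print(f"{vendor_share_with_score_at_least(SAMPLE_FINDINGS, SAMPLE_VENDORS, t):.2f}% of vendors have a CVSS {t}+ ({cvss_qualitative(t)}) finding")
    print(f"{vendor_share_with_finding_older_than(SAMPLE_FINDINGS, SAMPLE_VENDORS, 2):.0f}% of vendors still carry a CVE older than 2 years")
    print("worklist:", prioritize(SAMPLE_FINDINGS))
```

Note that the share statistics count every externally observed finding, as a ratings provider would, while the worklist drops findings that do not apply to the relationship; the two views answer different questions.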


Limiting Exposure

With the acknowledgment that vulnerabilities and infections continue to persist, and reliance on third parties expands the organization’s attack surface, it’s safe to say that third-party risk management (TPRM) no longer is an option; it is a requirement for organizations to protect their reputation, intellectual property, data, and competitive advantage.

Yet many organizations are unsure where to begin.

Of those that have a TPRM program in place, many lack confidence in their approach, and 65 percent rate their program as less than highly effective.9

Compounding the complexities of restricted visibility and limited influence over an external entity’s security policies, only 37 percent of organizations have sufficient resources to manage third-party relationships,9 which helps to explain these statistics:

• 56 percent do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information12

• Only 34 percent keep a comprehensive inventory of all of their third parties9

It is clear that more due diligence is needed in order to mitigate exposure to third party risk.

“Where to begin” though, depends on many, often disparate factors. Each company, for instance, is unique in its requirements for managing third-party risk, its available resources, even the size of its vendor population.

Despite the organizational diversity, there are some aspects of effective third-party risk management that are common to any effort. These include the use of objective and reliable tools such as security ratings which are vital to limiting exposure to third-party risk. Our ebook, An Expanding Attack Surface: 5 Tips to Manage Third Party Risk, offers five highly actionable best practices that are foundational to any effective TPRM program.

Whether an organization has one vendor or thousands, often the hardest part of managing third-party risk is just getting started. But it also is the most important.



REFERENCES

1 https://www.techspot.com/trivia/130-what-first-computer-virus/

2 https://www.accenture.com/_acnmedia/Thought-Leadership-Assets/pdf/Accenture-Securing-the-Digital-Economy-Reinventing-the-Internet-for-Trust

3 https://www.welivesecurity.com/2018/02/05/vulnerabilities-reached-historic-peak-2017/

4 https://www.cvedetails.com/browse-by-date.php

5 https://www.databreachtoday.com/whitepapers/gartner-report-vulnerability-management-via-risk-based-approach-w-4810

6 https://en.wikipedia.org/wiki/POODLE

7 www.first.org/cvss/

8 https://www.slideshare.net/DeloitteUS/as-organizational-reliance-on-third-parties-increases-extended-enterprise-risk-management-to-be-a-focus-in-2019

9 https://www.marketwatch.com/press-release/opus-ponemon-institute-announce-results-of-2018-third-party-data-risk-study-59-of-companies-experienced-a-third-party-data-breach-yet-only-16-say-they-effectively-mitigate-third-party-risks-2018-11-15

10 https://www.darkreading.com/attacks-breaches/6-eye-raising-third-party-breaches/d/d-id/1332522?image_number=5

11 https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf

12 https://cdn2.hubspot.net/hubfs/2575983/Ponemon_report_Final%20(1).pdf


About BitSight

BitSight transforms how organizations manage information cybersecurity risk with objective, verifiable and actionable Security Ratings. Founded in 2011, the company built its Security Ratings Platform to continuously analyze vast amounts of data on security issues. Seven of the top 10 largest cyber insurers, 25 percent of Fortune 500 companies, and four out of the top five investment banks rely on BitSight to manage cyber risks. For more information, please visit www.BitSight.com, read our blog or follow @BitSight on Twitter.

BitSight, 111 Huntington Avenue, Suite 2010, Boston MA 02199, +1.617.245.0469. © 2019 BitSight. All Rights Reserved.

BitSight Security Ratings Can Help You Manage Your Third-Party Risk. Learn How.

www.BitSight.com/security-ratings-vendor-risk-management