Third Party Risk Management (TPRM)

Does the concept of Attack Surface Management vs. Attack Surface Analysis make sense to you?

Top Answer: Speaking from a security standpoint the two terms mean different things and they should be distinguished. Attack Surface Analysis is an analysis of the number of exploitable vulnerabilities. It can be used by both sides to discover weaknesses in a system. You start by scanning the target for vulnerabilities and then checking which ones have exploits available, and you choose the attack vector. OWASP has an attack surface analysis cheat sheet. Attack Surface Management is the process of discovering/reconnaissance, inventorying, classification and monitoring of the systems. This is more on the offensive (attacker) side point of view. You are looking at what IT assets are exposed inside the organization and to the internet.
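As an added illustration of the Attack Surface Management steps the answer lists (inventory, classification, monitoring), the following Python is example code written for this page, not taken from the answer or from OWASP. The host names, addresses and the two discovery snapshots are constructed, and the list of management ports treated as noteworthy when internet-facing is an assumption. It classifies each discovered service by exposure, then diffs two discovery runs to report newly exposed services, which is the monitoring part of the process:

```python
"""Minimal attack-surface inventory: classify discovered services by exposure
and report what changed between two discovery runs (the monitoring step).
Example code for this page; all hosts, addresses and snapshots are constructed."""
import ipaddress
from dataclasses import dataclass

# Internal address space listed explicitly. ipaddress.ip_address(...).is_private
# also treats documentation ranges such as 203.0.113.0/24 as private, which
# would misclassify the sample public hosts below.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Assumption: administrative services that warrant a finding when reachable
# from the internet. Adjust to the organization's own policy.
MANAGEMENT_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


@dataclass(frozen=True)
class Service:
    host: str
    ip: str
    port: int
    proto: str


def exposure(svc):
    """Classify a service as 'internal' or 'internet' by its address."""
    addr = ipaddress.ip_address(svc.ip)
    return "internal" if any(addr in net for net in INTERNAL_NETWORKS) else "internet"


def inventory(services):
    """Inventory and classification: group services by exposure class."""
    groups = {"internet": [], "internal": []}
    for svc in sorted(services, key=lambda s: (s.host, s.port)):
        groups[exposure(svc)].append(svc)
    return groups


def diff_snapshots(previous, current):
    """Return (added, removed) services between two discovery runs."""
    prev, curr = set(previous), set(current)
    key = lambda s: (s.host, s.port)
    return sorted(curr - prev, key=key), sorted(prev - curr, key=key)


def findings(previous, current):
    """Monitoring: newly internet-exposed services, management ports facing
    the internet, and services that disappeared since the last run."""
    out = []
    added, removed = diff_snapshots(previous, current)
    for svc in added:
        if exposure(svc) == "internet":
            out.append(f"NEW internet exposure: {svc.host} {svc.ip}:{svc.port}/{svc.proto}")
    for svc in current:
        if exposure(svc) == "internet" and svc.port in MANAGEMENT_PORTS:
            out.append(f"management service ({MANAGEMENT_PORTS[svc.port]}) on internet: "
                       f"{svc.host} {svc.ip}:{svc.port}")
    for svc in removed:
        out.append(f"no longer reachable: {svc.host} {svc.ip}:{svc.port}/{svc.proto}")
    return out


# Constructed snapshots (203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for public addresses).
LAST_WEEK = [
    Service("www", "203.0.113.10", 443, "tcp"),
    Service("db01", "10.0.5.20", 5432, "tcp"),
    Service("jump", "10.0.1.5", 22, "tcp"),
]
TODAY = [
    Service("www", "203.0.113.10", 443, "tcp"),
    Service("www", "203.0.113.10", 22, "tcp"),         # ssh newly opened on the web host
    Service("db01", "10.0.5.20", 5432, "tcp"),
    Service("vendor-gw", "198.51.100.7", 8443, "tcp"),  # new third-party appliance
]

if __name__ == "__main__":
    for cls, svcs in inventory(TODAY).items():
        print(cls, [f"{s.host}:{s.port}" for s in svcs])
    for line in findings(LAST_WEEK, TODAY):
        print(line)
```

In practice the snapshots would come from a scanner or cloud inventory API rather than a literal list, and the point of keeping the previous run is that the interesting output is the delta, not the full inventory.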

What do you hope the lasting impact of Log4j will be?

Top Answer: I hope the lasting conversation is around the supply chain itself. We keep forgetting that the internet is not inherently secure because it's open source. It's written by people in the same way that bespoke code is, so it's just as likely to be vulnerable. And that’s underpinning most of what we've built at this point — what are we doing about that? That is where the narrative has shifted. Talking to CISOs is like talking to policymakers. We’re seeing stuff come out of DC around how to legislate open source being secure, which is absurd, but it’s the right conversation to have. The focus has moved away from that specific vulnerability to why that happened, and how we can get better at preventing that from happening again. We need to realize that the internet is just a stack of turtles that are supported by one and a half people in North Dakota, because that's the truth of it. We rely on a lot of different software packages and systems that look a lot like Log4j. So it's not just about this particular piece of code and what it can do. It's about all the other stuff around it. How are we thinking about that from a risk management standpoint? It's an interesting time to be having that conversation because the pandemic has revealed to the average person how supply chains work and what they look like when they’re broken. This is not that different. It's conceptually a bit more abstract for non-technologists to get their head around, but it's quite similar.

What makes operational technology (OT) particularly vulnerable to cyber attacks?

Top Answer: PLCs and other 30-year-old equipment are running Windows CE or Windows 95, which can't be changed. You can't put EDR on them because it doesn't take an agent, so what do you do? You either have to take it off the network, put it in its own VLAN or segment it off the network to keep it from talking to anything. I always hear that the bad guys are just sitting in your network waiting, and it frustrates the heck out of me. That's why I came to Air Gap because we ring-fence every device on the network, and we're doing that for operational technology (OT) environments. But another factor is that at many manufacturing companies, there's an OT team and an IT team that are in conflict with each other all the time. The OT lead will say, "The IT team doesn't get it because our machines are running protocols that no longer exist in the IT world." OT is running ISA cards in the machines and IT is telling them to upgrade to USB. But OT says, "No, because that will break the manufacturing line and then it will be your fault when production is down." It's an interesting problem to solve: how can we get IT and OT to start working together, or be one group? It's not easy.

Are people still looking at Log4j code, or has everyone moved on from it?

Top Answer: I'm surprised that the roar over Log4j has dulled and gone quiet. I expected it to go on much longer than it did, and thought I would have seen a lot of security bug folks looking at the code even closer and finding a lot more issues than what’s been published. It’s almost like an afterthought now.

When cybersecurity incidents result from your third- or fourth-party providers, who ends up taking liability?

Top Answer: Sometimes companies have a third-party assessment organization that is responsible for managing its vendor relationships. Somewhere along the way, there could be a finding against that third party for their own failures. And there would likely be a contract penalty or clause that needs to be exercised in order to put them back in good graces. I'm not very knowledgeable about how those third-party assessment programs work. There are a lot of challenges with third parties because, how do you trust, but verify what a third party says to you about the security of their environment and the processes that they use? They can tell you that they patch, monitor and respond but there's a point where you can't verify that without being onsite, or on their network. 

How does third-party risk complicate your operations?

Top Answer: In a past role, there was malware that appeared on our network and we weren't sure how it got there at first. It was wormable and it had propagated itself to a number of systems. After investigating, we found our patient zero: a network sniffer that was portable. The sniffer was maintained by the network engineering team who had a contract with a third party. The third party would have these portable sniffers sitting on a shelf and they would ship them out to wherever they were needed. And they had a fourth party that was responsible for maintaining the image on those devices. They would get re-imaged each time they got sent back. But the fourth party had a malware compromise in their environment, so when they rebuilt the appliance on their network, it had the malware propagate to it. So that was a fun conversation to have with both the third and fourth party because we had to tell them, "You need to clean up your stuff."

Do you think your company does enough due diligence when performing vendor risk assessments?

Top Answer: Yes, our security team (part of risk mgmt, rather than IT) is heavily involved in the process. We've got a questionnaire and documentation requests relating to PII and PCI data, backups, business continuity and such. The biggest thing I'd say we lack is a platform to manage the vendors since right now it's manually done by our finance team on their network share.

We are about to select Dow Jones RiskCenter Third Party API for screening of our business partners. Has anyone already experienced it? Any advice?

Top Answer: Sorry, I have not had any interaction with Dow Jones RiskCenter, nor used their Third Party API. 
