What’s Missing in Third-Party Risk Assessments
Assessments are important. You’d be hard pressed to find any cybersecurity professional who would argue they aren’t needed, but the problem with third-party risk assessments is that they are far from comprehensive. Understanding the hygiene and potential vulnerabilities of an organization is incredibly important. But it doesn’t reveal the full picture.
A point-in-time assessment of an organization is not enough because it doesn’t offer an exhaustive understanding of the risks. There are dynamic, and often undetected, problems specific to malware delivered by extremely sophisticated and versatile threat actors. These actors not only have the ability to gain access to an organization, they also lurk undetected for extended periods of time. That’s the problem, and that’s the blind spot of a point-in-time risk assessment.
The Flaws of Third-Party Assessment
In order to figure out what malicious actors are doing once they get in, you need pattern analysis. Simply trying to identify the potential for exploitability doesn’t go far enough, which is why third-party risk can’t be treated like a pen-testing problem. What is needed is real-time visibility into the threats that are lurking in third-party ecosystems. That visibility isn’t possible with assessments and penetration testing. Why? There are a couple of reasons.
First, you have to point and train your crosshairs to look at a specific organization, but you may not even understand exactly what surface you are looking at. To really be effective, you need to know whether what you are seeing is only the tip of the iceberg versus the whole picture. It’s possible what you’re looking at isn’t even the right organization. That sounds somewhat outlandish, but it actually happens a lot.
Let’s consider an alternative scenario: you know what you are looking at and you are able to give an all-clear. You might think, “They’ve done a great job with patching! The survey came back great. The CISO says they do everything for patch management to the T. They are in compliance. They are in good shape!”
What you don’t see is the activity from six months ago, when there was an infestation and malware was beaconing from an IP range that belongs to the organization. Given the strong possibility that the malware got there through a phishing expedition, a risk assessment won’t reveal any exploitation of a vulnerability. But something is still there; it’s just been dormant for months.
How to Determine a Supplier Risk Score
Using only a vulnerability assessment and gauging the potential for exploitability misses an entire dimension of risk. If you are looking for the possibility of a web server being exploited because it’s running an old version of IIS or Apache, that’s bad. What’s worse, though, is that some threat actors have been able to infiltrate and lurk in ways that are very stealthy: quiet, and outside the pattern of things that can be recognized by the organization’s security tools. All the while, the malware is successfully communicating with an adversary.
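The kind of pattern analysis the article calls for looks at behaviour over time rather than at a snapshot. As an added example that is not from the original post, the script below scores outbound connection records for the metronomic timing that distinguishes a scheduled beacon from bursty human-driven traffic; the flow records, hosts and addresses are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records: (timestamp_seconds, src_host, dst_ip).
# All addresses and hosts are hypothetical and not taken from the article.
FLOWS = (
    # Host A: a perfectly timed beacon every 30 minutes for six hours (12 events).
    [(t, "10.20.5.17", "203.0.113.9") for t in range(0, 6 * 3600, 1800)]
    # Host B: a jittered beacon, roughly every 30 minutes with a few minutes of noise.
    + [(t, "10.20.5.23", "203.0.113.9") for t in
       (0, 1750, 3620, 5380, 7210, 9030, 10790, 12600, 14400, 16150)]
    # Host A: ordinary bursty web traffic to an unrelated host.
    + [(t, "10.20.5.17", "198.51.100.40") for t in
       (15, 170, 900, 4000, 4020, 12000, 13500, 13510, 13540)]
    # Host C: two connections, far too few to judge regularity.
    + [(30, "10.20.5.31", "203.0.113.9"), (31, "10.20.5.31", "203.0.113.9")]
)


def beacon_candidates(flows, min_events=8, max_cv=0.2):
    """Return (src, dst) pairs whose inter-connection gaps are unusually regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections. Human-driven traffic is bursty, so cv is high;
    a timer-driven beacon, even with jitter, keeps cv close to zero.
    Pairs with fewer than min_events connections are skipped: a handful of
    connections cannot establish a periodic pattern either way.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            findings[pair] = {"events": len(stamps), "period_s": round(period), "cv": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for pair, info in beacon_candidates(FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}: {info}")
```

In practice the same scoring runs over months of flow or proxy logs, which is how the dormant, low-and-slow activity described above shows up even when the vulnerability survey is clean.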
Current third-party risk assessments are founded on two main things. The first is asking the organization how they are doing. In this case, you have to take them at their word. The second founding principle is to say, “I can only take you at your word to a certain degree, so I’m going to do my own level of testing to assess the level of vulnerability here.”
Historically, third-party risk assessments have ended there. In order to assess the risk and be able to authentically apply an acceptable ‘score’ to your suppliers, vendors and partners, you need to have visibility into their Stages of Compromise.