Helping a customer analyze their portfolio of vendors not too long ago I saw quite clearly the advantages of a standardized question set and assessing as many vendors as possible. While this strategy allows for very complex analytics across both individual assessments, benchmarking across industries, and finding interesting patterns in how hackers and exploits work in varying environments, it also lends itself to some simple solutions. Things start to light right up, simple facts become easy, and there’s low hanging fruit for mitigation efforts.
A question stood out right away with some basic analysis (no it wasn’t “what is the matrix?”<grin>) The question was: do you implement data in use (memory) protection? The lack of implementation of this control across an important sector of financial services pointed to a systemic weakness within an ecosystem of these similar businesses. Since many of the newer infamous exploits like Notpetya and Spectre use weaknesses in this particular control to gain a foothold, it is pretty much a no-brainer to emphasize coming up with a mitigation strategy with your vendors to protect this area of architecture as a group.
Another simple find was to sort the vendors by the number of high-risk gaps based on known attack vectors in their industry. It’s a simple thought that lack of security implementation in the most vulnerable areas creates even more risk, and that idea is an additive one, the more missing controls you have in critical areas, the more risk you have. Lack of complexity does not lessen the elegance of reducing risk in the easiest way possible by requiring those who are not really trying to control risk to do better. That standardized question set made this discernment a simple one.
A final simplistic catch is that with a good tool you can see the logical inconsistencies in a standardized question set. By looking at the common sense of how a vendor (or a whole group of vendors) answers questions you can see a lot. It is astounding to me how many people who say they have good configuration management, patch management, or a good virus definition update program will also admit to not having good asset management, or not logging all the various types of endpoints on their networks. How can someone tell what is vulnerable when they don’t even know what they have in their architecture and whether or not it is in good enough repair to report on itself? It becomes just a finger-crossed hope that they are keeping everything in their environment secure, because the truth is without good asset management they really don’t know!
Some obvious keys here are to standardize the questions we assess with, make sure we assess as many vendors as possible, and really compare the answers to the assessments both internal to the individual vendor and across as many other assessments in that industry as we can. In this world of ever-increasing complexity, interdependence, and technology reliance across all of our business relationships it is important to remember that not every problem (or solution) is complex. Sometimes just taking a common sense look at the data you accumulate can give straightforward, actionable steps to mitigating vendor security risk.
THIRD PARTY RISK SPECIALIST – SME SECURITY CONTROLS