Data integration, data sharing, and APIs have driven recent advances in digital innovation and customer experience. Consumers expect instantaneous response to their service requests, and leveraging multiple data sources is key to delivering the experience they demand. Data sharing also facilitates supplier, contractor, and subcontractor relationships. When not effectively governed, however, providing third parties with access to privileged sites and information can expose companies to greater risk of data theft, with all the financial and reputational costs such breaches bring.
Unfortunately, this is a growing problem. 59% of respondents in a 2017 survey said their organization had experienced a data breach caused by one of their vendors, up 7% from the previous year.[1] 23% said they had suffered a data breach caused by a contractor to one of their vendors (an Nth party).
Troubling, but not shocking
The growing risk of a data breach from third party access is troubling, but not surprising.
It turns out that three of the 2017 OWASP Top Ten relate to data access.
OWASP Top Ten: #2 – Broken authentication
This web security risk arises from incorrectly implemented authentication and session management functions. The simplest examples of this weakness are storing user credentials without encryption and allowing credentials that are easily guessed. Other examples include placing session IDs in the URL and allowing unreasonably long session timeouts.
The risk of a third party mishandling their credentials to your privileged systems is always there. The more third parties, the greater the risk one of them will slip up.
[1] Data Risk in the Third-Party Ecosystem, Second Annual Study, September 2017. Independently conducted by Ponemon Institute LLC.
OWASP Top Ten: #3 – Sensitive data exposure
Many web technologies weren’t designed to handle financial or personal data transfers. When data is stored or transferred as plain text, when older or weaker encryption is used, or when data is decrypted carelessly, bad actors can take advantage. Wireless routers, with their notoriously poor data protections, are one known weak point. Researchers recently found that the cryptography protecting WPA2, the industry standard, exposes data and allows it to be read or manipulated as it’s wirelessly transferred.
Third parties with access to sensitive data may not handle it appropriately, leading to greater exposure. One way this can happen is when a third party houses sensitive data in misconfigured cloud storage, such as Amazon S3. An S3 bucket that is publicly exposed allows anyone with an Internet connection to access the data inside it. Such exposed buckets have caused major data breaches when bad guys found them.
OWASP Top Ten: #5 – Broken access control
This risk emerges through improper enforcement of what authenticated users are allowed to do. Access control, or authorization, is the mechanism used by web apps to determine which users should have access to specific content, data, or functions. Sometimes, gaining unauthorized access is as simple as manually entering an unlinked URL in a browser, such as http://example.com/admin. As with other vulnerabilities, attackers can gain access to (and modify) data, accounts, and functions that they shouldn’t.
Third-party access can exacerbate this risk if a bad actor hijacks a third party’s credentials and then exploits your poorly configured authorization to steal data.
Third party related breaches: causes and trajectory
Poor governance of third-party access, and poor visibility into who has access, contribute to the growth of this risk area. Only a minority of companies (16%) in the recent Ponemon survey said they audit the security practices of the third parties they do business with. Even fewer, 13%, require third parties to provide a self-assessment.[2]
The situation is worse for so-called Nth parties: vendors and contractors to a company’s vendor. Only 18% of survey respondents know how their data is being used by these once-removed vendors.
[2] Data Risk in the Third-Party Ecosystem, Second Annual Study, September 2017. Independently conducted by Ponemon Institute LLC.
While factors like lack of accountability to the Board and fragmented departmental oversight contribute to the problem, the leading cause is lack of resources. Again, troubling but, given the growth in partnering and data sharing, not shocking.
How hacker-powered security helps
Hacker-powered security programs like HackerOne Bounty let you focus tens to thousands of security researchers on the precise systems you care about most. Through careful design of the program page and bounty table, which tells hackers how much they will be paid to find different types of vulnerabilities in different systems, you can concentrate the HackerOne community on hardening the applications, authentication, and access control systems that third parties use.
Of course, even the most mature security posture on your part won’t protect you from sloppiness by a third party. But it can limit the damage should a breach occur.
To address the security practices of vendors and others with whom you share sensitive data, logging and tracking who has access is an important first step. Whenever you discontinue work with a given vendor or partner, be sure to shut off their data access as a routine business process.
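An added example (not the post's own code) that ties together the broken access control described under OWASP #5 and the access-tracking and offboarding practice above: a toy access register with a request handler that treats any valid login as authorized (the "type the unlinked /admin URL" case) beside one that checks the route's required scope and whether the vendor that brought the identity is still engaged. All users, vendors and routes are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample model (not from the page): identities are tracked by vendor, routes declare a required scope.
@dataclass
class Principal:
    user: str
    vendor: str          # "internal" for the company's own staff
    scopes: frozenset    # what this identity may do

@dataclass
class AccessRegister:
    """Log of who has access, through which vendor, and whether that vendor is still engaged."""
    active_vendors: set = field(default_factory=set)
    principals: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def grant(self, p: Principal):
        self.active_vendors.add(p.vendor)
        self.principals[p.user] = p
        self.audit_log.append(("grant", p.user, p.vendor))

    def offboard_vendor(self, vendor: str):
        """Routine step when work with a vendor ends: revoke every identity it brought."""
        self.active_vendors.discard(vendor)
        revoked = [u for u, p in self.principals.items() if p.vendor == vendor]
        for user in revoked:
            del self.principals[user]
            self.audit_log.append(("revoke", user, vendor))
        return revoked

ROUTE_SCOPES = {"/reports": "reports:read", "/admin": "admin"}

def handle_request_vulnerable(register, user, path):
    """Broken access control: any valid login reaches /admin just by typing the URL."""
    return "200 OK" if user in register.principals else "401 Unauthorized"

def handle_request(register, user, path):
    """Hardened: require a live grant, an engaged vendor, and the route's scope."""
    p = register.principals.get(user)
    if p is None or p.vendor not in register.active_vendors:
        return "401 Unauthorized"
    needed = ROUTE_SCOPES.get(path)
    if needed is None or needed not in p.scopes:
        return "403 Forbidden"
    return "200 OK"

def build_register():
    r = AccessRegister()
    r.grant(Principal("alice", "internal", frozenset({"reports:read", "admin"})))
    r.grant(Principal("bob@vendor-a", "vendor-a", frozenset({"reports:read"})))
    return r
```

The vendor user reaches /admin through the vulnerable handler but gets 403 from the hardened one, and once the vendor is offboarded both handlers refuse it, with the revocation recorded in the audit log.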
Requiring all vendors to provide a security self-assessment is another great step. If they are not sufficiently secure, encourage them to look into a bug bounty program as a cost-effective way to harden their applications.
If you’re like most businesses, you have an extensive (and growing) network of partners and vendors with which you share data, some of it sensitive. Getting a handle on how well these third parties protect this data, and who else they may be sharing it with, is a security must.
Downloading the HackerOne Third Party Risk Checklist is a great first step to shoring up this emerging attack surface.