Third party threat!

Illustration:

A company named "example pvt ltd" has outsourced their development/Infra(IT) to third party vendors eg "example consultancy". If an attacker want to hack "example ltd" then he could enter through the "example consultancy".

Reasoning:

As we can see an attacker can enter through third party organizations , we need to re-assess our organization policies with respect to third party vendor verifications. Consider this real time incident: One of the Indian prestigious organization(Manufacturing) has opened bids for the "supplying of PLC" to their motors. If an attacker want to hack this company, then they can bid very low price to get that tender. Now the tender scope says that "Vendor should also give computer along with the electrical material". This is a serious issue. Any company can insert some hardware chip insider computer which can send entire data to their servers. May be the prestigious organization has secured their computers and networks but we don't know about the third party organizations. Finally the prestigious billion dollar organization can be compromised by hacking their third party vendors and entering through it. Similar example showcased in "Tom Clancy's Jack Ryan" where military people allowed third party vendors to import dead bodies, an attacker enters into military base as a dead body and exploit inside to rescue their leader.

Conclusion:

It's always important to remember that trust cannot assure security. Security needs proper assessments such as creating isolated network, giving less privileges, auditing every communication and even verifying the employees who work behalf of all third party vendors.

Impressum

RebornInfosec

I have planned this blog to express my view on Information security and will try to learn/help from/for other security minds. All views expressed here are strictly from personal view. This blog is neither an organization nor affiliated to any organization with respect to the blog posts.

Varun Kondagadapa

Hi.. Myself Varun Kondagadapa and I am Information Security Specialist having 2+ years of experience in Securing organizations. From startups to MNC I have work experience in all scales of Infra.

Write your comment…

Be the first one to comment