Go ahead and add “Develop a better security strategy” to your list of New Year's resolutions. In addition to dissecting recent cyberattacks, we go in-depth on vendor risk management and why it's critical to your security posture.

1. Cyberattacks and Vendor Risk
Management
Chris Goettl and Phil Richards
January 23, 2020

2. Agenda Items
 That’s a mean Curveball
 Microsoft seizes domains, sues North Korean hackers
 Ransomware recovery gone seriously wrong
 The essential guide to vendor risk management

3. Curveball
• Overhyped or Serious Threat?
• This vulnerability can bypass
trusted security features
• Proof of concepts available
• Threat actors could use trusted
vendors to take advantage of this
• We’ll dive more into vendor risk
management here in a second

4. Situation Analysis Recommendations
Exploit Type:
Exposure: Attack Vectors:Impact:
Phishing Education
Application Control
Microsoft is suing a pair of Thallium workers, accusing them of
targeting U.S. companies with a spear fishing campaign utilizing
BabyShark, and KimJongRat malware to access information relating
to nuclear proliferation and human rights. Microsoft is asking orgs with
Thallium domains to hand over credentials to their sites.
Social Engineering
Microsoft v. North Korean Hackers
50+
Thallium
domains,
government,
higher ed
Data and
credentials likely
stolen
Email, social
media, fake
websites
Multi-factor Authentication
Continuous Vulnerability Management

6. Situation Analysis Recommendations
Exploit Type:
Exposure: Attack Vectors:Impact:
Application Control
An Arkansas-based telemarketing firm laid off more than 300 workers
before Christmas after recovery efforts from a recent ransomware
attack didn’t go as planned. The CEO of The Heritage Company said
they paid threat actors for a key to get their data back, but recovery
didn’t go as planned.
Ransomware Attack
Company shutters due to ransomware
300
Employees out
of work
Data Loss,
Loss of
Business-Critical
Systems
Undisclosed
Ransomware
Incident Response Plan
Backup and Restore (Recovery)
Continuous Vulnerability Management

7. Why is Vendor Risk Management a Concern?
• 2013 data breach
• Over 40 million credit card
numbers
• Settlement for $18.5M
• Total estimate cost of breach
$202M
• Attacker entered through the
HVAC Vendor

8. What Risks do Third Party Vendors Pose?
• Regulatory Compliance breaches, especially in highly regulated
verticals (Government, Finance, Healthcare, etc)
• Privacy Law infringement (HIPAA, PHI, GDPR)
• Legal issues like lawsuits, class actions, loss of work or termination of
relationships
• Information security and data security risks
• Loss of intellectual property

9. Privacy is a growing concern! Are Third Parties exposing you
to risk?
Data firm got its hands on 50 million Facebook users’ information—
and then reportedly lied about deleting it.

10. VRM is a journey, not a destination.
VRMMM from Shared Assessments

11. Vendor Information Gathering
• Who is a part of your approval process?
• Requestor’s Manager, Security, IT, Privacy Officer, HR, Legal, etc
• Preliminary Information:
• Relationship Manager
• Description of services vendor provides
• Primary vendor-contact information
• Expected length of contract
• Additional Due Diligence will vary based on nature of the partner. If
the relationship requires access to Data & Product Code, access to
core business applications, etc.

12. Vendor and Partner Classification
• Classification of partners by type of relationship and level of access to
sensitive data or systems.
• Is the partners access custodial? Example an HVAC vendor. In this case the
partner should be limited in access to company systems or data.
• Does the partner require access to sensitive systems or data? Example Managed
Service Provider handling customer payments.
• The level of due diligence and frequency of evaluation of relationship
or audit of the partner will be dependent on this classification.

13. Vendor and Partner Classification Example

14. Risk Assessment of Vendors or Partners
• Vendors should be assessed on a frequency based on their tier.
• Assessments may take the form of a basic questionnaire or could
require more in depth site tour, audit, or additional certifications or
third party evaluations.
• Assess vendorpartners use of adequate security controls
• Assess vendorpartners compliance with regulatory frameworks or privacy acts
(HIPAA, PCI, GDPR, Privacy Shield, etc)
• Assessment will be assigned a grade and may result in additional follow up by
Security or additional due diligence requirements to be met

15. Risk Assessment Frequency Example

16. Due Diligence and Third-Party Selection
• Tier IV partners may require very little external due diligence, but
internal due diligence may still be necessary.
• Tier II and Tier III partners may be handled by questionnaires and by
providing adequate certifications or documentation.
• Tier I vendors may require more in depth evaluation including site
visits, third party auditsassessments, certifications (FedRAMP, SOC,
Common Criteria, etc)
• Reputation of the Third Party and who may have done independent
assessments of the Third Party warrant scrutiny.

17. A Good Reputation Doesn’t Remove Risk
Who is in your wallet? Former Amazon employee with specialized knowledge was
able to access Capital One and other AWS customers through a misconfigured
web application firewall.

18. When Nation States Clash
Binding Operational Directive 17-01
September 13, 2017
Removal of Kaspersky-branded Products

19. And Speaking of Geo Political Curve Balls
On June 27th, 2017 a Nation State funded threat actor called Sandworm
launched an attack using a sophisticated ransomware called NotPetya. This
attack was targeted at the Ukraine and utilized a piece of software call M.E.Doc
which is the Ukrainian equivalent of TurboTax as a backdoor to spread across
the nation across all services and industries in a coordinated ransomware attack.

20. Q&A

21. Get the latest updates at: ivanti.com/ThreatThursday
Thank You!