For other enterprises an important lesson is to ensure that third parties have no way to reach those portions of the network, he advised. "Microsegmentation of your environment, as well as many other tools designed to keep traffic from co-mingling, can stop or at the very least, slow down an attacker, giving your security teams valuable time to detect and respond to an incident," he said.
While it's not possible to avoid third parties, Javvad Malik, security advocate at AlienVault, said there are many fundamental security practices that can help mitigate the risks. Examples include:
- Knowing your assets - by understanding your assets, particularly critical ones, it becomes easier to determine which systems third parties should have access to, and to restrict them to those.
- Monitoring controls - having in place effective monitoring to determine whether third parties are only accessing systems they should and in a manner they should. Behavioral monitoring can help in this regard by highlighting where activity falls outside of normal parameters.
- Segregation - by segregating networks and assets, one can contain any breaches to one specific area.
- Assurance - proactively seek out regular assurance that the security controls implemented are working as intended.
Jeremy Koppen, FireEye principal consultant, said there are four security controls that should be discussed regarding third-party access:
- Assign a unique user account to each vendor user to better monitor each account and identify abnormal activity.
- Require two-factor authentication for access to applications and resources that could provide direct or indirect access to the internal network. This protects an organization in case the vendor's user credentials are compromised.
- Restrict all third-party accounts to only allow access to systems and networks required.
- Disable all accounts within the environment upon termination of the third-party relationship.
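The monitoring controls Malik describes and the four controls Koppen lists above can be checked mechanically against access logs. The following is an added example (not code from the article or from any of the vendors quoted) that audits a constructed sample log against a constructed per-account policy of allowed systems and contract end dates; the account names, systems and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed policy: one unique account per vendor user, the systems that
# account may reach, and the date the third-party relationship ended/ends.
VENDOR_POLICY = {
    "vendor-acme-alice": {"systems": {"ticketing-portal"}, "contract_end": "2099-12-31"},
    "vendor-acme-bob":   {"systems": {"ticketing-portal"}, "contract_end": "2014-01-15"},
}

# Constructed sample access log: (timestamp, account, source_ip, system, mfa_used)
SAMPLE_LOG = [
    ("2014-02-01T09:12:00", "vendor-acme-alice", "203.0.113.5",  "ticketing-portal", True),
    ("2014-02-01T09:40:00", "vendor-acme-alice", "203.0.113.5",  "finance-db-01",    True),
    ("2014-02-01T10:05:00", "vendor-acme-bob",   "198.51.100.7", "ticketing-portal", False),
    ("2014-02-01T10:20:00", "vendor-acme-alice", "192.0.2.9",    "ticketing-portal", True),
]

def audit_third_party_access(log, policy):
    """Return (account, finding) pairs for log entries that violate the policy."""
    findings = []
    sources = defaultdict(set)  # account -> set of source addresses seen
    for ts, account, src, system, mfa in log:
        rule = policy.get(account)
        if rule is None:
            findings.append((account, "unknown third-party account"))
            continue
        # Koppen control 4: accounts must be disabled once the relationship ends.
        if datetime.fromisoformat(ts) > datetime.fromisoformat(rule["contract_end"]):
            findings.append((account, "access after contract end; account should be disabled"))
        # Koppen control 3 / Malik segregation: only the systems the vendor needs.
        if system not in rule["systems"]:
            findings.append((account, f"access to {system} outside allowed scope"))
        # Koppen control 2: two-factor authentication on every vendor login.
        if not mfa:
            findings.append((account, "login without two-factor authentication"))
        sources[account].add(src)
    # Koppen control 1: a unique account seen from several addresses in one day
    # is a behavioural signal worth review (shared or compromised credentials).
    for account, ips in sources.items():
        if len(ips) > 1:
            findings.append((account, f"logins from {len(ips)} source addresses; review for shared or compromised credentials"))
    return findings

if __name__ == "__main__":
    for account, finding in audit_third_party_access(SAMPLE_LOG, VENDOR_POLICY):
        print(f"{account}: {finding}")
```

The multi-address check is a coarse heuristic; in practice it would be tuned with the baseline of normal activity that behavioural monitoring establishes.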
In the enterprise application development world, Jerbi sees many companies being caught off guard by third-party use of emerging technologies such as virtual containers. If a company is using containerized applications from a third party, that application should be vetted for container-specific security risks such as vulnerabilities in container images, hard-coded secrets and configuration flaws.
Baker said there are plenty of best practices to look for when choosing a vendor: how transparent is their security? Do they have third-party security testing? Do they share the results of that testing? "In the end, choosing a secure vendor alone won't necessarily prevent another Target, but it will prevent the third-party firms you work with from being the weak link," he said.