Third Party and Vendor Management in new age of Cyber Island Hopping
As threats have changed and evolved, so have the methods used to compromise and monetize invoicing and ACH systems and business processes. Most of the time these new methods use e-mail and the Business Email Compromise (BEC) technique to get accounting departments to pay fake invoices or to change ACH (Automated Clearing House) banking information such as routing and account numbers. This is how bad actors, aka hackers, have made large sums of money tricking businesses into giving them money.
The first paragraph describes some well-documented methods used by hackers, and these types of business attacks usually go unreported because the amounts involved may not meet a business's standard for a material breach. I truly believe that billions of dollars every year simply vanish from the economy due to fake invoices. Sometimes you can avoid these issues with really good security awareness training; however, hackers have found creative ways to trick even the most well-trained employees. The latest method involves compromising the cloud e-mail accounts of companies your business does business with and using that trusted account to send fake invoices to your company's accounts payable department. Your business does not have a compromised or breached network, but if you pay the invoice you become the victim of what is termed an island hopping attack. This attack vector can be very hard to detect and defend against.
So the question security professionals are struggling with is: how do you assess, and what remediation can be done with regard to, the third parties you do business with? Many security tech companies are selling solutions that claim to address this problem; however, in most cases they only solve part of the issue. You can do security assessments of your third-party vendors, but this can be very expensive, and who will do the work? Do you really want to pay your expensive security experts to do this type of work? Can you really afford not to address or defend against this type of attack? Most articles I read these days do not give answers on how to address the complicated attack vectors I have described up to this point.
One idea to solve the issue would be to use SharePoint Online and assign each vendor a user ID your company controls, then require MFA (multi-factor authentication) to access the area you assign for the vendor to drop off invoices. A secured drop-off location such as this can also incorporate workflows that help accounting ensure that invoices are processed in a timely manner, or at least carry notes describing any issues. Accounting managers now have a process that is easier to manage and operate, and the IT department can easily remediate and reset an account to cut off an attacker who happens to compromise one. No e-mail is involved in this solution, which eliminates an attack vector. You always have to account for exceptions, such as what to do with a vendor who is waiting to be set up on the system. Being flexible and ready to adapt the process is also key! Review the process at least once a year. Cloud providers such as Microsoft, Amazon and Google also provide great logging tools that help monitor such processes. NOTE: Remember to monitor administrator activities, because if an admin account gets compromised, these additional protections will not help.
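As an added illustration (not part of the original post) of what the monitoring side of this drop-off process can look like, here is a small review script over constructed audit events. The JSON shape, vendor account names and folder paths are assumptions for the example, not the real SharePoint Online or Microsoft 365 audit schema; it flags vendor sign-ins without MFA, uploads outside a vendor's assigned folder, and admin actions on vendor accounts.

```python
import json

# Company-controlled vendor IDs mapped to the only folder each may upload into.
# Names and paths are constructed for this example.
VENDOR_FOLDERS = {
    "vendor-acme@corp.example": "/sites/AP/Invoices/Acme",
    "vendor-globex@corp.example": "/sites/AP/Invoices/Globex",
}
# Administrative actions on a vendor account that always go to a reviewer,
# since a compromised admin bypasses the MFA and folder controls entirely.
ADMIN_ACTIONS = {"ResetUserPassword", "DisableStrongAuthentication", "UpdateUser"}

# Constructed audit events in a simplified JSON-lines shape (assumed format,
# not the real Microsoft 365 audit log).
SAMPLE_LOG = """
{"time":"2024-03-01T08:02:11Z","actor":"vendor-acme@corp.example","action":"UserLoggedIn","target":"","mfa":true}
{"time":"2024-03-01T08:03:40Z","actor":"vendor-acme@corp.example","action":"FileUploaded","target":"/sites/AP/Invoices/Acme/INV-1042.pdf","mfa":true}
{"time":"2024-03-01T09:15:02Z","actor":"vendor-globex@corp.example","action":"UserLoggedIn","target":"","mfa":false}
{"time":"2024-03-01T09:16:55Z","actor":"vendor-globex@corp.example","action":"FileUploaded","target":"/sites/AP/Invoices/Acme/INV-1043.pdf","mfa":false}
{"time":"2024-03-01T11:30:00Z","actor":"admin@corp.example","action":"ResetUserPassword","target":"vendor-acme@corp.example","mfa":true}
""".strip()


def review_events(log_text):
    """Return a list of (time, actor, reason) findings for a human reviewer."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        actor, action, target = ev["actor"], ev["action"], ev["target"]
        if actor in VENDOR_FOLDERS:
            # Rule 1: the MFA requirement must hold on every vendor sign-in.
            if action == "UserLoggedIn" and not ev["mfa"]:
                findings.append((ev["time"], actor, "vendor sign-in without MFA"))
            # Rule 2: a vendor ID may only write into its own drop-off folder.
            if action == "FileUploaded" and not target.startswith(VENDOR_FOLDERS[actor] + "/"):
                findings.append((ev["time"], actor, f"upload outside assigned folder: {target}"))
        elif action in ADMIN_ACTIONS and target in VENDOR_FOLDERS:
            # Rule 3: admin changes to vendor accounts are reviewed, per the NOTE above.
            findings.append((ev["time"], actor, f"admin action {action} on vendor account {target}"))
    return findings


if __name__ == "__main__":
    for finding in review_events(SAMPLE_LOG):
        print(*finding)
```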
https://cloudtweaks.com/
Remember, solutions have to fit the company and allow it to keep producing revenue. Don't be the guy above, just sayin'!
I am in no way saying you should not get a risk score for your third-party vendors; there are plenty of tech companies that can help with that process. These scores may help identify other weaknesses that a vendor in your supply chain may have and allow you to develop processes to eliminate or reduce the risks. Your risk and security team can assist with understanding the risk scores and then developing solutions. After all, that is why you hired an information security professional who is skilled and certified, correct?
In conclusion, today's threats in many cases still involve tricking users, not some fancy tech like the malware you see in the movies that lets the hacker take over the world. Sometimes solutions can be creative and lead to better security, with a level of risk reduction that will be acceptable to most SMBs or even major corporations. Most companies have the tools to address many threat vectors such as island hopping, but lack the well-trained information security professional to reduce the risks. So my recommendation is to hire a trained, certified information security professional: one who can help lead your company to a lower risk threshold and save you millions of dollars in the future, because you will be a slim target with a well-trained and prepared IT staff that a hacker will simply avoid because you are too much trouble. The hacker will simply slip by to the next business that decided to ignore this recommendation and left its doors and windows open.