They say that an organization is only as secure as its weakest link. That's true, but it's important to consider the "links" that lie outside the organization. Indeed, partners can be one of the biggest security threats an organization faces.
Hollywood films have long presented computer hackers in an unrealistic way. These films always seem to show some elite hacker effortlessly breaking into a seemingly impenetrable system in a matter of seconds.
Real life is, of course, very different from the way that it is so often portrayed in the movies. Hacks against hardened systems take time, and often must traverse on-prem and cloud systems. Perhaps more importantly, seasoned hackers typically do not try to break into their ultimate target straight away. Instead, a hacker will more often begin by simply trying to gain access to a seemingly insignificant system on the target network. This allows the hacker to establish a presence on the victim’s network. From there, the hacker may spend some time gathering information, and watching administrative and user behaviors, before attacking another seemingly insignificant system. The hacker’s goal is to make small gains until he or she is eventually in a good position to take over the ultimate target.
The important takeaway from this method is that before hackers can compromise network servers, they need a point of entry into the network. This point of entry can be almost anything. It could be an insecure Web application, an IoT device, a network workstation that has not been properly secured, any of the above, all of the above, and more.
It’s the security administrator’s job to keep these and other systems from being exploited as a point of entry. Large, enterprise-class organizations spend vast sums of money ensuring that the resources on their networks are as secure as possible. Systems are hardened, and users are subjected to burdensome measures, all in the name of keeping the organization secure.
Given the effort and attention that enterprise organizations put into their cyber defenses, a hacker may decide that the best way to attack the organization is to leverage resources that are outside of the organization’s direct control. In some cases, this may mean attacking a partner organization in an effort to gain entry into the primary target organization.
Nearly every large organization depends on various partner organizations. These partner organizations may include vendors, distributors, outside legal counsel and more. These partner organizations, by their very nature, are often far smaller than the organizations that they serve. The food services provider that keeps an enterprise's employee cafeteria running, for example, might itself be an SMB.
The reason why this is so important is that while an enterprise-class organization might have a multimillion-dollar cybersecurity budget, an SMB-class organization probably does not. In fact, an SMB might not even have a dedicated IT staff. From a hacker’s perspective, it is going to be far easier and less risky to hack into a small business than to hack into a major enterprise.
This raises the question of whether a partner organization can give hackers the foothold needed to gain entry into the organization that they are actually targeting. The answer is that it depends on the organization’s policies, procedures and relationship with the partner organization.
A hacker might not have much to gain by hacking into the company that runs an organization’s employee cafeteria. However, a supplier who provides parts to a manufacturing facility might make a worthwhile target.
Depending on the partner organization’s function, some of its employees might be given credentials that can be used to log into the enterprise network. Similarly, some enterprises have been known to establish Active Directory trusts with partner organizations. In the case of the supplier that provides parts to a manufacturing facility, a hacker might be able to circumvent the manufacturing facility’s endpoint defenses by hacking into its supplier instead of hacking into one of the facility’s own systems.
Interestingly, the security challenge that is presented by partner organizations really isn’t all that different from the security challenges that arose as a result of the so-called BYOD revolution. At that time, trusted users demanded to be able to work from untrusted, personal devices. IT professionals have largely addressed this challenge by requiring device enrollment. The enrollment process applies security policies to user devices that the users probably never would have applied by themselves. Similarly, BYOD devices are sometimes confined to operating only on certain network segments or accessing specific resources.
Like employees who are working from personal devices, employees in partner organizations are essentially trusted users who are accessing an enterprise network by way of an untrusted device. Enterprise IT should shore up its defenses by requiring partner organizations to adhere to certain minimum security standards and enforcing device-level security in a manner similar to that implemented for BYOD users.