Cybersecurity and Third-Party Risk: Third Party Threat Hunting


The secret is out: If you want to obtain protected data as a hacker, you do not attack a big company or organization that likely has good security. You go after a third party that more likely does not. Companies have adopted the equivalent of how car owners deter thieves: make your car look difficult enough to break into that thieves move on to the automobile with its doors unlocked and keys in the ignition. When a burglar sees a car with an alarm, they know they can keep looking and eventually find a target that isn't so well protected. Exploiting the weakest link is not new. A bank robber could go to the bank to steal money, but a softer target would likely be the courier service that brings the money into and out of the bank.
  • Learn what the risk is and how to assess the cyber risk.
  • Step-by-step guide on how to create a cyber-focused third-party risk management program without having to be a cyber or risk management expert.
  • Create a mature cyber-focused third-party risk management program that is predictive and less reactive.
  • Learn how to secure your data in a vendor's cloud and how to secure your software supply chain.

Author(s): Gregory C. Rasner
Edition: 1
Publisher: Wiley
Year: 2021

Language: English
Pages: 480

Cover
Title Page
Copyright Page
(ISC)²
About the Author
About the Technical Editor
Acknowledgments
Contents
Foreword
Introduction
Who Will Benefit Most from This Book
Special Features
Chapter 1 What Is the Risk?
The SolarWinds Supply-Chain Attack
The VGCA Supply-Chain Attack
The Zyxel Backdoor Attack
Other Supply-Chain Attacks
Problem Scope
Compliance Does Not Equal Security
Third-Party Breach Examples
Third-Party Risk Management
Cybersecurity and Third-Party Risk
Cybersecurity Third-Party Risk as a Force Multiplier
Conclusion
Chapter 2 Cybersecurity Basics
Cybersecurity Basics for Third-Party Risk
Cybersecurity Frameworks
Due Care and Due Diligence
Cybercrime and Cybersecurity
Types of Cyberattacks
Analysis of a Breach
The Third-Party Breach Timeline: Target
Inside Look: Home Depot Breach
Conclusion
Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk
The Pandemic Shutdown
Timeline of the Pandemic Impact on Cybersecurity
Post-Pandemic Changes and Trends
Regulated Industries
An Inside Look: P&N Bank
SolarWinds Attack Update
Conclusion
Chapter 4 Third-Party Risk Management
Third-Party Risk Management Frameworks
ISO 27036:2013+
NIST 800-SP
NIST 800-161 Revision 1: Upcoming Revision
NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks
The Cybersecurity and Third-Party Risk Program Management
Kristina Conglomerate (KC) Enterprises
KC Enterprises’ Cyber Third-Party Risk Program
Inside Look: Marriott
Conclusion
Chapter 5 Onboarding Due Diligence
Intake
Data Privacy
Cybersecurity
Amount of Data
Country Risk and Locations
Connectivity
Data Transfer
Data Location
Service-Level Agreement or Recovery Time Objective
Fourth Parties
Software Security
KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire
Cybersecurity in Request for Proposals
Data Location
Development
Identity and Access Management
Encryption
Intrusion Detection/Prevention System
Antivirus and Malware
Data Segregation
Data Loss Prevention
Notification
Security Audits
Cybersecurity Third-Party Intake
Data Security Intake Due Diligence
Next Steps
Ways to Become More Efficient
Systems and Organization Controls Reports
Chargebacks
Go-Live Production Reviews
Connectivity Cyber Reviews
Inside Look: Ticketmaster and Fourth Parties
Conclusion
Chapter 6 Ongoing Due Diligence
Low-Risk Vendor Ongoing Due Diligence
Moderate-Risk Vendor Ongoing Due Diligence
High-Risk Vendor Ongoing Due Diligence
“Too Big to Care”
A Note on Phishing
Intake and Ongoing Cybersecurity Personnel
Ransomware: A History and Future
Asset Management
Vulnerability and Patch Management
802.1x or Network Access Control (NAC)
Inside Look: GE Breach
Conclusion
Chapter 7 On-site Due Diligence
On-site Security Assessment
Scheduling Phase
Investigation Phase
Assessment Phase
On-site Questionnaire
Reporting Phase
Remediation Phase
Virtual On-site Assessments
On-site Cybersecurity Personnel
On-site Due Diligence and the Intake Process
Vendors Are Partners
Consortiums and Due Diligence
Conclusion
Chapter 8 Continuous Monitoring
What Is Continuous Monitoring?
Vendor Security-Rating Tools
Inside Look: Health Share of Oregon’s Breach
Enhanced Continuous Monitoring
Software Vulnerabilities/Patching Cadence
Fourth-Party Risk
Data Location
Connectivity Security
Production Deployment
Continuous Monitoring Cybersecurity Personnel
Third-Party Breaches and the Incident Process
Third-Party Incident Management
Inside Look: Uber’s Delayed Data Breach Reporting
Inside Look: Nuance Breach
Conclusion
Chapter 9 Offboarding
Access to Systems, Data, and Facilities
Physical Access
Return of Equipment
Contract Deliverables and Ongoing Security
Update the Vendor Profile
Log Retention
Inside Look: Morgan Stanley Decommissioning Process Misses
Inside Look: Data Sanitization
Conclusion
Chapter 10 Securing the Cloud
Why Is the Cloud So Risky?
Introduction to NIST Service Models
Vendor Cloud Security Reviews
The Shared Responsibility Model
Inside Look: Cloud Controls Matrix by the Cloud Security Alliance
Security Advisor Reports as Patterns
Inside Look: The Capital One Breach
Conclusion
Chapter 11 Cybersecurity and Legal Protections
Legal Terms and Protections
Cybersecurity Terms and Conditions
Offshore Terms and Conditions
Hosted/Cloud Terms and Conditions
Privacy Terms and Conditions
Inside Look: Heritage Valley Health vs. Nuance
Conclusion
Chapter 12 Software Due Diligence
The Secure Software Development Lifecycle
Lessons from SolarWinds and Critical Software
Inside Look: Juniper
On-Premises Software
Cloud Software
Open Web Application Security Project Explained
OWASP Top 10
OWASP Web Security Testing Guide
Open Source Software
Software Composition Analysis
Inside Look: Heartbleed
Mobile Software
Testing Mobile Applications
Code Storage
Conclusion
Chapter 13 Network Due Diligence
Third-Party Connections
Personnel Physical Security
Hardware Security
Software Security
Out-of-Band Security
Cloud Connections
Vendor Connectivity Lifecycle Management
Zero Trust for Third Parties
Internet of Things and Third Parties
Trusted Platform Module and Secure Boot
Inside Look: The Target Breach (2013)
Conclusion
Chapter 14 Offshore Third-Party Cybersecurity Risk
Onboarding Offshore Vendors
Ongoing Due Diligence for Offshore Vendors
Physical Security
Offboarding Due Diligence for Offshore Vendors
Inside Look: A Reminder on Country Risk
Country Risk
KC’s Country Risk
Conclusion
Chapter 15 Transform to Predictive
The Data
Vendor Records
Due Diligence Records
Contract Language
Risk Acceptances
Continuous Monitoring
Enhanced Continuous Monitoring
How Data Is Stored
Level Set
A Mature to Predictive Approach
The Predictive Approach at KC Enterprises
Use Case #1: Early Intervention
Use Case #2: Red Vendors
Use Case #3: Reporting
Conclusion
Chapter 16 Conclusion
Advanced Persistent Threats Are the New Danger
Cybersecurity Third-Party Risk
Index
EULA