• United States



by David Geer

How to audit external service providers

Apr 01, 20166 mins
Disaster RecoverySecurity

What to audit is at least half of how to do it.

Credit: Thinkstock

News of or firsthand experience with breaches that attackers managed to achieve using external service providers such as POS vendors reminds enterprises that the federated enterprise makes a bulletproof perimeter no longer possible.

Failure to audit your providers is like neglecting to audit your internal enterprise, culminating in similar ramifications. In both cases, you can’t close holes you don’t know exist. But knowing what to audit can be the lion’s share of how to get it done right.

In this fourth installment of a five part series designed to harden and remove vulnerabilities in incident response itself, CSO tips you off on what to audit inside those who conduct trade so closely with you and what resources to use.

Appropriate controls depend on the service provider, their industry, their geographical location, applicable laws in their jurisdiction, and the kinds of services they provide to you. In the state of California, the Attorney General endorses the Center for Internet Security’s (CIS) Critical Security Controls as the minimum level of reasonable security measures that service providers should have in effect, says M. Scott Koller, Counsel, BakerHostetler.

With California as an exception, states don’t usually give their seal of approval to specific security standards. That being said, Massachusetts sets forth its standard in a statute, i.e., 201 CMR 17.00, adds Koller, but that is their own guide, not an external set of controls.

[ MORE FROM THIS PACKAGE: How to review and test backup procedures to ensure data restoration | How to conduct a table top exercise | Reviewing incident response plans for data risk preparedness ]

Some industry standards for information security controls and information about how to audit for these emanate from authorities such as the PCI Security Standards Counsel (for the retail industry), the Financial Regulatory Authority, the U.S. Department of Health and Human Services, and the NIST Cybersecurity Framework (for the energy/utilities industries), says Koller.

CSO also has this “Security Laws, Regulations, And Guidelines Directory”.

The easiest way to apply the correct information security standard is simply to look at those that you must follow and expect the same from your external service providers. “For example, both the merchant and the POS vendor that serves it should adhere to the PCI DSS security standard for retail operations security,” explains Koller.

Specific technical approaches

If you demand these protections and routinely audit to ensure they are in place, you will go a long way toward hardening your external vendor.

To limit external service provider access, segment your networks and segregate network access using VLANs and other technologies and approaches, says Koller.

The Australian Government’s Department of Defense publishes “Information Security Advice For All Levels Of Government”, which includes this section on “Network Segmentation And Segregation” with techniques and technologies that transfer well for use in networks around the world.

The Australian DOD recommends implementing DMZs and gateways using traffic flow filters, network, application, and host-based firewalls, NAC, unidirectional security gateways, application and service proxies, user and service authentication and authorization, and content filters, according to the same document.

The Australian Government publication further encourages using domain and server isolation supported by IPsec and storage-based segmentation and filtering using encryption and LUN masking, the document says.

“Use a single username across the entire third-party provider so that you can disable it and access across that firm when they are not using it. Limit remote access to a set of approved, whitelisted IP addresses within your organization and disable the list when not in use,” says Koller, speaking of broad, simple methods of access control.

You should permit and provide remote access for external service vendors only on demand, automatically disabling these tools using time-based and other rule sets such as those covered by policies. The enterprise can enforce these policies by using technology like firewalls to drop connections and/or close ports for the given period or under a set of circumstances under which the vendor should not connect. “If you allow remote access via LogMeIn or RDP, consider simply disabling those programs when the service provider is not using them,” says Koller.

The enterprise may have to disable some remote access tools manually by closing the program or temporarily voiding the company’s user credentials, explains Koller. “Test the remote access service during the period when the vendor should not connect to ensure they cannot,” adds Koller.

For any and all of these technical controls that you require of your vendors, you will have to audit regularly to assure yourself of compliance.

Contract-based approaches

Enterprises should ensure that contracts include critical cyber liability insurance provisions, limitations on liability, and indemnifications, says Koller. The targets of these will be unique to each type of service provider and the service they supply. The enterprise should seek the advice of internal counsel or an attorney expert in these matters.

For these provisions to work in a repeatable manner without undo strain to either party, you must balance the amount and the value of the data and the risk level with the amount of access the external provider has and the potential costs of a data breach involving that provider, says Koller. Ensure the provider carries enough insurance to cover the greatest possible loss. Ensure that the vendor is liable for the appropriate risk related items. “Limitation of liability provisions commonly limit damages to the total fees paid under the service agreement. However, if the incident affects all of your data, those fees may not cover everything,” explains Koller.

These criteria should be met before you execute any agreement with the vendor. “The size of the service provider and the amount of business you can bring to them are key factors in their bargaining position and yours.

Ensure that the vendor has the financial wherewithal to indemnify your enterprise in the case of a breach by measuring the worst possible breach aftermath against the backdrop of the external vendor’s size and resources. If the company is too small to have these resources, they are probably too small to be working with you. Cyber risk liability coverage is an option so long as the vendor can afford it. “If they are unwilling to accept liability, your organization can also acquire cyber insurance against vendor related loss. Make sure that insurance covers exactly that,” says Koller.

Keep your approach friendly but firm when setting up contracts, technical controls, and auditing for external vendors.

See part 2 of this series: How to review and test backup procedures to ensure data restoration