
At the end of September, it was reported that an IT service provider, Tyler Technologies (a Texas-based company that bills itself as the largest provider of software and technology services to the United States public sector), was hit with ransomware. It is now assumed that the credentials Tyler uses to manage its customers were exfiltrated.
In response to many questions along the lines of "how do I know I'm safe from this third-party breach?", the SANS Institute has published some general recommendations on how to manage remote access for partners and contractors.
Here are some tips to increase operational security when working with third parties.
- Know "who's behind the keyboard". Are the third-party employees on the payroll and dedicated to you (read: they know you and your business)? Are they also contractors? Are they located in the same country as you?
- When it's not mandatory, do not keep the remote access open 24x7. All access requests must be approved following a procedure.
- Do not grant full access to your infrastructure. Restrict the third party's rights to the minimum resources needed to perform its job (least privilege). Keep segmentation in mind. Restrict its access to a jump host that will be used to enforce more security controls.
- Keep logs of who did what, when, why, and from where. Log everything: all connections, all commands. Example: detect an unforeseen connection from an unusual location outside business hours.
- Keep an inventory of your partners and the software they have installed. Require them to keep that software upgraded, and audit its settings.
- Enable the security settings available in the deployed tools. Example: enable MFA, activate client-side certificates, provide security tokens.
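
The logging tip gives the example of detecting an unforeseen connection from an unusual location outside business hours. The following added example (not from the SANS article or this post) runs that check, together with the approval and inventory checks from the other tips, over constructed jump-host log lines; the log format, partner names, business hours and approval list are all assumptions.

```python
from datetime import datetime, time

# Constructed partner inventory: expected source countries per account (assumption).
PARTNERS = {"vendor-a": {"US"}, "vendor-b": {"US", "CA"}}
# Constructed approved access windows from the approval procedure: (account, start, end).
APPROVED = [("vendor-a", datetime(2020, 10, 5, 9, 0), datetime(2020, 10, 5, 12, 0))]
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed business hours

# Constructed jump-host log lines: timestamp, account, source IP, GeoIP country.
SAMPLE_LOG = """\
2020-10-05T09:30:00 vendor-a 198.51.100.10 US
2020-10-05T23:15:00 vendor-a 203.0.113.7 RO
2020-10-06T10:00:00 vendor-b 198.51.100.20 CA
2020-10-06T11:00:00 vendor-c 192.0.2.44 US
"""

def review_session(line):
    """Return (account, timestamp, reasons); an empty reasons list means no finding."""
    ts_raw, account, _ip, country = line.split()
    ts = datetime.fromisoformat(ts_raw)
    reasons = []
    if account not in PARTNERS:
        reasons.append("account not in partner inventory")
    elif country not in PARTNERS[account]:
        reasons.append(f"unusual location {country}")
    # Weekends (weekday 5 and 6) and times outside the window count as off-hours.
    if ts.weekday() >= 5 or not BUSINESS_START <= ts.time() < BUSINESS_END:
        reasons.append("outside business hours")
    if not any(a == account and start <= ts <= end for a, start, end in APPROVED):
        reasons.append("no approved access request")
    return account, ts, reasons

def find_alerts(log_text):
    """Return only the sessions that triggered at least one rule."""
    results = (review_session(l) for l in log_text.splitlines() if l.strip())
    return [r for r in results if r[2]]

if __name__ == "__main__":
    for account, ts, reasons in find_alerts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {account}: {', '.join(reasons)}")
```

Sessions that match several rules at once (unexpected country, off-hours, no approval on file) are the ones to triage first.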