Three Steps for Management and Remediation of Security Vulnerabilities with Third Parties

Over the years, security organizations have had to deal with many vulnerabilities that required quick response and remediation. Some examples that come to mind include Heartbleed, Shellshock, numerous specific vendor product vulnerabilities, and as we saw recently: WannaCry. All of these advisories require our organizations to quickly assess the exposure and impact; however, many of us stop at our own infrastructure. As we have seen with mobile, cloud and continued outsourcing, maintaining focus within our own virtual walls is not enough. There is significant risk and exposure to information if we have decided to leverage a service offering or third party.  

So, what are the different approaches organizations are taking when they realize they need to understand the exposure of a vulnerability to a third-party provider? My answer is, there are three common or leading approaches:  

1. Understand your third-party risk program and ensure that program assessments are conducted on schedule or when developing a relationship with a new third party.  
2. Have a specific questionnaire sent out whenever there is a vulnerability that needs to be assessed. 
3. Organizations must have continuous vulnerability monitoring your third parties and/or assess the third parties for the vulnerability. 

In this article we will review each approach and the benefits and challenges with them when used independently.

Third-Party Assessments

For many of us, we use our third-party risk management program to assess our vendors or have our third parties attest to their controls; then we review, validate or document those controls. While this approach is a valid practice, it does not address cases when a vulnerability is released and is missing valuable details on if the vulnerability is being addressed. When you are evaluating whether the vendor is adequately responding to the vulnerability, you will need to build and maintain a program where new vulnerabilities can be addressed in a timely and consistent model.  As an example, you may be looking at a third-party software to install in your organization, or you may be validating a software as-a-service offering, where you may want to be more focused on how software is developed or patched, or how vulnerabilities are assessed and reviewed.

Program reviews are beneficial to understand the processes and procedures used to protect the organization when a vulnerability is announced, however, they do not provide insight regarding the exposure to the vulnerability and what the action plan is for addressing it. For this, many organizations will send off a simple questionnaire out asking questions specifically about the vulnerability. 

Questionnaires and Vulnerability Monitoring

Sending a specific questionnaire is effective for understanding the specifics of the issue or vulnerability at hand, but it is only one piece of the puzzle. Once the questionnaire is completed, organizations can still struggle, as the factors are not brought in to a standard interface for risk and issues management, making the process very manual and difficult to track. To address this, organizations have started to leverage solutions that will monitor third parties for common external vulnerabilities. Leveraging these monitoring solutions helps scale and provides an effective way to get information. However, these only show external vulnerabilities and do not dig into “behind the firewall” or vulnerabilities in products like CVE-2017-6867 - Siemens SIMATIC WinCC. If you require knowledge about your vendors’ treatment of vulnerabilities in their internal networks, you still need a questionnaire. The manual questionnaire approach supports many valuable items, such as information about a vendor’s remediation plan.  

Over the years I have learned that necessity drives innovation. To ensure their vulnerability response programs are effective, organizations must understand their third-party risk programs and execute timely program reviews. Be prepared to distribute vulnerability specific questionnaires and continually monitor your third parties. In order to effectively scale and manage all the pieces and parts that come along with running a third-party risk management program, the ability to aggregate all information into a single repository is key to success.