Cybersecurity and Third-Party Risk

Third Party Threat Hunting
1st edition

by: Gregory C. Rasner

27,99 €

Publisher: Wiley
Format: EPUB
Published: 11.06.2021
ISBN/EAN: 9781119809562
Language: English
Number of pages: 480

DRM-protected eBook; to read it you need e.g. Adobe Digital Editions and an Adobe ID.

Description

Move beyond the checklist and fully protect yourself from third-party cybersecurity risk

Over the last decade, hundreds of big-name organizations in every sector have experienced a public breach due to a vendor. While the media tends to focus on high-profile breaches like those that hit Target in 2013 and Equifax in 2017, 2020 ushered in a huge wave of cybersecurity attacks, a near 800% increase in cyberattack activity as millions of workers shifted to working remotely in the wake of a global pandemic.

The 2020 SolarWinds supply-chain attack illustrates the lasting impact of this dramatic increase in cyberattacks. Using a technique known as Advanced Persistent Threat (APT), a sophisticated hacker stole information from multiple organizations, from Microsoft to the Department of Homeland Security, not by attacking the targets directly but by compromising a trusted partner or vendor. In addition to exposing third-party risk vulnerabilities for other hackers to exploit, the damage from this one attack alone will continue for years, and there are no signs that cyber breaches are slowing.

Cybersecurity and Third-Party Risk delivers proven, active, and predictive risk reduction strategies and tactics designed to keep you and your organization safe. Cybersecurity and IT expert and author Gregory Rasner shows you how to transform third-party risk from an exercise in checklist completion to a proactive and effective process of risk mitigation.

- Understand the basics of third-party risk management
- Conduct due diligence on third parties connected to your network
- Keep your data and sensitive information current and reliable
- Incorporate third-party data requirements for offshoring, fourth-party hosting, and data security arrangements into your vendor contracts
- Learn valuable lessons from devastating breaches suffered by other companies like Home Depot, GM, and Equifax

The time to talk cybersecurity with your data partners is now.

Cybersecurity and Third-Party Risk is a must-read resource for business leaders and security professionals looking for a practical roadmap to avoiding the massive reputational and financial losses that come with third-party security breaches.
Table of Contents

Foreword xvi
Introduction xviii

Section 1 Cybersecurity Third-Party Risk

Chapter 1 What is the Risk? 1
  The SolarWinds Supply-Chain Attack 4
  The VGCA Supply-Chain Attack 6
  The Zyxel Backdoor Attack 9
  Other Supply-Chain Attacks 10
  Problem Scope 12
  Compliance Does Not Equal Security 15
  Third-Party Breach Examples 17
  Third-Party Risk Management 24
  Cybersecurity and Third-Party Risk 27
  Cybersecurity Third-Party Risk as a Force Multiplier 32
  Conclusion 33

Chapter 2 Cybersecurity Basics 35
  Cybersecurity Basics for Third-Party Risk 38
  Cybersecurity Frameworks 46
  Due Care and Due Diligence 53
  Cybercrime and Cybersecurity 56
  Types of Cyberattacks 59
  Analysis of a Breach 63
  The Third-Party Breach Timeline: Target 66
  Inside Look: Home Depot Breach 68
  Conclusion 72

Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
  The Pandemic Shutdown 77
  Timeline of the Pandemic Impact on Cybersecurity 80
  Post-Pandemic Changes and Trends 84
  Regulated Industries 98
  An Inside Look: P&N Bank 100
  SolarWinds Attack Update 102
  Conclusion 104

Chapter 4 Third-Party Risk Management 107
  Third-Party Risk Management Frameworks 113
  ISO 27036:2013+ 114
  NIST 800-SP 116
  NIST 800-161 Revision 1: Upcoming Revision 125
  NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
  The Cybersecurity and Third-Party Risk Program Management 127
  Kristina Conglomerate (KC) Enterprises 128
  KC Enterprises’ Cyber Third-Party Risk Program 131
  Inside Look: Marriott 140
  Conclusion 141

Chapter 5 Onboarding Due Diligence 143
  Intake 145
  Data Privacy 146
  Cybersecurity 147
  Amount of Data 149
  Country Risk and Locations 149
  Connectivity 150
  Data Transfer 150
  Data Location 151
  Service-Level Agreement or Recovery Time Objective 151
  Fourth Parties 152
  Software Security 152
  KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
  Cybersecurity in Request for Proposals 154
  Data Location 155
  Development 155
  Identity and Access Management 156
  Encryption 156
  Intrusion Detection/Prevention System 157
  Antivirus and Malware 157
  Data Segregation 158
  Data Loss Prevention 158
  Notification 158
  Security Audits 159
  Cybersecurity Third-Party Intake 160
  Data Security Intake Due Diligence 161
  Next Steps 167
  Ways to Become More Efficient 173
  Systems and Organization Controls Reports 174
  Chargebacks 177
  Go-Live Production Reviews 179
  Connectivity Cyber Reviews 179
  Inside Look: Ticketmaster and Fourth Parties 182
  Conclusion 183

Chapter 6 Ongoing Due Diligence 185
  Low-Risk Vendor Ongoing Due Diligence 189
  Moderate-Risk Vendor Ongoing Due Diligence 193
  High-Risk Vendor Ongoing Due Diligence 196
  “Too Big to Care” 197
  A Note on Phishing 200
  Intake and Ongoing Cybersecurity Personnel 203
  Ransomware: A History and Future 203
  Asset Management 205
  Vulnerability and Patch Management 206
  802.1x or Network Access Control (NAC) 206
  Inside Look: GE Breach 207
  Conclusion 208

Chapter 7 On-site Due Diligence 211
  On-site Security Assessment 213
  Scheduling Phase 214
  Investigation Phase 215
  Assessment Phase 217
  On-site Questionnaire 221
  Reporting Phase 227
  Remediation Phase 227
  Virtual On-site Assessments 229
  On-site Cybersecurity Personnel 231
  On-site Due Diligence and the Intake Process 233
  Vendors Are Partners 234
  Consortiums and Due Diligence 235
  Conclusion 237

Chapter 8 Continuous Monitoring 239
  What is Continuous Monitoring? 241
  Vendor Security-Rating Tools 241
  Inside Look: Health Share of Oregon’s Breach 251
  Enhanced Continuous Monitoring 252
  Software Vulnerabilities/Patching Cadence 253
  Fourth-Party Risk 253
  Data Location 254
  Connectivity Security 254
  Production Deployment 255
  Continuous Monitoring Cybersecurity Personnel 258
  Third-Party Breaches and the Incident Process 258
  Third-Party Incident Management 259
  Inside Look: Uber’s Delayed Data Breach Reporting 264
  Inside Look: Nuance Breach 265
  Conclusion 266

Chapter 9 Offboarding 267
  Access to Systems, Data, and Facilities 270
  Physical Access 274
  Return of Equipment 275
  Contract Deliverables and Ongoing Security 275
  Update the Vendor Profile 276
  Log Retention 276
  Inside Look: Morgan Stanley Decommissioning Process Misses 277
  Inside Look: Data Sanitization 279
  Conclusion 283

Section 2 Next Steps

Chapter 10 Securing the Cloud 285
  Why is the Cloud So Risky? 287
  Introduction to NIST Service Models 288
  Vendor Cloud Security Reviews 289
  The Shared Responsibility Model 290
  Inside Look: Cloud Controls Matrix by the Cloud Security Alliance 295
  Security Advisor Reports as Patterns 298
  Inside Look: The Capital One Breach 312
  Conclusion 313

Chapter 11 Cybersecurity and Legal Protections 315
  Legal Terms and Protections 317
  Cybersecurity Terms and Conditions 321
  Offshore Terms and Conditions 324
  Hosted/Cloud Terms and Conditions 327
  Privacy Terms and Conditions 331
  Inside Look: Heritage Valley Health vs. Nuance 334
  Conclusion 335

Chapter 12 Software Due Diligence 337
  The Secure Software Development Lifecycle 340
  Lessons from SolarWinds and Critical Software 342
  Inside Look: Juniper 344
  On-Premises Software 346
  Cloud Software 348
  Open Web Application Security Project Explained 350
  OWASP Top 10 350
  OWASP Web Security Testing Guide 352
  Open Source Software 353
  Software Composition Analysis 355
  Inside Look: Heartbleed 355
  Mobile Software 357
  Testing Mobile Applications 358
  Code Storage 360
  Conclusion 362

Chapter 13 Network Due Diligence 365
  Third-Party Connections 368
  Personnel Physical Security 368
  Hardware Security 370
  Software Security 371
  Out-of-Band Security 372
  Cloud Connections 374
  Vendor Connectivity Lifecycle Management 375
  Zero Trust for Third Parties 379
  Internet of Things and Third Parties 385
  Trusted Platform Module and Secure Boot 388
  Inside Look: The Target Breach (2013) 390
  Conclusion 391

Chapter 14 Offshore Third-Party Cybersecurity Risk 393
  Onboarding Offshore Vendors 397
  Ongoing Due Diligence for Offshore Vendors 399
  Physical Security 399
  Offboarding Due Diligence for Offshore Vendors 402
  Inside Look: A Reminder on Country Risk 404
  Country Risk 405
  KC’s Country Risk 406
  Conclusion 409

Chapter 15 Transform to Predictive 411
  The Data 414
  Vendor Records 415
  Due Diligence Records 416
  Contract Language 416
  Risk Acceptances 417
  Continuous Monitoring 417
  Enhanced Continuous Monitoring 417
  How Data is Stored 418
  Level Set 418
  A Mature to Predictive Approach 420
  The Predictive Approach at KC Enterprises 420
  Use Case #1: Early Intervention 423
  Use Case #2: Red Vendors 425
  Use Case #3: Reporting 426
  Conclusion 427

Chapter 16 Conclusion 429
  Advanced Persistent Threats Are the New Danger 431
  Cybersecurity Third-Party Risk 435

Index 445
GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.
STRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN

Across the world, the networks of hundreds of different world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. And the advanced threats are now exploiting the intersection of weaknesses in cybersecurity and third-party risk management.

In Cybersecurity and Third-Party Risk, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities posed to an organization’s network by third parties. You’ll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation.

The author discusses how to conduct due diligence on the third parties connected to your company’s networks and how to keep your information about them current and reliable. You’ll learn about the language you need to look for in a third-party data contract whether you’re offshoring or outsourcing data security arrangements.

Perfect for professionals and executives responsible for securing their organizations’ systems against external threats, Cybersecurity and Third-Party Risk is an indispensable resource for all business leaders who seek to:

- Understand the fundamentals of third-party risk management
- Conduct robust intake and ongoing due diligence
- Perform on-site due diligence and close vendor risks
- Secure your software supply chain
- Utilize cloud and on-premises software securely
- Continuously monitor your third-party vendors and prevent breaches
