Move beyond the checklist and fully protect yourself from third-party cybersecurity risk
Over the last decade, hundreds of big-name organizations in every sector have experienced a public breach due to a vendor. While the media tends to focus on high-profile breaches like those that hit Target in 2013 and Equifax in 2017, 2020 ushered in a huge wave of cybersecurity attacks, a near 800% increase in cyberattack activity, as millions of workers shifted to working remotely in the wake of a global pandemic.
The 2020 SolarWinds supply-chain attack illustrates the lasting impact of this dramatic increase in cyberattacks. Using a technique known as Advanced Persistent Threat (APT), a sophisticated hacker stole information from multiple organizations, from Microsoft to the Department of Homeland Security, not by attacking the targets directly but by attacking a trusted partner or vendor. In addition to exposing third-party risk vulnerabilities for other hackers to exploit, the damage from this one attack alone will continue for years, and there are no signs that cyber breaches are slowing.
Cybersecurity and Third-Party Risk delivers proven, active, and predictive risk reduction strategies and tactics designed to keep you and your organization safe. Cybersecurity and IT expert and author Gregory Rasner shows you how to transform third-party risk from an exercise in checklist completion to a proactive and effective process of risk mitigation.
Understand the basics of third-party risk management
Conduct due diligence on third parties connected to your network
Keep your data and sensitive information current and reliable
Incorporate third-party data requirements for offshoring, fourth-party hosting, and data security arrangements into your vendor contracts
Learn valuable lessons from devastating breaches suffered by other companies like Home Depot, GM, and Equifax
The time to talk cybersecurity with your data partners is now.
Cybersecurity and Third-Party Risk is a must-read resource for business leaders and security professionals looking for a practical roadmap to avoiding the massive reputational and financial losses that come with third-party security breaches.
About the Author
GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.
Back Cover Text
STRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN
Across the world, the networks of hundreds of different world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. And the advanced threats are now exploiting the intersection of weaknesses in cybersecurity and third-party risk management.
In Cybersecurity and Third-Party Risk, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities posed to an organization's network by third parties. You'll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation.
The author discusses how to conduct due diligence on the third parties connected to your company's networks and how to keep your information about them current and reliable. You'll learn about the language you need to look for in a third-party data contract whether you're offshoring or outsourcing data security arrangements.
Perfect for professionals and executives responsible for securing their organizations' systems against external threats, Cybersecurity and Third-Party Risk is an indispensable resource for all business leaders who seek to:
Contents
Foreword xvi
Introduction xviii
Section 1 Cybersecurity Third-Party Risk
Chapter 1 What is the Risk? 1
The SolarWinds Supply-Chain Attack 4
The VGCA Supply-Chain Attack 6
The Zyxel Backdoor Attack 9
Other Supply-Chain Attacks 10
Problem Scope 12
Compliance Does Not Equal Security 15
Third-Party Breach Examples 17
Third-Party Risk Management 24
Cybersecurity and Third-Party Risk 27
Cybersecurity Third-Party Risk as a Force Multiplier 32
Conclusion 33
Chapter 2 Cybersecurity Basics 35
Cybersecurity Basics for Third-Party Risk 38
Cybersecurity Frameworks 46
Due Care and Due Diligence 53
Cybercrime and Cybersecurity 56
Types of Cyberattacks 59
Analysis of a Breach 63
The Third-Party Breach Timeline: Target 66
Inside Look: Home Depot Breach 68
Conclusion 72
Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
The Pandemic Shutdown 77
Timeline of the Pandemic Impact on Cybersecurity 80
Post-Pandemic Changes and Trends 84
Regulated Industries 98
An Inside Look: P&N Bank 100
SolarWinds Attack Update 102
Conclusion 104
Chapter 4 Third-Party Risk Management 107
Third-Party Risk Management Frameworks 113
ISO 27036:2013+ 114
NIST 800-SP 116
NIST 800-161 Revision 1: Upcoming Revision 125
NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
The Cybersecurity and Third-Party Risk Program Management 127
Kristina Conglomerate (KC) Enterprises 128
KC Enterprises' Cyber Third-Party Risk Program 131
Inside Look: Marriott 140
Conclusion 141
Chapter 5 Onboarding Due Diligence 143
Intake 145
Data Privacy 146
Cybersecurity 147
Amount of Data 149
Country Risk and Locations 149
Connectivity 150
Data Transfer 150
Data Location 151
Service-Level Agreement or Recovery Time Objective 151
Fourth Parties 152
Software Security 152
KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
Cybersecurity in Request for Proposals 154
Data Location 155
Development 155
Identity and Access Management 156
Encryption 156
Intrusion Detection/Prevention System 157
Antivirus and Malware 157
Data Segregation 158
Data Loss Prevention 158
Notification 158
Security Audits 159
Cybersecurity Third-Party Intake 160
Data Security Intake Due Diligence 161
Next Steps 167
Ways to Become More Efficient 173
Systems and Organization Controls Reports 174
Chargebacks 177
Go-Live Production Reviews 179
Connectivity Cyber Reviews 179
Inside Look: Ticketmaster and Fourth Parties 182
Conclusion 183
Chapter 6 Ongoing Due Diligence 185
Low-Risk Vendor Ongoing Due Diligence 189
Moderate-Risk Vendor Ongoing Due Diligence 193
High-Risk Vendor Ongoing Due Diligence 196
Too Big to Care 197
A Note on Phishing 200
Intake and Ongoing Cybersecurity Personnel 203
Ransomware: A History and Future 203
Asset Management 205
Vulnerability and Patch Management 206
802.1x or Network Access Control (NAC) 206
Inside Look: GE Breach 207
Conclusion 208
Chapter 7 On-site Due Diligence 211
On-site Security Assessment 213
Scheduling Phase 214
Investigation Phase 215
Assessment Phase 217