Zero-Day and Third-Party Risk Management (TPRM)
What is a Zero-day vulnerability?
Security vulnerabilities are not discovered immediately. Third parties may conduct annual vulnerability assessments and penetration tests, but these are point-in-time exercises, and identifying a vulnerability through them is not straightforward. It can take anywhere from a few weeks to a few months for developers to write the code that fixes a vulnerability. The time spent developing that fix is the window in which attackers exploit the vulnerability.
The term “zero-day” refers to the fact that the vendor or developer has only just learned of the flaw – which means they have “zero days” to fix it – Kaspersky
When such a zero-day flaw is exploited, organizations suffer an incident or a security breach that damages their reputation, stock price, and client trust, and they become subject to regulatory fines and financial loss.
Almost every company relies on its Third Parties for services and products. These Third Parties in turn outsource their work, in whole or in part, to their own Third Parties. These are called Fourth Parties. A report from Gartner says 71% of organizations have an average of 1000 Third Parties. For every third-party vendor in their supply chain, organizations typically have indirect relationships with 60 to 90 times that number of fourth-party relationships – Security Scorecard
Organizations often have a tough time finding out who their Third Parties and Fourth Parties are, and are not well prepared to face the consequences. Challenges faced by organizations:
- Lack of a robust and up-to-date Third Party inventory – Organizations without a proper inventory struggle to identify which categories of Third Parties are affected by a zero-day
- Contracts with outdated terms and SLAs – Incident notification is not included in the contracts, so organizations cannot contractually oblige Third Parties to notify them
- Delay in applying updates (software, hardware, firmware) – Once a patch for a vulnerability is released, not all users apply it quickly
- Lack of Vulnerability Assessment – Periodic VA and PT reports, which would evidence a Third Party's security practices, are not requested from Third Parties
- Inefficient communication channel to Third Parties – Not every organization has a dedicated incident response team and an effective incident communication process, which delays any action
- Third Party Certifications – Whether for software or hardware, organizations do not exercise the diligence to ask for SAST and DAST results, Common Criteria certification, code review reports, ISO 27001, SOC 2, etc.
55 zero-day vulnerabilities were exploited in 2022 – Mandiant. Many Third Parties, suppliers, clients and partners do not notify others when they are the victim of a security breach, giving attackers time to launch new attacks.
Defentrix can work with you to get a strong grip on potential vulnerabilities and security flaws originating from your Third Parties and to strengthen your Third Party Risk Management (TPRM) practices:
- Build a Third-Party Risk Management (TPRM) program supported by the top management to manage all Third Parties
- Build or enhance the Third Party Incident Response strategy and process:
  - Initial Triage – understand the length and breadth of the incident
  - Evidence collection – incident reports and investigation reports
  - Analysis – impact on your organization
  - Action – immediate response actions to curtail the impact of the incident
  - Assessment – Third Party Risk Assessment of the affected service or product
  - Contract review – adequate coverage in the contract to manage liability
- Create a customized baseline security standard enabling you to vet the security posture of Third Parties
- Identify security and privacy risks you are exposed to and provide guidance on remediation
- Equip your team with the skills and tools required to manage the program
- Reduce the probability of risk from Third Parties
- Provide managed services in which Defentrix takes ownership of running the entire program on your behalf