Table of Contents

Cover
Title Page
Introduction
  Who Will Benefit Most from This Book
  Special Features
Chapter 1: What Is the Risk?
  The SolarWinds Supply-Chain Attack
  The VGCA Supply-Chain Attack
  The Zyxel Backdoor Attack
  Other Supply-Chain Attacks
  Problem Scope
  Compliance Does Not Equal Security
  Third-Party Breach Examples
  Conclusion
Chapter 2: Cybersecurity Basics
  Cybersecurity Basics for Third-Party Risk
  Cybersecurity Frameworks
  Due Care and Due Diligence
  Cybercrime and Cybersecurity
  Conclusion
Chapter 3: What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk
  The Pandemic Shutdown
  SolarWinds Attack Update
  Conclusion
Chapter 4: Third-Party Risk Management
  Third-Party Risk Management Frameworks
  The Cybersecurity and Third-Party Risk Program Management
  Kristina Conglomerate (KC) Enterprises
  Conclusion
Chapter 5: Onboarding Due Diligence
  Intake
  Cybersecurity Third-Party Intake
  Conclusion
Chapter 6: Ongoing Due Diligence
  Low-Risk Vendor Ongoing Due Diligence
  Moderate-Risk Vendor Ongoing Due Diligence
  High-Risk Vendor Ongoing Due Diligence
  "Too Big to Care"
  A Note on Phishing
  Intake and Ongoing Cybersecurity Personnel
  Ransomware: A History and Future
  Conclusion
Chapter 7: On-site Due Diligence
  On-site Security Assessment
  On-site Due Diligence and the Intake Process
  Conclusion
Chapter 8: Continuous Monitoring
  What Is Continuous Monitoring?
  Enhanced Continuous Monitoring
  Third-Party Breaches and the Incident Process
  Conclusion
Chapter 9: Offboarding
  Access to Systems, Data, and Facilities
  Conclusion
Chapter 10: Securing the Cloud
  Why Is the Cloud So Risky?
  Conclusion
Chapter 11: Cybersecurity and Legal Protections
  Legal Terms and Protections
  Cybersecurity Terms and Conditions
  Conclusion
Chapter 12: Software Due Diligence
  The Secure Software Development Lifecycle
  On-Premises Software
  Cloud Software
  Open Web Application Security Project Explained
  Open Source Software
  Mobile Software
  Conclusion
Chapter 13: Network Due Diligence
  Third-Party Connections
  Zero Trust for Third Parties
  Conclusion
Chapter 14: Offshore Third-Party Cybersecurity Risk
  Onboarding Offshore Vendors
  Country Risk
  KC's Country Risk
  Conclusion
Chapter 15: Transform to Predictive
  The Data
  Level Set
  A Mature to Predictive Approach
  The Predictive Approach at KC Enterprises
  Conclusion
Chapter 16: Conclusion
Index
Copyright
Dedication
(ISC)2®
About the Author
About the Technical Editor
Acknowledgments
Foreword
End User License Agreement

List of Tables

Chapter 12
  TABLE 11.1 CVE/CVSS SCORES

List of Illustrations

Chapter 2
  FIGURE 2.1 The CIA Triad
  FIGURE 2.2 The NIST Cybersecurity Framework
  FIGURE 2.3 The Five Steps to a Breach
Chapter 4
  FIGURE 4.1 The Four Pillars of ICT SCRM
  FIGURE 4.2 The Calculation Flow
  FIGURE 4.3 The Four Lines of Defense Model
Chapter 5
  FIGURE 5.1 The Cyber TPR Lifecycle
  FIGURE 5.2 The RFP to IRQ to Intake Process
  FIGURE 5.3 Masking or De-Identifying Tests in Lower-Level Environments
Chapter 7
  FIGURE 7.1 The On-site Assessment Lifecycle
Chapter 8
  FIGURE 8.1 The Continuous Monitoring Process
Chapter 10
  FIGURE 10.1 SaaS, PaaS, and IaaS Stacks
  FIGURE 10.2 The Shared Responsibility Model
Chapter 13
  FIGURE 13.1 The Vendor Connection Lifecycle
  FIGURE 13.2 Vendor Enclaves in ZT for Third Parties
  FIGURE 13.3 An SDP Gateway
  FIGURE 13.4 The TPM Process
Chapter 15
  FIGURE 15.1 The Data Funnel to Reporting
  FIGURE 15.2 Red, Yellow, and Green Vendors

Cybersecurity and Third-Party Risk
Third Party Threat Hunting
Gregory C. Rasner

Introduction

Third-party risk (or supply-chain security) is not a new discipline; frameworks, regulatory directives, professional certifications, and organizations all attest to its maturity. Cybersecurity could be considered more mature still, since it has existed in some form since computing came of age in the 1970s, and it is now even more complex in terms of frameworks, disciplines, certifications, regulatory guidance and directives, and avenues of study. Why, then, do surveys indicate time after time that well over 50 percent of organizations do not perform any type of Third-Party Risk Management (TPRM), and that fewer still have anything more than an ad hoc cybersecurity due diligence program for their vendors? The consequences of this lack of attention and collaboration can be found in hundreds, if not thousands, of breaches and security incidents that resulted from poor third-party oversight and an absence of due diligence and due care for vendors' cybersecurity.

This book is designed to provide a detailed look at the problems and risks, and then to give specific examples of how to create a robust and active Cybersecurity Third-Party Risk Management program. It begins with the basics of the due diligence processes and the vendor lifecycle, with models and illustrations showing how to build these basic but necessary steps. It then goes deeper into the next parts of a mature program: cyber legal language, offshore vendors, connectivity security, software security, and the use of a predictive reporting dashboard. The book is designed not only to help you build a program, but also to take an existing program from compliance checkbox work to an active threat-hunting practice. Many programs that exist today are designed and run as an obligation to "check a box" for a regulator or an internal auditor. Yet no one has ever secured their network or data by doing only what the regulators told them to do.
Security is an ongoing activity, and its application to third-party risk must be equally active and ongoing. The program's activities and results should emulate those of a cyber operations or threat operations team, focusing its effort on reducing cybersecurity threats externally, at the suppliers. Get away from checking boxes and filling out remote questionnaires; take a risk-based approach that engages your highest-risk and most critical third parties in conversations that build trust and collaboration, lowering risk for both your organization and the vendor.

Who Will Benefit Most from This Book

Readers across cybersecurity, third-party risk, and executive leadership will benefit the most from this book. On the cybersecurity side, everyone from analysts to senior leadership can apply their information security knowledge and experience to the hands-on work and management of third-party risk, while third-party risk professionals will better understand and appreciate the need to include a more robust cybersecurity risk domain. Executive and senior business leaders who are not focused on cybersecurity or third-party risk will gain an understanding of the risk, the practice, and the frameworks, and of how to lower the likelihood of a cybersecurity event at their vendors.

Looking Ahead in This Book

This book is divided into two sections. Section 1, "The Basics," lays out the case for a robust and active Cybersecurity Third-Party Risk Management program and describes the basic due diligence activities and processes it requires. These are not basic as in "simple"; they are the foundation on which a mature program is built. Section 2, "Next Steps," covers what comes after that foundation is in place: cyber legal language, cloud security, software security, connectivity security, offshore vendors, and how to build predictive reporting that focuses on the highest-risk vendors.

Chapter 1 opens with a detailed description of the risk, using the SolarWinds attack and the other supply-chain attacks that came to light in late 2020 as prime examples of how threat actors have evolved in both identity and tactics. It also provides a long list of companies that lost their data because a vendor did not take due care with it.

Chapter 2 covers some cybersecurity basics. This book does not require the reader to be a cybersecurity or third-party risk expert, but a few concepts must be defined and the frameworks for both topics covered so that all readers start from the same level.

Chapter 3 delves into how the COVID-19 pandemic affected the security landscape and how quickly attackers adapted to the new opportunities. The changes to behavior and business that outlast the pandemic and become the new normal will mean a continued increase in cybercriminal activity.

Chapter 4 is an in-depth look at Third-Party Risk Management (TPRM). It is included to level-set the reader and to tie the cybersecurity and TPRM concepts together, since both domains aim to identify and manage risk.

Chapters 5 through 9 cover the vendor lifecycle: intake, ongoing security, and offboarding due diligence activities. Chapter 5 reviews the activities and requirements for vetting and performing security assessments of new vendors, or of new services from existing suppliers. Chapter 6 describes ongoing cybersecurity due diligence activities such as remote assessments. Chapter 7 is devoted to the important and complex topic of on-site assessments, the essential due diligence process for physically validating security controls at a vendor site and the gold standard for assurance. Chapter 8 covers the Continuous Monitoring (CM) program and why it is a crucial security control for vendors in the time between point-in-time assessments; building a robust CM program means using a set of tools and internal data to engage vendors on potential real threats they may be unaware of, reducing risk collaboratively. Chapter 9, the last chapter on the vendor lifecycle, discusses offboarding. Many firms overlook this part of the lifecycle, so the chapter covers the critical steps and due diligence needed to ensure that no risk to data or connectivity remains once a vendor relationship ends.

Section 2 begins with Chapter 10, on the large topic of the cloud. It discusses the shared responsibility model and how it determines which security controls your vendor is responsible for and which they have outsourced to the Cloud Service Provider (CSP). Chapter 11 covers legal language and process for cybersecurity, offshore vendors, cloud, and privacy; Chapter 12 then details in depth the possible ways to test