Michael Schneider
Even though companies make a considerable effort to deal with IT risks and their management, there are security-related topics that often get overlooked due to their nature. They appear to fly under the IT risk radar. One such topic is that of critical third party applications (C3PA).
From an internal point of view, a company focuses on the services its business is built around, its own infrastructure, networks and applications. During normal operations along those lines, companies also access C3PA. These are applications that are not part of the company's own IT resources. However, they are used to, among other things, handle financially and/or legally binding transactions. A prime example of a C3PA would be the e-banking access that is used to manage company accounts.
Access to these C3PA is handled without much thought. Credentials are passed on among employees informally, without a second thought and without any process. This despite the fact that companies otherwise maintain a strict regime when it comes to the management of privileges: there are processes, controls, mechanisms et cetera in place that ensure accountability and proper administration when account privileges are handed out.
Because this application type is often overlooked, adequate and recognised security principles that companies usually respect and enforce internally are not enforced in any satisfactory way when it comes to C3PA.
Security mechanisms that tend to be overlooked include but are not limited to:
Neglecting these crucial factors leads to a permanent high-risk situation and non-transparency regarding the use of C3PA in a company.
When dealing with C3PA and their management, responsible parties need to ask themselves questions that help ensure a thorough process when implementing measures to manage C3PA and their security aspects.
Before any of these questions can be answered, C3PA need to be defined. The resulting definition needs to be kept narrow enough to be easily understood.
Generally, C3PA are recognisable by the following functions:
In this context, the following type of application is considered to be a third party application:
Even if an application is developed by a third party but hosted on an internal server, it is to be considered a third party application.
Following this definition, C3PA have the power to generate financial contracts or to collect data from external sources that is then processed in the financial context of the company. Critical third party applications are applications that can directly influence the financial success and the integrity of the company and impact its business.
The main problem with C3PA results from the way employees deal with them. Employees who are granted an account in a C3PA environment automatically receive high execution privileges. Misuse of these privileges can lead to financial damage, or to a legal obligation that in turn leads to financial damage.
The issuing of privileges can depend on external factors that the company cannot influence. For example: if a company has to rely on external parties to grant or deny access to an application, and that process is not bound to any internal process, the scenario arises that former employees retain their privileges even after their work contracts have expired. This enables them to initiate and perform critical transactions in the name of the company even after they are no longer part of it.
Furthermore, the uncoupling of company processes from privilege management leads to non-transparency regarding C3PA. Depending on the size of the company, it is close to impossible to accurately determine which and how many C3PA are deployed in which department of the company, under whose authority, and which processes and protection mechanisms may or may not have been implemented. This leads to risks.
The following risks describe scenarios that can come out of dealing with C3PA.
Scenario: The attacker manages to gain money without the company noticing. In order to stay undetected and not trigger any controls, he or she funnels money into his or her own account over a longer period of time. This flow of money is slow and continuous.
Comment: It is likely that the established security standards and controls in financial applications such as e-banking at least detect fraudulent transfers of money. Today's e-banking solutions and financial institutes are under constant pressure to protect themselves against even the most sophisticated threats. This is in their own interest. Security gaps that were discovered during previous fraud attempts, regardless of their success, have been addressed. Among other things, confirmation mechanisms for transactions have been implemented. There are logs and reports that ensure non-repudiation and traceability.
Scenario: An attacker funnels a large sum of money into his or her own account, or abuses his or her privileges to create a large, legally binding financial obligation for the company. This leads to a lack of liquid funds and to refinancing risks, because funds that are required at short notice are no longer available or can only be acquired at a high cost.
Comment: For transactions and obligations of critical size, there are protection mechanisms in place so that business exceeding a certain amount of money requires the approval or supervision of several people.
Scenario: An attacker uses his or her privileges to enter into a long-term, legally binding agreement.
Comment: Employees in various areas of the business have permission to place orders or have access to license keys in order to acquire software and hardware, perform upgrades or download programs. Often these permissions are not centrally handled by company procurement but, based on contracts, handled in a decentralised department or in autonomous areas.
Scenario: Due to non-transparency when handling privileges in C3PA, an incident such as the careless passing on of credentials leaves the integrity of the C3PA, and with it business operations, vulnerable.
Comment: Incidents such as this one rarely get publicised. The most likely sequence of events when an employee leaves the company is this: the employee leaves, and his or her account remains active without consequence. There is no damage to the company. During the next routine check of accounts, or when a successor starts working with the same privileges, the old account gets noticed. The situation is dealt with and the account gets deleted. If an additional authentication factor such as an e-banking token was issued to the former employee, he or she may well not have returned it to the company.
There is no established and explicitly defined process, resulting in a conscious situation of neglect. However, this laissez-faire attitude has not resulted in damage yet.
A worst-case scenario for each of the risks can look as follows:
Risk | Description | Affected Areas | Damage | Frequency |
---|---|---|---|---|
R1 | Slow, continuous, unnoticed drain | CFO, Trading, Controlling, Pension fund, Treasury | High | 50 years |
R2 | Massive drain of finances | CFO, Trading, Pension Fund, Treasury, Legal | Catastrophic | Irrelevant |
R3 | Costly long term obligations | Autonomous departments, Procurement, Legal | Low | 20 years |
R4 | Non-Transparency leading to carelessness | All Areas | Irrelevant | 10 years |
Meanwhile, it can be assumed that a manager in C3PA-related areas will have established adequate processes to manage C3PA accounts, since they are the most suited to recognise and mitigate risks in their own department. However, these processes might not be known or established throughout the entire company. On the other hand, there is the distinct possibility of willingly or accidentally turning a blind eye to the obvious, and occasionally turning a blind eye to the act of turning a blind eye.
Combining time and damage, the following matrix emerges:
Frequency \ Damage | Irrelevant | Low | High | Critical | Catastrophic |
---|---|---|---|---|---|
5 years | - | - | - | - | - |
10 years | R4 | - | - | - | - |
20 years | - | R3 | - | - | - |
50 years | - | - | R1 | - | - |
Irrelevant (100 years) | - | - | - | - | R2 |
It is time to have a look at possible, pragmatic measures and to classify them. These measures seek to lower or even eliminate the non-transparency regarding C3PA and to sustainably control the process of granting as well as removing access rights.
Measure | Description |
---|---|
M1 | Accepting the status quo (do nothing) |
M2 | Declaring the principles when dealing with C3PA in corresponding policies |
M3 | C3PA self-declaration |
M4 | Addendum to employee file (HR Tools) specifying if employee has, based on their function, an account for a C3PA |
M5 | Addendum to employee termination process: Check if employee has access to C3PA |
M6 | Annual or periodical check of accounts with focus on C3PA: Request account list from operator of C3PA and check it for timeliness: Findings are being communicated and mitigated |
M7 | Random checks for C3PA, active pursuing of accounts |
M8 | Roll out reference model |
The following table shows how the measures listed above are rated in terms of quality. The main goal is to give a brief overview focusing on practicability.
Effort \ Benefit | Large | Medium | Small |
---|---|---|---|
Small | M3, M5 | M2, M7 | M1 |
Medium | - | M6, M8 | - |
Large | M4 | - | - |
Looking at the C3PA situation, three measures stand out as reasonable to pursue in order to obtain the best benefit with the least possible effort.
Because accurate information regarding C3PA is not available without considerable effort, it is recommended to have the departments using C3PA report their use and functionality. This could be part of the implementation of measures M3 and M5.
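As an added illustration of measures M4 to M6 (example code written for this article, not a tool of the author's): the account list requested from the C3PA operator is reconciled against the HR register to find accounts of former employees, accounts with no recorded C3PA entitlement, users unknown to HR and dormant accounts. The user names, the application name `ebanking` and the 180-day dormancy threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumption, not from the article):
# the account export an e-banking operator hands over for measure M6 ...
C3PA_ACCOUNTS = [
    {"user": "a.meier",  "role": "payment-approver", "last_login": date(2023, 11, 2)},
    {"user": "b.keller", "role": "payment-entry",    "last_login": date(2022, 1, 15)},
    {"user": "c.huber",  "role": "payment-approver", "last_login": date(2023, 10, 30)},
    {"user": "d.frei",   "role": "read-only",        "last_login": date(2023, 11, 1)},
]
# ... and the HR register holding the C3PA addendum per employee (measure M4).
HR_REGISTER = {
    "a.meier":  {"employed": True,  "c3pa": ["ebanking"]},
    "b.keller": {"employed": False, "c3pa": ["ebanking"]},  # termination not propagated (M5)
    "c.huber":  {"employed": True,  "c3pa": []},            # entitlement never recorded (M4)
}


def reconcile(accounts, hr, app, today, max_idle_days=180):
    """Return (user, finding) pairs for every account that needs follow-up."""
    findings = []
    for acc in accounts:
        user = acc["user"]
        rec = hr.get(user)
        if rec is None:
            findings.append((user, "unknown to HR"))
        elif not rec["employed"]:
            findings.append((user, "former employee still active"))
        elif app not in rec["c3pa"]:
            findings.append((user, "no C3PA entitlement recorded"))
        # Timeliness check: an account nobody uses is a candidate for removal.
        if (today - acc["last_login"]).days > max_idle_days:
            findings.append((user, "dormant account"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(C3PA_ACCOUNTS, HR_REGISTER, "ebanking", date(2023, 11, 15)):
        print(f"{user}: {finding}")
```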