42,25 €*
Versandkostenfrei per Post / DHL
Lieferzeit 1-2 Wochen
Over the last decade, there have been hundreds of big-name organizations in every sector that have experienced a public breach due to a vendor. While the media tends to focus on high-profile breaches like those that hit Target in 2013 and Equifax in 2017, 2020 has ushered in a huge wave of cybersecurity attacks, a near 800% increase in cyberattack activity as millions of workers shifted to working remotely in the wake of a global pandemic.
The 2020 SolarWinds supply-chain attack illustrates that lasting impact of this dramatic increase in cyberattacks. Using a technique known as Advanced Persistent Threat (APT), a sophisticated hacker leveraged APT to steal information from multiple organizations from Microsoft to the Department of Homeland Security not by attacking targets directly, but by attacking a trusted partner or vendor. In addition to exposing third-party risk vulnerabilities for other hackers to exploit, the damage from this one attack alone will continue for years, and there are no signs that cyber breaches are slowing.
Cybersecurity and Third-Party Risk delivers proven, active, and predictive risk reduction strategies and tactics designed to keep you and your organization safe. Cybersecurity and IT expert and author Gregory Rasner shows you how to transform third-party risk from an exercise in checklist completion to a proactive and effective process of risk mitigation.
* Understand the basics of third-party risk management
* Conduct due diligence on third parties connected to your network
* Keep your data and sensitive information current and reliable
* Incorporate third-party data requirements for offshoring, fourth-party hosting, and data security arrangements into your vendor contracts
* Learn valuable lessons from devasting breaches suffered by other companies like Home Depot, GM, and Equifax
The time to talk cybersecurity with your data partners is now.
Cybersecurity and Third-Party Risk is a must-read resource for business leaders and security professionals looking for a practical roadmap to avoiding the massive reputational and financial losses that come with third-party security breaches.
Over the last decade, there have been hundreds of big-name organizations in every sector that have experienced a public breach due to a vendor. While the media tends to focus on high-profile breaches like those that hit Target in 2013 and Equifax in 2017, 2020 has ushered in a huge wave of cybersecurity attacks, a near 800% increase in cyberattack activity as millions of workers shifted to working remotely in the wake of a global pandemic.
The 2020 SolarWinds supply-chain attack illustrates that lasting impact of this dramatic increase in cyberattacks. Using a technique known as Advanced Persistent Threat (APT), a sophisticated hacker leveraged APT to steal information from multiple organizations from Microsoft to the Department of Homeland Security not by attacking targets directly, but by attacking a trusted partner or vendor. In addition to exposing third-party risk vulnerabilities for other hackers to exploit, the damage from this one attack alone will continue for years, and there are no signs that cyber breaches are slowing.
Cybersecurity and Third-Party Risk delivers proven, active, and predictive risk reduction strategies and tactics designed to keep you and your organization safe. Cybersecurity and IT expert and author Gregory Rasner shows you how to transform third-party risk from an exercise in checklist completion to a proactive and effective process of risk mitigation.
* Understand the basics of third-party risk management
* Conduct due diligence on third parties connected to your network
* Keep your data and sensitive information current and reliable
* Incorporate third-party data requirements for offshoring, fourth-party hosting, and data security arrangements into your vendor contracts
* Learn valuable lessons from devasting breaches suffered by other companies like Home Depot, GM, and Equifax
The time to talk cybersecurity with your data partners is now.
Cybersecurity and Third-Party Risk is a must-read resource for business leaders and security professionals looking for a practical roadmap to avoiding the massive reputational and financial losses that come with third-party security breaches.
GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.
Foreword xvi
Introduction xviii
Section 1 Cybersecurity Third-Party Risk
Chapter 1 What is the Risk? 1
The SolarWinds Supply-Chain Attack 4
The VGCA Supply-Chain Attack 6
The Zyxel Backdoor Attack 9
Other Supply-Chain Attacks 10
Problem Scope 12
Compliance Does Not Equal Security 15
Third-Party Breach Examples 17
Third-Party Risk Management 24
Cybersecurity and Third-Party Risk 27
Cybersecurity Third-Party Risk as a Force Multiplier 32
Conclusion 33
Chapter 2 Cybersecurity Basics 35
Cybersecurity Basics for Third-Party Risk 38
Cybersecurity Frameworks 46
Due Care and Due Diligence 53
Cybercrime and Cybersecurity 56
Types of Cyberattacks 59
Analysis of a Breach 63
The Third-Party Breach Timeline: Target 66
Inside Look: Home Depot Breach 68
Conclusion 72
Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
The Pandemic Shutdown 77
Timeline of the Pandemic Impact on Cybersecurity 80
Post-Pandemic Changes and Trends 84
Regulated Industries 98
An Inside Look: P&N Bank 100
SolarWinds Attack Update 102
Conclusion 104
Chapter 4 Third-Party Risk Management 107
Third-Party Risk Management Frameworks 113
ISO 27036:2013+ 114
NIST 800-SP 116
NIST 800-161 Revision 1: Upcoming Revision 125
NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
The Cybersecurity and Third-Party Risk Program Management 127
Kristina Conglomerate (KC) Enterprises 128
KC Enterprises' Cyber Third-Party Risk Program 131
Inside Look: Marriott 140
Conclusion 141
Chapter 5 Onboarding Due Diligence 143
Intake 145
Data Privacy 146
Cybersecurity 147
Amount of Data 149
Country Risk and Locations 149
Connectivity 150
Data Transfer 150
Data Location 151
Service-Level Agreement or Recovery Time Objective 151
Fourth Parties 152
Software Security 152
KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
Cybersecurity in Request for Proposals 154
Data Location 155
Development 155
Identity and Access Management 156
Encryption 156
Intrusion Detection/Prevention System 157
Antivirus and Malware 157
Data Segregation 158
Data Loss Prevention 158
Notification 158
Security Audits 159
Cybersecurity Third-Party Intake 160
Data Security Intake Due Diligence 161
Next Steps 167
Ways to Become More Efficient 173
Systems and Organization Controls Reports 174
Chargebacks 177
Go-Live Production Reviews 179
Connectivity Cyber Reviews 179
Inside Look: Ticketmaster and Fourth Parties 182
Conclusion 183
Chapter 6 Ongoing Due Diligence 185
Low-Risk Vendor Ongoing Due Diligence 189
Moderate-Risk Vendor Ongoing Due Diligence 193
High-Risk Vendor Ongoing Due Diligence 196
"Too Big to Care" 197
A Note on Phishing 200
Intake and Ongoing Cybersecurity Personnel 203
Ransomware: A History and Future 203
Asset Management 205
Vulnerability and Patch Management 206
802.1x or Network Access Control (NAC) 206
Inside Look: GE Breach 207
Conclusion 208
Chapter 7 On-site Due Diligence 211
On-site Security Assessment 213
Scheduling Phase 214
Investigation Phase 215
Assessment Phase 217
On-site Questionnaire 221
Reporting Phase 227
Remediation Phase 227
Virtual On-site Assessments 229
On-site Cybersecurity Personnel 231
On-site Due Diligence and the Intake Process 233
Vendors Are Partners 234
Consortiums and Due Diligence 235
Conclusion 237
Chapter 8 Continuous Monitoring 239
What is Continuous Monitoring? 241
Vendor Security-Rating Tools 241
Inside Look: Health Share of Oregon's Breach 251
Enhanced Continuous Monitoring 252
Software Vulnerabilities/Patching Cadence 253
Fourth-Party Risk 253
Data Location 254
Connectivity Security 254
Production Deployment 255
Continuous Monitoring Cybersecurity Personnel 258
Third-Party Breaches and the Incident Process 258
Third-Party Incident Management 259
Inside Look: Uber's Delayed Data Breach Reporting 264
Inside Look: Nuance Breach 265
Conclusion 266
Chapter 9 Offboarding 267
Access to Systems, Data, and Facilities 270
Physical Access 274
Return of Equipment 275
Contract Deliverables and Ongoing Security 275
Update the Vendor Profile 276
Log Retention 276
Inside Look: Morgan Stanley
Decommissioning Process Misses 277
Inside Look: Data Sanitization 279
Conclusion 283
Section 2 Next Steps
Chapter 10 Securing the Cloud 285
Why is the Cloud So Risky? 287
Introduction to NIST Service Models 288
Vendor Cloud Security Reviews 289
The Shared Responsibility Model 290
Inside Look: Cloud Controls Matrix by the Cloud Security Alliance 295
Security Advisor Reports as Patterns 298
Inside Look: The Capital One Breach 312
Conclusion 313
Chapter 11 Cybersecurity and Legal Protections 315
Legal Terms and Protections 317
Cybersecurity Terms and Conditions 321
Offshore Terms and Conditions 324
Hosted/Cloud Terms and Conditions 327
Privacy Terms and Conditions 331
Inside Look: Heritage Valley Health vs. Nuance 334
Conclusion 335
Chapter 12 Software Due Diligence 337
The Secure Software Development Lifecycle 340
Lessons from SolarWinds and Critical Software 342
Inside Look: Juniper 344
On-Premises Software 346
Cloud Software 348
Open Web Application Security Project Explained 350
OWASP Top 10 350
OWASP Web Security Testing Guide 352
Open Source Software 353
Software Composition Analysis 355
Inside Look: Heartbleed 355
Mobile Software 357
Testing Mobile Applications 358
Code Storage 360
Conclusion 362
Chapter 13 Network Due Diligence 365
Third-Party Connections 368
Personnel Physical Security 368
Hardware Security 370
Software Security 371
Out-of-Band Security 372
Cloud Connections 374
Vendor Connectivity Lifecycle Management 375
Zero Trust for Third Parties 379
Internet of Things and Third Parties 385
Trusted Platform Module and Secure Boot 388
Inside Look: The Target Breach (2013) 390
Conclusion 391
Chapter 14 Offshore Third-Party Cybersecurity Risk 393
Onboarding Offshore Vendors 397
Ongoing Due Diligence for Offshore Vendors 399
Physical Security 399
Offboarding Due Diligence for Offshore Vendors 402
Inside Look: A Reminder on Country Risk 404
Country Risk 405
KC's Country Risk 406
Conclusion 409
Chapter 15 Transform to Predictive 411
The Data 414
Vendor Records 415
Due Diligence Records 416
Contract Language 416
Risk Acceptances 417
Continuous Monitoring 417
Enhanced Continuous Monitoring 417
How Data is Stored 418
Level Set 418
A Mature to Predictive Approach 420
The Predictive Approach at KC Enterprises 420
Use Case #1: Early Intervention 423
Use Case #2: Red Vendors 425
Use Case #3: Reporting 426
Conclusion 427
Chapter 16 Conclusion 429
Advanced Persistent Threats Are the New Danger 431
Cybersecurity Third-Party Risk 435
Index 445
Erscheinungsjahr: | 2021 |
---|---|
Fachbereich: | Datenkommunikation, Netze & Mailboxen |
Genre: | Informatik |
Rubrik: | Naturwissenschaften & Technik |
Medium: | Taschenbuch |
Inhalt: | 480 S. |
ISBN-13: | 9781119809555 |
ISBN-10: | 111980955X |
Sprache: | Englisch |
Einband: | Kartoniert / Broschiert |
Autor: | Rasner, Gregory C. |
Hersteller: | John Wiley & Sons Inc |
Maße: | 225 x 152 x 26 mm |
Von/Mit: | Gregory C. Rasner |
Erscheinungsdatum: | 16.08.2021 |
Gewicht: | 0,634 kg |
GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.
Foreword xvi
Introduction xviii
Section 1 Cybersecurity Third-Party Risk
Chapter 1 What is the Risk? 1
The SolarWinds Supply-Chain Attack 4
The VGCA Supply-Chain Attack 6
The Zyxel Backdoor Attack 9
Other Supply-Chain Attacks 10
Problem Scope 12
Compliance Does Not Equal Security 15
Third-Party Breach Examples 17
Third-Party Risk Management 24
Cybersecurity and Third-Party Risk 27
Cybersecurity Third-Party Risk as a Force Multiplier 32
Conclusion 33
Chapter 2 Cybersecurity Basics 35
Cybersecurity Basics for Third-Party Risk 38
Cybersecurity Frameworks 46
Due Care and Due Diligence 53
Cybercrime and Cybersecurity 56
Types of Cyberattacks 59
Analysis of a Breach 63
The Third-Party Breach Timeline: Target 66
Inside Look: Home Depot Breach 68
Conclusion 72
Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
The Pandemic Shutdown 77
Timeline of the Pandemic Impact on Cybersecurity 80
Post-Pandemic Changes and Trends 84
Regulated Industries 98
An Inside Look: P&N Bank 100
SolarWinds Attack Update 102
Conclusion 104
Chapter 4 Third-Party Risk Management 107
Third-Party Risk Management Frameworks 113
ISO 27036:2013+ 114
NIST 800-SP 116
NIST 800-161 Revision 1: Upcoming Revision 125
NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
The Cybersecurity and Third-Party Risk Program Management 127
Kristina Conglomerate (KC) Enterprises 128
KC Enterprises' Cyber Third-Party Risk Program 131
Inside Look: Marriott 140
Conclusion 141
Chapter 5 Onboarding Due Diligence 143
Intake 145
Data Privacy 146
Cybersecurity 147
Amount of Data 149
Country Risk and Locations 149
Connectivity 150
Data Transfer 150
Data Location 151
Service-Level Agreement or Recovery Time Objective 151
Fourth Parties 152
Software Security 152
KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
Cybersecurity in Request for Proposals 154
Data Location 155
Development 155
Identity and Access Management 156
Encryption 156
Intrusion Detection/Prevention System 157
Antivirus and Malware 157
Data Segregation 158
Data Loss Prevention 158
Notification 158
Security Audits 159
Cybersecurity Third-Party Intake 160
Data Security Intake Due Diligence 161
Next Steps 167
Ways to Become More Efficient 173
Systems and Organization Controls Reports 174
Chargebacks 177
Go-Live Production Reviews 179
Connectivity Cyber Reviews 179
Inside Look: Ticketmaster and Fourth Parties 182
Conclusion 183
Chapter 6 Ongoing Due Diligence 185
Low-Risk Vendor Ongoing Due Diligence 189
Moderate-Risk Vendor Ongoing Due Diligence 193
High-Risk Vendor Ongoing Due Diligence 196
"Too Big to Care" 197
A Note on Phishing 200
Intake and Ongoing Cybersecurity Personnel 203
Ransomware: A History and Future 203
Asset Management 205
Vulnerability and Patch Management 206
802.1x or Network Access Control (NAC) 206
Inside Look: GE Breach 207
Conclusion 208
Chapter 7 On-site Due Diligence 211
On-site Security Assessment 213
Scheduling Phase 214
Investigation Phase 215
Assessment Phase 217
On-site Questionnaire 221
Reporting Phase 227
Remediation Phase 227
Virtual On-site Assessments 229
On-site Cybersecurity Personnel 231
On-site Due Diligence and the Intake Process 233
Vendors Are Partners 234
Consortiums and Due Diligence 235
Conclusion 237
Chapter 8 Continuous Monitoring 239
What is Continuous Monitoring? 241
Vendor Security-Rating Tools 241
Inside Look: Health Share of Oregon's Breach 251
Enhanced Continuous Monitoring 252
Software Vulnerabilities/Patching Cadence 253
Fourth-Party Risk 253
Data Location 254
Connectivity Security 254
Production Deployment 255
Continuous Monitoring Cybersecurity Personnel 258
Third-Party Breaches and the Incident Process 258
Third-Party Incident Management 259
Inside Look: Uber's Delayed Data Breach Reporting 264
Inside Look: Nuance Breach 265
Conclusion 266
Chapter 9 Offboarding 267
Access to Systems, Data, and Facilities 270
Physical Access 274
Return of Equipment 275
Contract Deliverables and Ongoing Security 275
Update the Vendor Profile 276
Log Retention 276
Inside Look: Morgan Stanley
Decommissioning Process Misses 277
Inside Look: Data Sanitization 279
Conclusion 283
Section 2 Next Steps
Chapter 10 Securing the Cloud 285
Why is the Cloud So Risky? 287
Introduction to NIST Service Models 288
Vendor Cloud Security Reviews 289
The Shared Responsibility Model 290
Inside Look: Cloud Controls Matrix by the Cloud Security Alliance 295
Security Advisor Reports as Patterns 298
Inside Look: The Capital One Breach 312
Conclusion 313
Chapter 11 Cybersecurity and Legal Protections 315
Legal Terms and Protections 317
Cybersecurity Terms and Conditions 321
Offshore Terms and Conditions 324
Hosted/Cloud Terms and Conditions 327
Privacy Terms and Conditions 331
Inside Look: Heritage Valley Health vs. Nuance 334
Conclusion 335
Chapter 12 Software Due Diligence 337
The Secure Software Development Lifecycle 340
Lessons from SolarWinds and Critical Software 342
Inside Look: Juniper 344
On-Premises Software 346
Cloud Software 348
Open Web Application Security Project Explained 350
OWASP Top 10 350
OWASP Web Security Testing Guide 352
Open Source Software 353
Software Composition Analysis 355
Inside Look: Heartbleed 355
Mobile Software 357
Testing Mobile Applications 358
Code Storage 360
Conclusion 362
Chapter 13 Network Due Diligence 365
Third-Party Connections 368
Personnel Physical Security 368
Hardware Security 370
Software Security 371
Out-of-Band Security 372
Cloud Connections 374
Vendor Connectivity Lifecycle Management 375
Zero Trust for Third Parties 379
Internet of Things and Third Parties 385
Trusted Platform Module and Secure Boot 388
Inside Look: The Target Breach (2013) 390
Conclusion 391
Chapter 14 Offshore Third-Party Cybersecurity Risk 393
Onboarding Offshore Vendors 397
Ongoing Due Diligence for Offshore Vendors 399
Physical Security 399
Offboarding Due Diligence for Offshore Vendors 402
Inside Look: A Reminder on Country Risk 404
Country Risk 405
KC's Country Risk 406
Conclusion 409
Chapter 15 Transform to Predictive 411
The Data 414
Vendor Records 415
Due Diligence Records 416
Contract Language 416
Risk Acceptances 417
Continuous Monitoring 417
Enhanced Continuous Monitoring 417
How Data is Stored 418
Level Set 418
A Mature to Predictive Approach 420
The Predictive Approach at KC Enterprises 420
Use Case #1: Early Intervention 423
Use Case #2: Red Vendors 425
Use Case #3: Reporting 426
Conclusion 427
Chapter 16 Conclusion 429
Advanced Persistent Threats Are the New Danger 431
Cybersecurity Third-Party Risk 435
Index 445
Erscheinungsjahr: | 2021 |
---|---|
Fachbereich: | Datenkommunikation, Netze & Mailboxen |
Genre: | Informatik |
Rubrik: | Naturwissenschaften & Technik |
Medium: | Taschenbuch |
Inhalt: | 480 S. |
ISBN-13: | 9781119809555 |
ISBN-10: | 111980955X |
Sprache: | Englisch |
Einband: | Kartoniert / Broschiert |
Autor: | Rasner, Gregory C. |
Hersteller: | John Wiley & Sons Inc |
Maße: | 225 x 152 x 26 mm |
Von/Mit: | Gregory C. Rasner |
Erscheinungsdatum: | 16.08.2021 |
Gewicht: | 0,634 kg |