42,20 €*
Versandkostenfrei per Post / DHL
Lieferzeit 1-2 Wochen
STRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN
Across the world, the networks of hundreds of different world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. And the advanced threats are now exploiting the intersection of weaknesses in cybersecurity and third-party risk management.
In Cybersecurity and Third-Party Risk, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities posed to an organization's network by third parties. You'll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation.
The author discusses how to conduct due diligence on the third parties connected to your company's networks and how to keep your information about them current and reliable. You'll learn about the language you need to look for in a third-party data contract whether you're offshoring or outsourcing data security arrangements.
Perfect for professionals and executives responsible for securing their organizations' systems against external threats, Cybersecurity and Third-Party Risk is an indispensable resource for all business leaders who seek to:
- Understand the fundamentals of third-party risk management
- Conduct robust intake and ongoing due diligence
- Perform on-site due diligence and close vendor risks
- Secure your software supply chain
- Utilize cloud and on-premises software securely
- Continuously monitor your third-party vendors and prevent breaches
STRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN
Across the world, the networks of hundreds of different world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. And the advanced threats are now exploiting the intersection of weaknesses in cybersecurity and third-party risk management.
In Cybersecurity and Third-Party Risk, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities posed to an organization's network by third parties. You'll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation.
The author discusses how to conduct due diligence on the third parties connected to your company's networks and how to keep your information about them current and reliable. You'll learn about the language you need to look for in a third-party data contract whether you're offshoring or outsourcing data security arrangements.
Perfect for professionals and executives responsible for securing their organizations' systems against external threats, Cybersecurity and Third-Party Risk is an indispensable resource for all business leaders who seek to:
- Understand the fundamentals of third-party risk management
- Conduct robust intake and ongoing due diligence
- Perform on-site due diligence and close vendor risks
- Secure your software supply chain
- Utilize cloud and on-premises software securely
- Continuously monitor your third-party vendors and prevent breaches
GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.
Foreword xvi
Introduction xviii
Section 1 Cybersecurity Third-Party Risk
Chapter 1 What is the Risk? 1
The SolarWinds Supply-Chain Attack 4
The VGCA Supply-Chain Attack 6
The Zyxel Backdoor Attack 9
Other Supply-Chain Attacks 10
Problem Scope 12
Compliance Does Not Equal Security 15
Third-Party Breach Examples 17
Third-Party Risk Management 24
Cybersecurity and Third-Party Risk 27
Cybersecurity Third-Party Risk as a Force Multiplier 32
Conclusion 33
Chapter 2 Cybersecurity Basics 35
Cybersecurity Basics for Third-Party Risk 38
Cybersecurity Frameworks 46
Due Care and Due Diligence 53
Cybercrime and Cybersecurity 56
Types of Cyberattacks 59
Analysis of a Breach 63
The Third-Party Breach Timeline: Target 66
Inside Look: Home Depot Breach 68
Conclusion 72
Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
The Pandemic Shutdown 77
Timeline of the Pandemic Impact on Cybersecurity 80
Post-Pandemic Changes and Trends 84
Regulated Industries 98
An Inside Look: P&N Bank 100
SolarWinds Attack Update 102
Conclusion 104
Chapter 4 Third-Party Risk Management 107
Third-Party Risk Management Frameworks 113
ISO 27036:2013+ 114
NIST 800-SP 116
NIST 800-161 Revision 1: Upcoming Revision 125
NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
The Cybersecurity and Third-Party Risk Program Management 127
Kristina Conglomerate (KC) Enterprises 128
KC Enterprises' Cyber Third-Party Risk Program 131
Inside Look: Marriott 140
Conclusion 141
Chapter 5 Onboarding Due Diligence 143
Intake 145
Data Privacy 146
Cybersecurity 147
Amount of Data 149
Country Risk and Locations 149
Connectivity 150
Data Transfer 150
Data Location 151
Service-Level Agreement or Recovery Time Objective 151
Fourth Parties 152
Software Security 152
KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
Cybersecurity in Request for Proposals 154
Data Location 155
Development 155
Identity and Access Management 156
Encryption 156
Intrusion Detection/Prevention System 157
Antivirus and Malware 157
Data Segregation 158
Data Loss Prevention 158
Notification 158
Security Audits 159
Cybersecurity Third-Party Intake 160
Data Security Intake Due Diligence 161
Next Steps 167
Ways to Become More Efficient 173
Systems and Organization Controls Reports 174
Chargebacks 177
Go-Live Production Reviews 179
Connectivity Cyber Reviews 179
Inside Look: Ticketmaster and Fourth Parties 182
Conclusion 183
Chapter 6 Ongoing Due Diligence 185
Low-Risk Vendor Ongoing Due Diligence 189
Moderate-Risk Vendor Ongoing Due Diligence 193
High-Risk Vendor Ongoing Due Diligence 196
"Too Big to Care" 197
A Note on Phishing 200
Intake and Ongoing Cybersecurity Personnel 203
Ransomware: A History and Future 203
Asset Management 205
Vulnerability and Patch Management 206
802.1x or Network Access Control (NAC) 206
Inside Look: GE Breach 207
Conclusion 208
Chapter 7 On-site Due Diligence 211
On-site Security Assessment 213
Scheduling Phase 214
Investigation Phase 215
Assessment Phase 217
On-site Questionnaire 221
Reporting Phase 227
Remediation Phase 227
Virtual On-site Assessments 229
On-site Cybersecurity Personnel 231
On-site Due Diligence and the Intake Process 233
Vendors Are Partners 234
Consortiums and Due Diligence 235
Conclusion 237
Chapter 8 Continuous Monitoring 239
What is Continuous Monitoring? 241
Vendor Security-Rating Tools 241
Inside Look: Health Share of Oregon's Breach 251
Enhanced Continuous Monitoring 252
Software Vulnerabilities/Patching Cadence 253
Fourth-Party Risk 253
Data Location 254
Connectivity Security 254
Production Deployment 255
Continuous Monitoring Cybersecurity Personnel 258
Third-Party Breaches and the Incident Process 258
Third-Party Incident Management 259
Inside Look: Uber's Delayed Data Breach Reporting 264
Inside Look: Nuance Breach 265
Conclusion 266
Chapter 9 Offboarding 267
Access to Systems, Data, and Facilities 270
Physical Access 274
Return of Equipment 275
Contract Deliverables and Ongoing Security 275
Update the Vendor Profile 276
Log Retention 276
Inside Look: Morgan Stanley
Decommissioning Process Misses 277
Inside Look: Data Sanitization 279
Conclusion 283
Section 2 Next Steps
Chapter 10 Securing the Cloud 285
Why is the Cloud So Risky? 287
Introduction to NIST Service Models 288
Vendor Cloud Security Reviews 289
The Shared Responsibility Model 290
Inside Look: Cloud Controls Matrix by the Cloud Security Alliance 295
Security Advisor Reports as Patterns 298
Inside Look: The Capital One Breach 312
Conclusion 313
Chapter 11 Cybersecurity and Legal Protections 315
Legal Terms and Protections 317
Cybersecurity Terms and Conditions 321
Offshore Terms and Conditions 324
Hosted/Cloud Terms and Conditions 327
Privacy Terms and Conditions 331
Inside Look: Heritage Valley Health vs. Nuance 334
Conclusion 335
Chapter 12 Software Due Diligence 337
The Secure Software Development Lifecycle 340
Lessons from SolarWinds and Critical Software 342
Inside Look: Juniper 344
On-Premises Software 346
Cloud Software 348
Open Web Application Security Project Explained 350
OWASP Top 10 350
OWASP Web Security Testing Guide 352
Open Source Software 353
Software Composition Analysis 355
Inside Look: Heartbleed 355
Mobile Software 357
Testing Mobile Applications 358
Code Storage 360
Conclusion 362
Chapter 13 Network Due Diligence 365
Third-Party Connections 368
Personnel Physical Security 368
Hardware Security 370
Software Security 371
Out-of-Band Security 372
Cloud Connections 374
Vendor Connectivity Lifecycle Management 375
Zero Trust for Third Parties 379
Internet of Things and Third Parties 385
Trusted Platform Module and Secure Boot 388
Inside Look: The Target Breach (2013) 390
Conclusion 391
Chapter 14 Offshore Third-Party Cybersecurity Risk 393
Onboarding Offshore Vendors 397
Ongoing Due Diligence for Offshore Vendors 399
Physical Security 399
Offboarding Due Diligence for Offshore Vendors 402
Inside Look: A Reminder on Country Risk 404
Country Risk 405
KC's Country Risk 406
Conclusion 409
Chapter 15 Transform to Predictive 411
The Data 414
Vendor Records 415
Due Diligence Records 416
Contract Language 416
Risk Acceptances 417
Continuous Monitoring 417
Enhanced Continuous Monitoring 417
How Data is Stored 418
Level Set 418
A Mature to Predictive Approach 420
The Predictive Approach at KC Enterprises 420
Use Case #1: Early Intervention 423
Use Case #2: Red Vendors 425
Use Case #3: Reporting 426
Conclusion 427
Chapter 16 Conclusion 429
Advanced Persistent Threats Are the New Danger 431
Cybersecurity Third-Party Risk 435
Index 445
| Erscheinungsjahr: | 2021 |
|---|---|
| Fachbereich: | Datenkommunikation, Netze & Mailboxen |
| Genre: | Importe, Informatik |
| Rubrik: | Naturwissenschaften & Technik |
| Medium: | Taschenbuch |
| Inhalt: | 480 S. |
| ISBN-13: | 9781119809555 |
| ISBN-10: | 111980955X |
| Sprache: | Englisch |
| Einband: | Kartoniert / Broschiert |
| Autor: | Rasner, Gregory C |
| Hersteller: | Wiley |
| Verantwortliche Person für die EU: | Wiley-VCH GmbH, Boschstr. 12, D-69469 Weinheim, product-safety@wiley.com |
| Maße: | 225 x 152 x 26 mm |
| Von/Mit: | Gregory C Rasner |
| Erscheinungsdatum: | 21.07.2021 |
| Gewicht: | 0,634 kg |
GREGORY C. RASNER is the lead of Cyber Third-Party Risk at Truist Financial Corporation. He has extensive experience in cybersecurity and technology leadership in banking, biotech, software, telecom, and manufacturing. He is the author of several published articles on Third Party Risk and is a sought-after keynote speaker in this area.
Foreword xvi
Introduction xviii
Section 1 Cybersecurity Third-Party Risk
Chapter 1 What is the Risk? 1
The SolarWinds Supply-Chain Attack 4
The VGCA Supply-Chain Attack 6
The Zyxel Backdoor Attack 9
Other Supply-Chain Attacks 10
Problem Scope 12
Compliance Does Not Equal Security 15
Third-Party Breach Examples 17
Third-Party Risk Management 24
Cybersecurity and Third-Party Risk 27
Cybersecurity Third-Party Risk as a Force Multiplier 32
Conclusion 33
Chapter 2 Cybersecurity Basics 35
Cybersecurity Basics for Third-Party Risk 38
Cybersecurity Frameworks 46
Due Care and Due Diligence 53
Cybercrime and Cybersecurity 56
Types of Cyberattacks 59
Analysis of a Breach 63
The Third-Party Breach Timeline: Target 66
Inside Look: Home Depot Breach 68
Conclusion 72
Chapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75
The Pandemic Shutdown 77
Timeline of the Pandemic Impact on Cybersecurity 80
Post-Pandemic Changes and Trends 84
Regulated Industries 98
An Inside Look: P&N Bank 100
SolarWinds Attack Update 102
Conclusion 104
Chapter 4 Third-Party Risk Management 107
Third-Party Risk Management Frameworks 113
ISO 27036:2013+ 114
NIST 800-SP 116
NIST 800-161 Revision 1: Upcoming Revision 125
NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125
The Cybersecurity and Third-Party Risk Program Management 127
Kristina Conglomerate (KC) Enterprises 128
KC Enterprises' Cyber Third-Party Risk Program 131
Inside Look: Marriott 140
Conclusion 141
Chapter 5 Onboarding Due Diligence 143
Intake 145
Data Privacy 146
Cybersecurity 147
Amount of Data 149
Country Risk and Locations 149
Connectivity 150
Data Transfer 150
Data Location 151
Service-Level Agreement or Recovery Time Objective 151
Fourth Parties 152
Software Security 152
KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire 153
Cybersecurity in Request for Proposals 154
Data Location 155
Development 155
Identity and Access Management 156
Encryption 156
Intrusion Detection/Prevention System 157
Antivirus and Malware 157
Data Segregation 158
Data Loss Prevention 158
Notification 158
Security Audits 159
Cybersecurity Third-Party Intake 160
Data Security Intake Due Diligence 161
Next Steps 167
Ways to Become More Efficient 173
Systems and Organization Controls Reports 174
Chargebacks 177
Go-Live Production Reviews 179
Connectivity Cyber Reviews 179
Inside Look: Ticketmaster and Fourth Parties 182
Conclusion 183
Chapter 6 Ongoing Due Diligence 185
Low-Risk Vendor Ongoing Due Diligence 189
Moderate-Risk Vendor Ongoing Due Diligence 193
High-Risk Vendor Ongoing Due Diligence 196
"Too Big to Care" 197
A Note on Phishing 200
Intake and Ongoing Cybersecurity Personnel 203
Ransomware: A History and Future 203
Asset Management 205
Vulnerability and Patch Management 206
802.1x or Network Access Control (NAC) 206
Inside Look: GE Breach 207
Conclusion 208
Chapter 7 On-site Due Diligence 211
On-site Security Assessment 213
Scheduling Phase 214
Investigation Phase 215
Assessment Phase 217
On-site Questionnaire 221
Reporting Phase 227
Remediation Phase 227
Virtual On-site Assessments 229
On-site Cybersecurity Personnel 231
On-site Due Diligence and the Intake Process 233
Vendors Are Partners 234
Consortiums and Due Diligence 235
Conclusion 237
Chapter 8 Continuous Monitoring 239
What is Continuous Monitoring? 241
Vendor Security-Rating Tools 241
Inside Look: Health Share of Oregon's Breach 251
Enhanced Continuous Monitoring 252
Software Vulnerabilities/Patching Cadence 253
Fourth-Party Risk 253
Data Location 254
Connectivity Security 254
Production Deployment 255
Continuous Monitoring Cybersecurity Personnel 258
Third-Party Breaches and the Incident Process 258
Third-Party Incident Management 259
Inside Look: Uber's Delayed Data Breach Reporting 264
Inside Look: Nuance Breach 265
Conclusion 266
Chapter 9 Offboarding 267
Access to Systems, Data, and Facilities 270
Physical Access 274
Return of Equipment 275
Contract Deliverables and Ongoing Security 275
Update the Vendor Profile 276
Log Retention 276
Inside Look: Morgan Stanley
Decommissioning Process Misses 277
Inside Look: Data Sanitization 279
Conclusion 283
Section 2 Next Steps
Chapter 10 Securing the Cloud 285
Why is the Cloud So Risky? 287
Introduction to NIST Service Models 288
Vendor Cloud Security Reviews 289
The Shared Responsibility Model 290
Inside Look: Cloud Controls Matrix by the Cloud Security Alliance 295
Security Advisor Reports as Patterns 298
Inside Look: The Capital One Breach 312
Conclusion 313
Chapter 11 Cybersecurity and Legal Protections 315
Legal Terms and Protections 317
Cybersecurity Terms and Conditions 321
Offshore Terms and Conditions 324
Hosted/Cloud Terms and Conditions 327
Privacy Terms and Conditions 331
Inside Look: Heritage Valley Health vs. Nuance 334
Conclusion 335
Chapter 12 Software Due Diligence 337
The Secure Software Development Lifecycle 340
Lessons from SolarWinds and Critical Software 342
Inside Look: Juniper 344
On-Premises Software 346
Cloud Software 348
Open Web Application Security Project Explained 350
OWASP Top 10 350
OWASP Web Security Testing Guide 352
Open Source Software 353
Software Composition Analysis 355
Inside Look: Heartbleed 355
Mobile Software 357
Testing Mobile Applications 358
Code Storage 360
Conclusion 362
Chapter 13 Network Due Diligence 365
Third-Party Connections 368
Personnel Physical Security 368
Hardware Security 370
Software Security 371
Out-of-Band Security 372
Cloud Connections 374
Vendor Connectivity Lifecycle Management 375
Zero Trust for Third Parties 379
Internet of Things and Third Parties 385
Trusted Platform Module and Secure Boot 388
Inside Look: The Target Breach (2013) 390
Conclusion 391
Chapter 14 Offshore Third-Party Cybersecurity Risk 393
Onboarding Offshore Vendors 397
Ongoing Due Diligence for Offshore Vendors 399
Physical Security 399
Offboarding Due Diligence for Offshore Vendors 402
Inside Look: A Reminder on Country Risk 404
Country Risk 405
KC's Country Risk 406
Conclusion 409
Chapter 15 Transform to Predictive 411
The Data 414
Vendor Records 415
Due Diligence Records 416
Contract Language 416
Risk Acceptances 417
Continuous Monitoring 417
Enhanced Continuous Monitoring 417
How Data is Stored 418
Level Set 418
A Mature to Predictive Approach 420
The Predictive Approach at KC Enterprises 420
Use Case #1: Early Intervention 423
Use Case #2: Red Vendors 425
Use Case #3: Reporting 426
Conclusion 427
Chapter 16 Conclusion 429
Advanced Persistent Threats Are the New Danger 431
Cybersecurity Third-Party Risk 435
Index 445
| Erscheinungsjahr: | 2021 |
|---|---|
| Fachbereich: | Datenkommunikation, Netze & Mailboxen |
| Genre: | Importe, Informatik |
| Rubrik: | Naturwissenschaften & Technik |
| Medium: | Taschenbuch |
| Inhalt: | 480 S. |
| ISBN-13: | 9781119809555 |
| ISBN-10: | 111980955X |
| Sprache: | Englisch |
| Einband: | Kartoniert / Broschiert |
| Autor: | Rasner, Gregory C |
| Hersteller: | Wiley |
| Verantwortliche Person für die EU: | Wiley-VCH GmbH, Boschstr. 12, D-69469 Weinheim, product-safety@wiley.com |
| Maße: | 225 x 152 x 26 mm |
| Von/Mit: | Gregory C Rasner |
| Erscheinungsdatum: | 21.07.2021 |
| Gewicht: | 0,634 kg |
Ähnliche Produkte
Lieferzeit 1-2 Werktage
Lieferzeit 1-2 Werktage
Lieferzeit 4-7 Werktage
Lieferzeit 2-4 Werktage