Cybersecurity and Third-Party Risk. Gregory C. Rasner

Cybersecurity, like many technology‐based careers, is complex and typically takes a good deal of training, studying, and immersion in the field to become proficient. The basic cybersecurity triad of Confidentiality, Integrity and Availability can serve as guideposts for any risk discussion around data protection and third parties. Information security focuses on ensuring that data stays restricted to those authorized to access it, protected so it is not altered, and accessible to those permitted to get to access it. Cybersecurity can cover a wide spectrum of activities in most enterprise networks, and will be the basis for how due diligence and due care activities are to be performed in upcoming chapters.

      Cybersecurity frameworks provide organizations with guides to how to lower their risk to security incidents. Frameworks to focus on include NIST‐CSF, ISO 27001 and 27002, NIST‐853, Federal Information Security Management Act of 2002 (FISMA), New York Department of Financial Services (NYDFS), and any that are applicable to the industry, country, or region where business is conducted. The adoption and adherence to one or more of these structures informs the customer how the vendor approaches this risk reduction. Speaking to them in their “language” by understanding their framework adoption can ease discussions about gap analysis and remediation steps.

      The types of cybercrime and cyber threats are always evolving. Advanced Persistent Threats (APTs) and cybercriminal organizations pose the largest threat to others as they tend to have near infinite time, resources, and energy. The types of attacks are equally varied, but the ones that are most often impactful or seen recently have been phishing and ransomware attacks. Social engineering using fake emails to fool an insider to give away their credentials, or to download malware that encrypts all their files, is often that path of least resistance for a hacker.

Understanding how a breach is performed was broken down into the five steps—research, intrusion, lateral movement, privilege escalation, and exfiltration—and we included a walkthrough of how it was accomplished at Target. The five steps (i.e., phases) illustrated how most of the APTs and cybercriminals approach their work and how the steps are important to when and how a breach can be stopped. If the cybersecurity team's detective work can catch a breach in the intrusion or lateral movement stages, there is a good chance of containing the effects with minimal damage and data loss. However, if their detection isn't until the exfiltration phase (which is often when detection occurs as the damage the hackers have done becomes known), then there's zero chance to stop the loss of data and damage. This is why cybersecurity professionals push tools like as IDS/IPS and DLP, among others, to amp up the detection capability.