Hi, folks, Ed Amoroso here and I want to talk to you in this video about something called third party security. Now, what do I mean by third party? A party is sort of an entity, a business entity. And the first party is you. So you're running a business. You call yourself the first party and it's all the things that you own and operate. The second party is your customer, whoever's buying, whoever you're doing deals with to sell services, products, or whatever. Third parties are organizations that sit in support of your mission to your customer. Do you follow? It could be a lawyer, it could be a contact center, it could be your vendor, it could be an auditor, it could be marketing experts, it could be consultants. These are all third parties that only exist to help you serve your customer.
Now, here's a basic concept that you need to keep in mind as you learn more about cyber security. To you, the first party, the third party looks like an external organization that you're connected to, that's off doing its thing. But to the second party, to your customer, you, the first party and your third party appear as one.
When you go to your local phone store and you sign up for 5G service and you come out with your nice iPhone and you're all set and you've got whatever. Do you know or care or have one iota of concern about who their third party tech center is that's supporting some aspect of their infrastructure? Couldn't care less. And if they got hacked and as a result your information was lost, do you agree that the customer doesn't care that it was the third party, they care that they did the deal with you? I walked into your store. I bought your phone. I bought your service. You're my vendor. If you decide you want to use a third party, well, that's your problem.
That's something that I think is very poorly captured a lot of times in our industry. Sometimes, you'll see a first party having a third party hacked. They'll blame the third party, call it their hack.
I think that's nonsense.
Now, how does this happen? It happens when a third party requires access to the company. Let's have some company, orders.company.com, and they need access, who knows what they're doing, they're supporting some aspect of ordering and they come in and what has to happen is the enterprise firewall perimeter has to provide access to some gateway. The gateway probably is going to check their IP address, maybe ask for a password, do whatever. Once they're okay, it drops them on a LAN and allows them to sort of forward their access to some production system. And really, they're supposed to get to the production system and turn upward to the order server. But what's to stop them from turning downward to your finance server?
You could say, well, I'd have security and that's the whole point. If you have some security, then do it. And what is it you would put there, what are the tools we've spent so much time talking about? Cryptography, authentication, firewall, intrusion detection, log files, a SIEM. You [INAUDIBLE] something and figure out what you're going to do. And it's not so obvious what you do because you're inside this big blob of a perimeter where you've decided that the things inside are trusted, the things outside are not, and most of your security is on that demilitarized zone, that DMZ, between out and in.
But if you're letting outsiders in, then you have basically the possibility that you could have a compromised insider, a disgruntled angry third party. Now they could also be in your company, insiders could be anywhere. You could have somebody who just doesn't like you as a boss and is going to go hit your finance server. But in this case of third parties, it's kind of an intense case. Because you're allowing groups of individuals you don't manage. You don't know where they come from. You have no idea what the hiring practice is. You may have no idea what their local area network looks like.
Maybe you do some risk management, maybe you make them fill out some compliance forms, whatever. But you don't know a lot about them. You're letting them come in, they get on to your network and they can steer pretty much anywhere they want. We've seen some colossal attacks that have occurred as a result of this weakness.
So I hope that's something that you kind of get, first, second, third party. Third parties look like part of you, the first party, to a second party. Third parties gain access to the enterprise through specifically open ports to gateways. Once they've authenticated, they have access to the whole place and instead of steering to the order network where they're supposed to go, they can steer to some other thing like a finance server. That's the basic template through which third party security attacks have tended to occur.
Kind of the best answer here I think is the first one. Maybe you could argue a little bit around the BFC. There might be some element there. But really A is an important one. This idea that a third party involves infrastructure, people, process that you just can't control as a first party, you can try but you're not going to be able to do it very effectively.
So I hope this has been useful, I hope it gives you a clear insight into the way third party cyber security attacks have been occurring to so many businesses around the world. I'll see you in the next video.