
At the end of September, it was reported that an IT service provider, Tyler Technology (a Texas-based company that bills itself as the largest provider of software and technology services to the United States public sector), was hit with ransomware. It is now assumed that the Tyler credentials used to manage its customers were exfiltrated.


To help answer the many questions along the lines of "how do I know I'm safe from this third-party breach", the SANS Institute has come out with some general recommendations for how to manage remote access for partners and contractors.


Here are some tips to improve operational security when working with third parties.


  • Know "who's behind the keyboard". Are the third-party employees on the payroll and dedicated to you (read: they know you and your business)? Are they also contractors? Are they located in the same country as you?
  • When it's not mandatory, do not keep the remote access open 24x7. All access requests must be approved following a procedure.
  • Do not grant full access to your infrastructure. Restrict the third party's rights to the minimum resources needed to perform its job (least privilege). Keep segmentation in mind. Restrict its access to a jump host that will be used to enforce more security controls.
  • Keep logs of who did what, when, why, and from where. Log everything: all connections, all commands. Example: detect an unforeseen connection from an unusual location outside business hours.
  • Keep an inventory of your partners and their installed software. Force them to upgrade it and audit the settings.
  • Enable the security settings available in the deployed tools. Example: enable MFA, activate client-side certificates, provide security tokens.
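
The approval, jump-host and logging tips above can be combined into one automated review of connection logs. The following Python code is an added example, not part of the SANS recommendations or the original post; the account names, hosts, policy values and log format are constructed assumptions.

```python
from datetime import datetime, time

# Constructed policy for a hypothetical partner; "approved" holds granted request windows.
POLICY = {
    "vendor-acme": {
        "countries": {"US"},                 # where this partner's staff work
        "jump_hosts": {"jump01"},            # only permitted entry point
        "hours": (time(8, 0), time(18, 0)),  # business hours, Monday to Friday
        "approved": [(datetime(2024, 1, 8, 9, 0), datetime(2024, 1, 8, 12, 0))],
    }
}

# Constructed log lines: timestamp, account, source country, destination host.
SAMPLE_LOG = """\
2024-01-08T09:30:00 vendor-acme US jump01
2024-01-08T23:10:00 vendor-acme XX jump01
2024-01-09T10:00:00 vendor-acme US db01
2024-01-13T11:00:00 unknown-partner US jump01
"""

def review_connection(line):
    """Return the policy violations for one log line (empty list if clean)."""
    fields = line.split()
    if len(fields) != 4:
        return ["unparseable log line"]
    ts = datetime.fromisoformat(fields[0])
    account, country, host = fields[1:]
    policy = POLICY.get(account)
    if policy is None:
        return ["account not in partner inventory"]
    findings = []
    if not any(start <= ts <= end for start, end in policy["approved"]):
        findings.append("no approved access request")
    if country not in policy["countries"]:
        findings.append("unusual location")
    opens, closes = policy["hours"]
    if ts.weekday() >= 5 or not (opens <= ts.time() <= closes):
        findings.append("outside business hours")
    if host not in policy["jump_hosts"]:
        findings.append("bypassed jump host")
    return findings

def review_log(text):
    """Map each flagged log line to its list of findings."""
    checked = ((l, review_connection(l)) for l in text.splitlines() if l.strip())
    return {line: found for line, found in checked if found}

if __name__ == "__main__":
    print("\n".join(f"{k} -> {', '.join(v)}" for k, v in review_log(SAMPLE_LOG).items()))
```

Only the first sample line passes cleanly; the other three are reported with the reason each one breaks the policy.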



Source: Managing Remote Access for Partners and Contractors


Welcome!


If you are reading this guide, you are about to embark on a process that will help your organization harness the potential of technology to deliver your mission and best serve your community. Proactively planning for technology is about more than replacing old computers (although that might be part of your plan!). This process will help your organization fundamentally shift the way you approach technology investments toward greater mission achievement and community impact. It will identify opportunities for technology to help you control costs, reduce risk, raise funds, and empower staff.


Strategic technology planning – much like any strategic planning process – is a comprehensive look at the current state and the desired future state for your organization. If you just need some new computers, this may not be the right process. But if you are ready to treat technology as a mission-critical investment that can accelerate your organization’s impact, you are in the right place! Your nonprofit has much to gain from appropriately integrating technology into your operations, communications, fundraising, and service delivery. This guide offers step-by-step support to help you lead your organization through technology planning, resulting in a roadmap to smart technology use.



Acknowledgements


This guide has been produced through the generous support of the Rasmuson Foundation, a private foundation that works as a catalyst to promote a better life for Alaskans. Learn more at www.rasmuson.org. It was written and edited by Lindsay Bealko of Toolkit Consulting, who helps mission-minded organizations design creative communications, engaging education, and powerful programs. Learn more at www.toolkitconsulting.com.


Special thanks to Orion Matthews and Jeremiah Dunham of DesignPT for their substantial contributions to and reviews of this guide to make it as useful as possible to nonprofit organizations who are ready to harness the strategic potential of technology. Learn more and request help with your strategic technology plan at www.designpt.com.

