The Ultimate Guide to Third-Party Vendor Assessment



Anatomy of a Third-Party Vendor Assessment: What to Look for and Why

Your vendors can be your biggest security risk. This guide explains why proactive third-party vendor assessment is crucial for protecting your data and ensuring business continuity.

By KELA Cyber Team

Published September 30, 2025

Anatomy of a Third-Party Vendor Assessment

Businesses today rely on a complex network of third-party vendors for essential services, from cloud hosting to software development. While this collaboration boosts efficiency, it also introduces significant security risks. Understanding the vulnerabilities that arise from these relationships is crucial for any organization aiming to protect its assets and data.

In this blog, we will delve into the most common attack paths adversaries exploit through third parties and explore the essential internal preparations organizations must make before engaging with any vendor.




Common Third-Party Attack Paths

Adversaries often exploit third-party weaknesses. These routes are particularly effective compared to direct attacks on a primary organization.

  • VPNs: VPNs are tempting targets because a single established connection grants broad access to the internal network, and because VPN servers are, by design, exposed to the internet.

  • Stolen/shared credentials: Highly effective, stolen credentials allow attackers to simply log in and move laterally through a network under the radar, as seen in the Home Depot breach. These are often acquired through phishing or brute-force attacks.

  • Software supply chain attacks: These attacks, like the SolarWinds incident, involve injecting malicious code into valid software updates, affecting a large number of downstream users.

These routes work well because third-party vendors are often seen as the weakest links. They are frequently less mature in their security posture and less rigorous in their due diligence process compared to larger primary organizations.

This greatly increases the overall attack surface for the primary organization, creating numerous unmonitored entry points.






Essential Internal Preparations

Before engaging with any third-party vendor, organizations must establish a strong internal baseline of security and governance measures. These preparations are essential for containing the impact of a breach or failure.

Key Measures Should Include:

  • A comprehensive vendor inventory and risk categorization system: This assesses and prioritizes vendor risks based on factors like data access and service criticality.

  • Adopting cybersecurity frameworks: Using frameworks like NIST-CSF or ISO 27001 can guide the development of a strong internal security posture and help in assessing vendor compliance.

  • Clearly defined internal policies: Create clear policies for data classification, access control, encryption, and incident response.

  • A governance structure: Establish a structure for risk management and oversight involving senior management.

These preparations are critical for containing the "blast radius" of a breach on sensitive data, ensuring regulatory compliance, and maintaining business continuity.
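As an added illustration of the "vendor inventory and risk categorization system" described above (example code written for this edit, not KELA's own tooling), the following Python script scores each vendor on data access, access level and service criticality, applies a hard rule for vendors that can modify regulated data, and maps the result to a tier with a review cadence. The scales, weights, thresholds and cadences are constructed assumptions; an organization would tune them to its own risk appetite.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Constructed ordinal scales (assumptions for this example, not from the article).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_LEVEL = {"none": 0, "read": 1, "write": 2, "privileged": 3}
SERVICE_CRITICALITY = {"low": 0, "medium": 1, "high": 2, "essential": 3}

# Assumed reassessment cadence per tier, in months.
REVIEW_CADENCE_MONTHS = {Tier.CRITICAL: 3, Tier.HIGH: 6, Tier.MEDIUM: 12, Tier.LOW: 24}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: str            # key of DATA_SENSITIVITY
    access_level: str                # key of ACCESS_LEVEL
    service_criticality: str         # key of SERVICE_CRITICALITY
    network_connected: bool = False  # standing path into our network (e.g. site-to-site VPN)


def risk_score(v: Vendor) -> int:
    """Additive score: higher means more impact if this vendor is compromised."""
    score = (DATA_SENSITIVITY[v.data_sensitivity]
             + ACCESS_LEVEL[v.access_level]
             + SERVICE_CRITICALITY[v.service_criticality])
    if v.network_connected:
        score += 2  # a persistent network connection widens the blast radius
    return score


def risk_tier(v: Vendor) -> Tier:
    """Map a vendor to a tier; hard rules take precedence over the additive score."""
    # Any vendor able to modify regulated data is critical regardless of other factors.
    if v.data_sensitivity == "regulated" and v.access_level in ("write", "privileged"):
        return Tier.CRITICAL
    score = risk_score(v)
    if score >= 8:
        return Tier.CRITICAL
    if score >= 5:
        return Tier.HIGH
    if score >= 3:
        return Tier.MEDIUM
    return Tier.LOW


def categorize(inventory: list[Vendor]) -> list[tuple[str, Tier, int]]:
    """Return (name, tier, review_cadence_months) rows, highest-risk vendors first."""
    rows = []
    for v in inventory:
        tier = risk_tier(v)
        rows.append((v.name, tier, REVIEW_CADENCE_MONTHS[tier]))
    return sorted(rows, key=lambda r: (-int(r[1]), r[0]))


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Vendor("cloud-hosting", "regulated", "privileged", "essential", network_connected=True),
    Vendor("payroll-saas", "regulated", "read", "high"),
    Vendor("web-analytics", "confidential", "read", "medium"),
    Vendor("newsletter-tool", "public", "none", "low"),
]

if __name__ == "__main__":
    for name, tier, months in categorize(SAMPLE_INVENTORY):
        print(f"{name:16} {tier.name:9} reassess every {months} months")
```

The hard rule matters more than the arithmetic: a vendor with write access to regulated data scores only 5 on the additive scale (a HIGH tier), but the exposure is the same as a critical vendor's, so the rule promotes it before the score is consulted.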




The Security Assessment Framework: Key Areas and Red Flags

Security Architecture and Access Management

Evaluating a vendor's security architecture is crucial for preventing unauthorized access and limiting the movement of attackers within a network. Analysts must assess the enforcement of key controls, including:

  • Multi-Factor Authentication (MFA): Especially for privileged accounts, MFA is a non-negotiable measure that significantly reduces the risk of unauthorized access from stolen credentials.

  • Privileged Access Management (PAM): PAM solutions are essential for controlling, monitoring, and providing just-in-time access to highly sensitive accounts used by developers and administrators. This limits the "blast radius" of a compromise.

  • Network segmentation: Network and micro-segmentation deter attackers' lateral movement by creating isolated zones and restricting traffic to only what's explicitly permitted, thereby reducing the attack surface.

  • Principle of least privilege: This principle ensures that users have only the access necessary for their roles, limiting the potential impact of a breach.

Red flags for weak access management

  • Demanding root or super-user access for vendor software is a major security flaw.

  • Stale security policies (e.g., not reviewed annually) indicate that controls are not being actively maintained.

  • Refusing security audits, or declining to provide evidence of controls operating in production, points to a lack of transparency and possible weaknesses.


Data Protection and Encryption Standards

A vendor's approach to data protection and encryption is fundamental to ensuring the confidentiality and integrity of your sensitive information. A thorough review should cover data in all states: in transit, at rest, and in use.

Key areas to examine include:

  • Encryption strength: Evaluate the strength of the encryption used (e.g., AES-256 or a comparably strong modern cipher).

  • Key management: Assess procedures for key rotation and segregation, which is especially important in multi-tenant environments where customer data must be isolated.

  • Data classification: Understand how the vendor classifies its data to ensure it correctly identifies and handles sensitive information.

Proper encryption is the foundation for confidentiality, as it renders data unreadable to unauthorized parties. Strong key management practices, alongside robust encryption, protect data integrity by preventing unauthorized alterations and ensuring the information can be trusted.

Red flags that indicate weaknesses in data protection

  • No encryption for data at rest, in transit, or in use.
  • Use of obsolete encryption protocols (e.g., outdated TLS versions, SHA-1).
  • Absence of a data loss prevention (DLP) solution.

Take note: A less visible yet often more dangerous red flag lies in subtle but critical weaknesses. Poor key management—such as rarely rotating keys or storing them insecurely—creates serious risks that aren’t always immediately obvious.

Incident Detection and Response Capabilities

A vendor's ability to detect, investigate, and respond to threats effectively is crucial for limiting the impact of an incident. Organizations must evaluate a vendor's plans and capabilities.

  • Proactive detection: Look for the use of modern security tools like Security Information and Event Management (SIEM) and Intrusion Detection/Prevention Systems (IDS/IPS), coupled with threat intelligence feeds and automated alerts.

  • Communication protocols: A strong plan includes clear protocols for notifying clients and regulators promptly and securely.

  • Recovery procedures: Assess a vendor's comprehensive recovery process, including isolating affected systems, removing threats, and restoring from secure, tested backups. Regular testing of these plans is vital.

Red flags for immature detection and response

  • No defined incident response plan.
  • Failure to conduct regular test drills to validate recovery procedures.
  • Lack of continuous monitoring or automated alerts for anomalies.

Take note: A more subtle yet important red flag arises when a vendor provides vague responses to security inquiries. This lack of clarity hints at limited transparency and may conceal gaps in their security practices.




Software Development Lifecycle and Supply Chain Hygiene

The integrity of a vendor's software development lifecycle (SDLC) is critical for preventing supply chain compromises. Organizations should examine the vendor's process to ensure security is built-in, not bolted on.

  • Secure SDLC (SSDLC): Evaluate their documented process for assigning responsibilities, triaging vulnerabilities, and fixing bugs.

  • Security testing: Look for evidence of various testing techniques, including static, dynamic, and fuzz testing.

  • SBOM transparency: The vendor should provide a Software Bill of Materials (SBOM) detailing all components and dependencies, including open-source ones.

  • Code signing: Confirm they use code signing to ensure the authenticity and integrity of their software.

A mature SSDLC can mitigate a significant percentage of critical vulnerabilities before release, protecting your organization's digital assets and network.

Red flags for poor supply chain hygiene

  • A missing SBOM shows a lack of transparency in the vendor’s software components.
  • The absence of a formal SSDLC indicates weak security practices during development.
  • A refusal to perform vulnerability scans signals that risks may be ignored or undiscovered.
  • The use of outdated or weak encryption algorithms leaves sensitive data exposed to attacks.

Take note: A more subtle yet equally serious red flag appears when policy documents are not updated at least annually. This signals that a vendor may not be following its own controls, creating hidden risks that are harder to detect than obvious security gaps.
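To make the SBOM transparency check above concrete, here is an added Python example (written for this edit, not KELA's or any vendor's code) that parses a CycloneDX JSON SBOM and reports components that would fail a basic completeness review: missing version, missing package URL, missing or malformed integrity hash, or missing license. The embedded SBOM is constructed and deliberately incomplete; the field names follow the CycloneDX 1.5 JSON format.

```python
import json
import re

# Constructed CycloneDX 1.5 SBOM, deliberately incomplete for this example.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "vendor-app", "version": "4.2.0"}},
    "components": [
        # Complete entry: version, purl, well-formed SHA-256 digest, license.
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "licenses": [{"license": {"id": "MIT"}}]},
        # No version and no hashes: cannot be matched to advisories or verified.
        {"type": "library", "name": "legacy-crypto",
         "purl": "pkg:npm/legacy-crypto",
         "licenses": [{"license": {"id": "ISC"}}]},
        # No purl, a digest that is not hex, no license.
        {"type": "library", "name": "internal-util", "version": "0.1.0",
         "hashes": [{"alg": "SHA-256", "content": "not-a-hex-digest"}]},
    ],
})

# Expected hex digest lengths for the hash algorithms this review accepts.
HASH_HEX_LENGTH = {"SHA-256": 64, "SHA-384": 96, "SHA-512": 128}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_sbom(text: str) -> dict:
    """Load the document and confirm it claims to be CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def component_issues(comp: dict) -> list[str]:
    """Completeness checks for one component entry; empty list means it passes."""
    issues = []
    if not comp.get("version"):
        issues.append("missing version")
    if not comp.get("purl"):
        issues.append("missing purl")
    hashes = comp.get("hashes") or []
    if not hashes:
        issues.append("missing hashes")
    else:
        for h in hashes:
            expected = HASH_HEX_LENGTH.get(h.get("alg"))
            content = h.get("content", "")
            # Reject unknown/weak algorithms and digests of the wrong shape.
            if expected is None or len(content) != expected or not HEX_RE.match(content):
                issues.append("weak or malformed hash")
                break
    if not comp.get("licenses"):
        issues.append("missing license")
    return issues


def check_sbom(doc: dict) -> dict[str, list[str]]:
    """Return {component_name: [issues]} for every component that fails a check."""
    report = {}
    if not doc.get("metadata", {}).get("component"):
        report["<metadata>"] = ["no top-level component describing the delivered product"]
    for comp in doc.get("components", []):
        issues = component_issues(comp)
        if issues:
            report[comp.get("name", "<unnamed>")] = issues
    return report


def coverage(doc: dict) -> float:
    """Fraction of listed components that pass all checks (1.0 is fully reviewable)."""
    comps = doc.get("components", [])
    if not comps:
        return 0.0
    passing = sum(1 for c in comps if not component_issues(c))
    return passing / len(comps)


if __name__ == "__main__":
    sbom = parse_sbom(SAMPLE_SBOM_JSON)
    for name, issues in check_sbom(sbom).items():
        print(f"{name}: {', '.join(issues)}")
    print(f"components passing all checks: {coverage(sbom):.0%}")
```

A version-less or hash-less entry is the practical problem behind the "missing SBOM" red flag: without a version the component cannot be matched against vulnerability advisories, and without a digest the delivered artifact cannot be tied back to the component the SBOM claims to describe.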


Compliance and Contractual Commitments

A vendor's compliance posture and contractual obligations are essential for establishing enforceable security accountability.

  • Certifications and audits: Assess the vendor's compliance with relevant regulations (e.g., GDPR, HIPAA) and industry standards (e.g., SOC 2 Type II, ISO 27001). External audit reports provide independent verification of their security posture.

  • Service Level Agreements (SLAs): Analyze SLAs for specific commitments on service delivery, incident response, and recovery time objective (RTO).

  • Contractual clauses: Ensure contracts explicitly define security obligations, such as data encryption standards, MFA requirements, and the right to audit.

These specific terms are crucial for creating enforceable accountability and provide legal recourse in case of non-compliance. Without them, your organization is left to rely on good faith, which offers little protection.


Red flags for gaps in accountability

  • Outdated or expired certifications or audit reports (e.g., a SOC 2 Type II report older than one year; ideally it should be much more recent, within nine months).
  • A vendor that refuses to address audit findings or denies on-site visits for auditors represents an unacceptable risk, especially for high-risk vendors.
  • Fundamental security controls, such as encryption or MFA for privileged accounts, are missing.
  • Vendor responses to questions are reluctant or rushed, suggesting a lack of transparency and poor security practices.

Take note: A more subtle yet serious red flag arises when vendors rely solely on self-attestation without providing evidence or independent verification. This creates a false sense of security and leaves you blind to whether their stated controls are actually in place.

Business Continuity and Disaster Recovery Planning

A vendor's business continuity (BC) and disaster recovery (DR) plans are vital for ensuring resilience against disruptive incidents like ransomware attacks, outages, or geopolitical events.

  • Documented plans: Evaluate the vendor's BC and DR plans to see if they can minimize downtime and ensure service continuity.

  • Recovery procedures: Examine their procedures, which should include isolating affected systems, removing threats, and restoring from secure, tested backups.

  • Testing and simulations: Look for evidence of regular testing and simulations of these plans. For example, a vendor should be able to demonstrate a successful ransomware recovery using data backups.


Red flags for weak resilience

  • No documented BC/DR plan.
  • Failure to regularly test backup restoration.
  • Reliance on a single data center without backups.





Strengthen Your Supply Chain Security with KELA Cyber

Supply chain threats can turn even trusted vendors into attack vectors, putting your organization at risk. Visibility into third- and fourth-party security posture is limited, making manual monitoring impractical. We at KELA monitor cybercrime activity, data breaches, and network vulnerabilities across your supply chain. By identifying high-risk vendors and back-door threats, we help you prioritize remediation and reduce exposure.

With actionable insights from our threat intelligence platform, you can make informed decisions and maintain stronger security across your entire vendor network.


FAQs

Why are third-party vendors a security risk?

Third-party vendors can introduce vulnerabilities because attackers often exploit weaker security practices in external partners to gain access to your organization’s systems and data.

What are the most common third-party attack paths?

Common attack paths include VPN exploitation, stolen or shared credentials, and software supply chain attacks, such as injecting malicious code into trusted software updates.

How can organizations prepare internally before engaging vendors?

Organizations should maintain a comprehensive vendor inventory, adopt recognized cybersecurity frameworks (e.g., NIST-CSF, ISO 27001), define clear internal policies, and establish a governance structure for risk management and oversight.