Five Best Practices to do Supply Chain Security Right

Sergej Epp

Supply chain attacks aren’t new. In fact, the National Institute of Standards and Technology (NIST) published guidance on supply chain risk management back in 2015. One of the most well-known supply chain attacks happened shortly after, in 2017. NotPetya was delivered through the compromised update mechanism of a third-party accounting package: the attackers first pushed a backdoor to customers through what looked like legitimate updates and, only a few months later, used it to distribute malware that posed as ransomware but was built to destroy data, inflicting serious harm on organizations all over the world.

Unfortunately, the discussion focused primarily on the ransomware aspect and completely missed the original supply chain attack: a backdoor deployed across thousands of organizations for multiple months before anyone noticed.

SolarStorm (the compromise of the SolarWinds Orion platform), the most impactful supply chain attack to date and, more accurately, the work of an advanced persistent threat, was a milestone event because the attackers sabotaged a popular software product at the source code level, inside the vendor’s own build process, so that the backdoor shipped with the vendor’s legitimate signature. That foothold allowed them to exfiltrate the crown jewels from multiple high-profile organizations across the security, technology and government sectors. Unfortunately, we still don’t know the full extent of the damage sustained, and the attackers have hidden their tracks so well that we may never know for sure.

The potential for catastrophic supply chain attacks is mind-boggling when you consider a typical organization does business with hundreds, if not thousands, of third parties. Work with an outsourced payroll processing company? You’re at risk. Contract with a digital marketing agency? Be careful. Collaborate with channel partners over a cloud platform? Beware of unforeseen and undetected attacks.

The question isn’t whether your organization’s cyber threat vectors are expanding. You already know the answer is “yes.” The real question is what do you do about it?

Five Key Supply Chain Security Best Practices

Unless you can hire an army of security analysts, subscribe to every threat-detection service, buy every security tool on the market or stay off the digital grid, you need to understand how to detect cyber attacks, protect against them, and properly remediate their impact.

Here are five cybersecurity principles every business leader should know, and should be ready to press their CISO, CIO or CTO about, in order to mitigate a supply chain attack:

  1. Validate your vendors’ cybersecurity hygiene and practices. Although many large organizations have some safeguards in place to verify their vendors’ security maturity, my experience in working with countless organizations is that few, if any, check all the boxes when it comes to confidently vouching for vendor security. If your organization does not have a specific vendor risk management procedure, you can start by checking for certifications and attestations such as Common Criteria, CIS benchmark compliance, ISO/IEC 27001 and SOC 2. Bear in mind what such a certificate proves: that the vendor’s processes met a standard at audit time, not that any particular release you install is free of tampering. NotPetya and SolarWinds demonstrate that vendor risk management has to be embraced more broadly than ever before. Cyber risk must be measured not only for vendors who process our data or in outsourcing scenarios, but for every single small application or IoT device in the network that requires connectivity to the cloud.
  2. Take a long, hard look at automated patching policies and procedures. You can actually hear users and executives moan and groan about business disruption every time they receive a security patch notification. Automated patching policies and procedures ensure patches are applied in a timely manner. You should nevertheless study your organization’s automated patching, because an update channel that is not implemented and managed properly gives attackers an easier way into your organization; both NotPetya and SolarWinds reached their victims through the vendor’s own update mechanism. Manually validating every patch before deployment is not the answer either: the amount of work required makes it impractical, and it still does not guarantee you are protected. Instead, assume that automated patching will not only continue but likely increase, and be sure your CISO is taking extra steps to validate the integrity of the update channel itself: expected digests and signatures obtained through a channel independent of the download, no silent rollback to older versions, nothing installed that the release manifest does not list, and a staged rollout so that a bad update reaches a small canary group before the whole estate.
  3. Commit to Zero Trust. The days of easy access to privileges and lax enforcement of access policies must end. Zero Trust, just like it sounds, is the big vision and should be your organization’s cybersecurity bedrock. Start by reducing the number of privileged users and the access that applications, services and data expose, especially to third-party software, which is increasingly prevalent in the organization. To get better situational awareness, ask your organization a simple question: how many assets or applications can a cloud-connected piece of third-party software reach within our network once it has been compromised? Answering it requires walking the connections your segmentation policy actually permits from the host that runs that software, not reading the policy’s intent. The answer will determine whether your technical cybersecurity programs like privileged access management, segmentation and hardening controls are being prioritized relative to the actual risk.
  4. Control security at the endpoint. “Shadow IT” makes organizations quite susceptible to supply chain attack. Smart, resourceful end users have long been bypassing IT approval (and IT security controls) to put in place their own systems and applications. Shadow IT risk dramatically accelerates as younger users (i.e., more technically comfortable and more impatient with IT backlogs) join the organization. Unsanctioned devices and applications could be malicious or easily compromised, representing a time bomb not only for the user and device but for the entire organization. Endpoint security has historically been the most effective line of defense against cyber attacks that arrive through Shadow IT usage. Consequently, organizations must enforce endpoint security for all devices connected to the network and controlled by end users, with no exceptions: a device on which the endpoint control cannot run or cannot be verified should not be on the network at all.
  5. Leverage digital forensics. Traditional incident response tactics are no longer sufficient as targeted attacks become more sophisticated and more frequent. Having a targeted attacker in your backyard means your business can be massively impacted by espionage or sabotage if you don’t get them out immediately. These sophisticated attackers typically leave backdoors, which they use repeatedly over an extended period of time, so cleaning up only the component you first detected leaves them in place. Most organizations nevertheless don’t conduct a digital forensics analysis of impacted environments to try to locate hidden backdoors. SolarWinds was clearly a wake-up call to raise awareness of this risk. If you deal with a targeted attack, digital forensics is a must.
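The integrity check that item 2 asks the CISO for, as an added example that is not part of the original article and not any vendor’s code: a Python gate (standard library only) that refuses to hand an update to the installer unless every artifact matches a digest pinned out-of-band, nothing the manifest does not list rides along with the download, and the version moves forward. The product name, artifact bytes and manifest are constructed for the example; in practice the pinned digests come from the vendor’s release information obtained through a channel independent of the download.

```python
"""Fail-closed integrity gate in front of an automated patch pipeline.

Added example (stdlib only). The manifest is pinned out-of-band, i.e. taken
from a channel independent of the download (vendor portal, signed release
notes, your own mirror), never fetched from the same CDN as the artifacts.
All artifact bytes and names below are constructed for the example.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the bytes the vendor actually released.
GOOD_ARTIFACTS = {
    "agent-2.4.1.bin": b"MZ\x90\x00 constructed agent binary v2.4.1",
    "agent-2.4.1.cfg": b"update_channel=stable\n",
}

# Constructed pinned manifest. In practice the digests are copied from the
# vendor's out-of-band release information; here they are derived from the
# sample bytes so the example is self-contained.
PINNED_MANIFEST = json.dumps({
    "product": "agent",
    "version": "2.4.1",
    "artifacts": {name: sha256_hex(data) for name, data in GOOD_ARTIFACTS.items()},
})


def parse_version(version: str) -> tuple:
    """Numeric dotted versions only ("2.4.1" -> (2, 4, 1)); anything else is rejected."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def verify_update(manifest_json: str, artifacts: dict, installed_version: str) -> list:
    """Return the list of reasons to reject the update; an empty list means apply it.

    Every check is fail-closed, and all problems are reported rather than
    stopping at the first, so the operator sees the full picture.
    """
    problems = []
    manifest = json.loads(manifest_json)
    expected = manifest.get("artifacts", {})

    # 1. Anti-rollback: a "patch" that does not advance the version would
    #    reinstall already-fixed bugs (replaying an older, vulnerable build).
    try:
        new_version = manifest["version"]
        if parse_version(new_version) <= parse_version(installed_version):
            problems.append(
                f"version {new_version} does not advance past installed {installed_version}"
            )
    except (KeyError, ValueError) as exc:
        problems.append(f"bad version field: {exc}")

    # 2. Completeness: nothing the manifest lists may be missing, and nothing
    #    the manifest does not list may ride along with the download.
    for name in expected:
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
    for name in artifacts:
        if name not in expected:
            problems.append(f"unexpected artifact not in manifest: {name}")

    # 3. Integrity: constant-time compare of each digest against the pin.
    for name, want in expected.items():
        if name in artifacts and not hmac.compare_digest(sha256_hex(artifacts[name]), want):
            problems.append(f"digest mismatch: {name}")

    return problems


if __name__ == "__main__":
    print("clean download  :", verify_update(PINNED_MANIFEST, GOOD_ARTIFACTS, "2.4.0") or "approved")
    tampered = {**GOOD_ARTIFACTS, "agent-2.4.1.bin": GOOD_ARTIFACTS["agent-2.4.1.bin"] + b"\x90" * 8}
    print("tampered binary :", verify_update(PINNED_MANIFEST, tampered, "2.4.0"))
    print("downgrade       :", verify_update(PINNED_MANIFEST, GOOD_ARTIFACTS, "2.4.1"))
```

The digest pin is only as trustworthy as the channel it came from; if the manifest is downloaded from the same place as the payload, an attacker who controls that place simply rewrites both, which is why the pin has to be obtained independently. A signature check over the manifest (with the vendor’s public key pinned in the same way) slots in before step 1 without changing the rest of the gate.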
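One way to answer the question item 3 poses, added here as an example that is not from the original article: model the connections a segmentation policy permits as a directed graph and walk it from the host that runs the cloud-connected third-party software, since that host is the position an attacker holds once the software is compromised. The host names, ports and allow-list are constructed; a real run would be fed from firewall rules, cloud security groups or flow logs. The `blocked_ports` parameter lets you test a proposed segmentation change before applying it.

```python
"""Blast-radius estimate for a cloud-connected third-party component.

Added example (stdlib only). Models a segmentation policy as the set of
connections it permits and walks it from the host that runs the third-party
software. The allow-list below is constructed; a real run would be fed from
firewall rules, cloud security groups or flow logs.
"""
from collections import deque

# Constructed allow-list: (source, destination, destination port).
ALLOWED_FLOWS = [
    ("vendor-agent-host", "jump-host", 22),
    ("vendor-agent-host", "file-share", 445),
    ("vendor-agent-host", "web-frontend", 443),
    ("jump-host", "db-primary", 5432),
    ("jump-host", "ad-dc", 389),
    ("web-frontend", "api-gateway", 8443),
    ("api-gateway", "db-primary", 5432),
    ("hr-workstation", "payroll-proxy", 443),   # separate segment, never reached
]


def build_graph(flows):
    """Directed graph: node -> set of (destination, port) the policy permits."""
    graph = {}
    for src, dst, port in flows:
        graph.setdefault(src, set()).add((dst, port))
        graph.setdefault(dst, set())
    return graph


def blast_radius(flows, start, blocked_ports=frozenset()):
    """Breadth-first walk from `start` over permitted flows.

    Returns {asset: hops} for every asset an attacker on `start` could reach.
    Hop counts are shortest paths, so they do not depend on iteration order.
    """
    graph = build_graph(flows)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, port in graph.get(node, ()):
            if port in blocked_ports or dst in hops:
                continue
            hops[dst] = hops[node] + 1
            queue.append(dst)
    del hops[start]           # the foothold itself is not part of the radius
    return hops


def report(flows, start, blocked_ports=frozenset()):
    """Human-readable summary: how many assets, and how far away each one is."""
    radius = blast_radius(flows, start, blocked_ports)
    lines = [f"{start}: {len(radius)} assets reachable"]
    for asset, distance in sorted(radius.items(), key=lambda kv: (kv[1], kv[0])):
        lines.append(f"  {distance} hop(s): {asset}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ALLOWED_FLOWS, "vendor-agent-host"))
    print()
    print("after removing the SSH path to the jump host:")
    print(report(ALLOWED_FLOWS, "vendor-agent-host", blocked_ports={22}))
```

With the constructed policy the agent host reaches six assets, including the domain controller and the primary database two hops away; blocking the single SSH flow to the jump host drops that to four and pushes the database out to three hops. Running the same walk for every third-party component, and re-running it after each policy change, turns the item 3 question into a number the CISO can track.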

While these best practices are cybersecurity-focused, cybersecurity is too big and important to abdicate ownership to any single individual – whether it’s your chief information security officer (CISO) or equivalent technology executive charged with protecting your organization, data and people against hackers.

To keep an organization safe and resilient, cybersecurity ultimately is the responsibility of the entire C-suite and the board of directors. A CEO doesn’t ignore financial, engineering, marketing or legal issues because he or she has functional executives overseeing those areas. The same argument applies to cybersecurity.

The only safe assumption you can make about supply chain cybersecurity is that your organization is at risk, and you must do something about it now—not after a breach happens.