Vulnerabilities / Threats

10/27/2017
11:00 AM
Dan Dahlberg
Dan Dahlberg
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Steps to Reduce Risk in Your Supply Chain

Many companies have very limited visibility into their vendors' security posture -- and some may have thousands of vendors. Here are steps that every company should take to lock down their supply chains.

In June, the compromise of an update server for a Ukrainian accounting software platform MeDoc led to the widespread distribution of NotPetya ransomware. A dozen known corporate victims suffered damages already exceeding $500 million.

Around the same time, attackers had infiltrated the network of Piriform, the maker of the popular system-maintenance program CCleaner, infecting two versions of the program that were distributed to more than 2.3 million systems over the month that the attack remained undetected. Files recovered from the command-and-control server showed that the malware infected some 700,000 systems in the final four-day window of the program's spread. (The attackers appear to have regularly deleted all logs, hiding whatever actions they took the other 26 unmonitored days.) The attackers also attempted to specifically target at least 20 companies with additional malware, including major networking hardware and office-electronics providers, such as Cisco, D-Link, Epson, HTC Group, Intel, Linksys, Samsung, Sony, and VMware.

If companies were not watching their software supply chain before the summer, these two events should push them to do so now. Although many companies have focused on shoring up their own security, they have very limited visibility — if any — into their vendors' security posture. Many companies can have hundreds or even thousands of vendors. In many cases, information security teams do not know who those vendors are. Here are three steps that every company should take to lock down their supply chains.

1. Know your business and software vendors. Ever since 9/11, banks have been required to "know their customers." Today, companies should take that advice to heart as well. Over the past several years, more attention has been directed to those vendors for which a company conducts business. These recent attacks have shown that this also applies to all direct and indirect dependencies on their entire operations. While accounting or another part of the organization likely has knowledge of these vendors, security teams might not be appropriately informed.

2. Measure security and determine metrics. As early as possible, security teams need to determine how they are going to measure security. However, there generally is a lack of metrics to determine a company's security posture. In the past, most companies have relied on a vendor's management certifying that they are following a list of best practices.

A variety of metrics and best practice documents are available today, from the Building Security in Maturity Model and its open-source cousin the Open Group Service Integration Maturity Model to the National Institute of Standards and Technology Cyber Security Framework. In addition, the ability to gauge security from external indicators has led to a rapidly evolving rating ecosystem.

While the security team is adopting a process to measure the security of vendors, it should also consider what its own requirements will be. These requirements will vary, depending on the level of access that the vendors — or their products — will have to the company's network.

3. Be proactive with vendors. Finally, companies need to be proactive and bring up the topic of security with vendors regularly. Many companies make sure that they have different policies and technologies in place, but unless they regularly address those issues with their vendors to ensure they are complying, it is more likely that issues will arise.

Larger companies have the benefit of having deeper security expertise, with which they can monitor their vendors. But increasingly, security requirements will flow downstream, and unless smaller contractors can meet requirements, they may lose business.

As attackers focus on vendors as a way to gain entry into their customers' systems, the security of the supply chain will become even more important. Companies need to address these issues today, before the next attack.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

As a Research Scientist at BitSight, Dan Dahlberg is responsible for researching the latest vulnerabilities and threats to understand at a technical and practical level how they affect the risk profile of organizations. He is also responsible for discovering new sources of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RussD653
50%
50%
RussD653,
User Rank: Strategist
11/2/2017 | 10:10:59 AM
Third party rating services
Working for a world wide manufacturing company we do not have the resources to monitor all our vendors which number in the thousands. so we employ a third party rating service which is a valualble solution. 

Although BitsightTech are not perfect, we leverage them to do a lot of the leg work which we do not have the band width to tackle.

 

 
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8980
PUBLISHED: 2019-02-21
A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.
CVE-2019-8979
PUBLISHED: 2019-02-21
Koseven through 3.3.9, and Kohana through 3.3.6, has SQL Injection when the order_by() parameter can be controlled.
CVE-2013-7469
PUBLISHED: 2019-02-21
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2018-20146
PUBLISHED: 2019-02-21
An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell.
CVE-2019-5727
PUBLISHED: 2019-02-21
Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.