Vulnerabilities / Threats

10/27/2017
11:00 AM
Dan Dahlberg
Dan Dahlberg
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Steps to Reduce Risk in Your Supply Chain

Many companies have very limited visibility into their vendors' security posture -- and some may have thousands of vendors. Here are steps that every company should take to lock down their supply chains.

In June, the compromise of an update server for a Ukrainian accounting software platform MeDoc led to the widespread distribution of NotPetya ransomware. A dozen known corporate victims suffered damages already exceeding $500 million.

Around the same time, attackers had infiltrated the network of Piriform, the maker of the popular system-maintenance program CCleaner, infecting two versions of the program that were distributed to more than 2.3 million systems over the month that the attack remained undetected. Files recovered from the command-and-control server showed that the malware infected some 700,000 systems in the final four-day window of the program's spread. (The attackers appear to have regularly deleted all logs, hiding whatever actions they took the other 26 unmonitored days.) The attackers also attempted to specifically target at least 20 companies with additional malware, including major networking hardware and office-electronics providers, such as Cisco, D-Link, Epson, HTC Group, Intel, Linksys, Samsung, Sony, and VMware.

If companies were not watching their software supply chain before the summer, these two events should push them to do so now. Although many companies have focused on shoring up their own security, they have very limited visibility — if any — into their vendors' security posture. Many companies can have hundreds or even thousands of vendors. In many cases, information security teams do not know who those vendors are. Here are three steps that every company should take to lock down their supply chains.

1. Know your business and software vendors. Ever since 9/11, banks have been required to "know their customers." Today, companies should take that advice to heart as well. Over the past several years, more attention has been directed to those vendors for which a company conducts business. These recent attacks have shown that this also applies to all direct and indirect dependencies on their entire operations. While accounting or another part of the organization likely has knowledge of these vendors, security teams might not be appropriately informed.

2. Measure security and determine metrics. As early as possible, security teams need to determine how they are going to measure security. However, there generally is a lack of metrics to determine a company's security posture. In the past, most companies have relied on a vendor's management certifying that they are following a list of best practices.

A variety of metrics and best practice documents are available today, from the Building Security in Maturity Model and its open-source cousin the Open Group Service Integration Maturity Model to the National Institute of Standards and Technology Cyber Security Framework. In addition, the ability to gauge security from external indicators has led to a rapidly evolving rating ecosystem.

While the security team is adopting a process to measure the security of vendors, it should also consider what its own requirements will be. These requirements will vary, depending on the level of access that the vendors — or their products — will have to the company's network.

3. Be proactive with vendors. Finally, companies need to be proactive and bring up the topic of security with vendors regularly. Many companies make sure that they have different policies and technologies in place, but unless they regularly address those issues with their vendors to ensure they are complying, it is more likely that issues will arise.

Larger companies have the benefit of having deeper security expertise, with which they can monitor their vendors. But increasingly, security requirements will flow downstream, and unless smaller contractors can meet requirements, they may lose business.

As attackers focus on vendors as a way to gain entry into their customers' systems, the security of the supply chain will become even more important. Companies need to address these issues today, before the next attack.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

As a Research Scientist at BitSight, Dan Dahlberg is responsible for researching the latest vulnerabilities and threats to understand at a technical and practical level how they affect the risk profile of organizations. He is also responsible for discovering new sources of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RussD653
50%
50%
RussD653,
User Rank: Strategist
11/2/2017 | 10:10:59 AM
Third party rating services
Working for a world wide manufacturing company we do not have the resources to monitor all our vendors which number in the thousands. so we employ a third party rating service which is a valualble solution. 

Although BitsightTech are not perfect, we leverage them to do a lot of the leg work which we do not have the band width to tackle.

 

 
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19279
PUBLISHED: 2018-11-14
PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plaintext of NTFS files. On non-SSD devices, this is limited to a 5-second window and file sizes less than 600 bytes. The effect on SSD devices may be greater.
CVE-2018-19280
PUBLISHED: 2018-11-14
Centreon 3.4.x has XSS via the resource name or macro expression of a poller macro.
CVE-2018-19281
PUBLISHED: 2018-11-14
Centreon 3.4.x allows SNMP trap SQL Injection.
CVE-2018-17960
PUBLISHED: 2018-11-14
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
CVE-2018-19278
PUBLISHED: 2018-11-14
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed lengt...