Vulnerabilities / Threats

10/27/2017
11:00 AM
Dan Dahlberg
Dan Dahlberg
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Steps to Reduce Risk in Your Supply Chain

Many companies have very limited visibility into their vendors' security posture -- and some may have thousands of vendors. Here are steps that every company should take to lock down their supply chains.

In June, the compromise of an update server for a Ukrainian accounting software platform MeDoc led to the widespread distribution of NotPetya ransomware. A dozen known corporate victims suffered damages already exceeding $500 million.

Around the same time, attackers had infiltrated the network of Piriform, the maker of the popular system-maintenance program CCleaner, infecting two versions of the program that were distributed to more than 2.3 million systems over the month that the attack remained undetected. Files recovered from the command-and-control server showed that the malware infected some 700,000 systems in the final four-day window of the program's spread. (The attackers appear to have regularly deleted all logs, hiding whatever actions they took the other 26 unmonitored days.) The attackers also attempted to specifically target at least 20 companies with additional malware, including major networking hardware and office-electronics providers, such as Cisco, D-Link, Epson, HTC Group, Intel, Linksys, Samsung, Sony, and VMware.

If companies were not watching their software supply chain before the summer, these two events should push them to do so now. Although many companies have focused on shoring up their own security, they have very limited visibility — if any — into their vendors' security posture. Many companies can have hundreds or even thousands of vendors. In many cases, information security teams do not know who those vendors are. Here are three steps that every company should take to lock down their supply chains.

1. Know your business and software vendors. Ever since 9/11, banks have been required to "know their customers." Today, companies should take that advice to heart as well. Over the past several years, more attention has been directed to those vendors for which a company conducts business. These recent attacks have shown that this also applies to all direct and indirect dependencies on their entire operations. While accounting or another part of the organization likely has knowledge of these vendors, security teams might not be appropriately informed.

2. Measure security and determine metrics. As early as possible, security teams need to determine how they are going to measure security. However, there generally is a lack of metrics to determine a company's security posture. In the past, most companies have relied on a vendor's management certifying that they are following a list of best practices.

A variety of metrics and best practice documents are available today, from the Building Security in Maturity Model and its open-source cousin the Open Group Service Integration Maturity Model to the National Institute of Standards and Technology Cyber Security Framework. In addition, the ability to gauge security from external indicators has led to a rapidly evolving rating ecosystem.

While the security team is adopting a process to measure the security of vendors, it should also consider what its own requirements will be. These requirements will vary, depending on the level of access that the vendors — or their products — will have to the company's network.

3. Be proactive with vendors. Finally, companies need to be proactive and bring up the topic of security with vendors regularly. Many companies make sure that they have different policies and technologies in place, but unless they regularly address those issues with their vendors to ensure they are complying, it is more likely that issues will arise.

Larger companies have the benefit of having deeper security expertise, with which they can monitor their vendors. But increasingly, security requirements will flow downstream, and unless smaller contractors can meet requirements, they may lose business.

As attackers focus on vendors as a way to gain entry into their customers' systems, the security of the supply chain will become even more important. Companies need to address these issues today, before the next attack.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

As a Research Scientist at BitSight, Dan Dahlberg is responsible for researching the latest vulnerabilities and threats to understand at a technical and practical level how they affect the risk profile of organizations. He is also responsible for discovering new sources of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RussD653
50%
50%
RussD653,
User Rank: Strategist
11/2/2017 | 10:10:59 AM
Third party rating services
Working for a world wide manufacturing company we do not have the resources to monitor all our vendors which number in the thousands. so we employ a third party rating service which is a valualble solution. 

Although BitsightTech are not perfect, we leverage them to do a lot of the leg work which we do not have the band width to tackle.

 

 
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Gee, these virtual reality goggles work great!!! 
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.