Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management

Analytics

6/27/2019
03:50 PM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
7 comments
Comment Now

7 Ways to Mitigate Supply Chain Attacks

Breaches caused by external vendors and service providers have become a major and escalating problem for organizations.
2 of 8

Stipulate Security Requirements in Your Contracts

Security and risk mitigation requirements must be included in an organization's contractual agreement with third-party vendor and service providers, says Rocco Grillo, managing director with professional services firm Alvarez & Marsal. Requirements should include the ability for an organization to audit the third party's security practices and business continuity plans, establish performance standards, and clearly define default and termination terms. The contract should include provisions governing the use of foreign-based service providers and outline data governance and vendor subcontracting rules, he says.

"Ensure contracts include the right to audit the security posture of suppliers by your security team or a third party," adds Jason Haward-Grau, CISO at PAS Global. "For suppliers of software of any type, require certification of cybersecurity vulnerability assessment with each release by the supplier."

Image Source: Shutterstock

2 of 8
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
CharlieFrindle
50%
50%
CharlieFrindle,
 User Rank: Apprentice
8/30/2019 | 8:39:39 AM
192.168.l.l
Thanks for the valuable information and insights you have so provided here.
tdsan
50%
50%
tdsan,
 User Rank: Ninja
7/19/2019 | 10:29:39 AM
Re: attack
I agree the customer doesn't care where they get their services from, as long as the service is consistent, on-time it meets their requirements, they would care if it came from Tim-Buck-Too. 

But there is a bigger question to this dilemma; what if they do care where the parts come from and if the supplier added components that were not listed on the SKU (parts listing) and they discovered this device was sending information back to an unknown location where this data was tagged, labeled and could be used for purposes to affect the lives of others. Now the severity and importance have changed (i.e. NSA Prism's - Cisco Firmware upgrade to boards sent to China, France's Monitoring/Phone Tampering, SuperMicro Embedded Micro-Chips, Google/Apple/Microsoft embedded applications to capture user patterns - Telemetry). So now the dynamic changes because now it is affecting the lives of others.



I think we can try to mitigate the process but the problem is not the process, it is the underlying spy game that is being played by nation-states and the competitive advantage they are trying to gain. The root cause of the problem is in front of us, there needs to be clear rules that we both (the US and others) follow where we keep each other accountable to deter the wrong-doings; more nation-state policing such as fines, penalties, and sanctions is the only way to address this problem (use Blockchain's immutable process of capturing purchases and following the process from start to finish but there are ways - Cisco FW and SuperMicro - to step around the process). If this is not addressed at the executive and presidential level, no matter how intricate a process we have in place to monitor and mitigate breaches, there will always be another way to circumvent what we have, there really needs to be a truce.

Supply Chain Process



Todd
tdsan
50%
50%
tdsan,
 User Rank: Ninja
7/16/2019 | 11:30:34 AM
Re: attack
That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.. —Lyngiten

Interesting comment, let me play devil's advocate; if a cloud vendor worked with another cloud vendor to provide a service, would you care where the service came from (if they put it under the AWS umbrella) or would you ignore it and continue?

I think in most instances people they don't care (just like utility companies) where the service comes from, as long as it is reliable, consistent and it meets their business requirements (SLAs).

However, in the case of supply chain mgmt, it is essential to determine if the vendor/supplier is reputable and they are not willing to compromise their integrity. Apple did this when they were faced with the possibility of violating its security framework giving the FBI the ability to hack into their iPhone series.

In the case of SuperMicro, it was evident that one of their suppliers was being influenced by the Chinese government to use microchips on their system boards; so, we would care because it is affecting organizations around the globe (this was a clear and blatant misuse of power).

Todd
Lyngiten
50%
50%
Lyngiten,
 User Rank: Apprentice
7/16/2019 | 8:09:49 AM
attack
Only 18 percent of companies says they knew if those vendors were, in turn, sharing that information with other suppliers. That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.
tdsan
50%
50%
tdsan,
 User Rank: Ninja
6/30/2019 | 6:27:35 PM
Re: interesting but there is something we are missing.
We need to implement a "BlockChain" methodology when it pertains to the supply chain (only allow approved vendors), at least we would be able to see who purchased what and how the solution was implemented; that way we can determine if components were added a later time; this gives all interested parties the ability to cross-reference the material purchased (SuperMicro micro-chip was hard to detect but at least we have a way of matching the serial numbers to the device). If there was some tampering, we would know it.

Think about this, if every device emits an RF reading or electrical signature, then we could look for electrical signatures not part of the device (remove the obvious and what remains is the answer). Some sort of inexpensive Xray device that pinpoints RF energy readings.

T
RyanSepe
50%
50%
RyanSepe,
 User Rank: Ninja
6/30/2019 | 8:28:51 AM
Re: interesting but there is something we are missing.
"(they denied it of course)" Deny, deny, deny. Same nonsense is currently going on the wake of the Chernobyl mini-series. Russia, not being a fan of the telling, has decided they would like to create their own where the meltdown was the cause of espionage performed by the Americans.

It's astounding when even Nation-States don't want to have accountability.
tdsan
50%
50%
tdsan,
 User Rank: Ninja
6/29/2019 | 6:54:24 PM
interesting but there is something we are missing.
Do you remember the China hack that occurred with SuperMicro - https://bloom.bg/2OCRfgO. This was an elaborate attempt to place a microchip on the system board where the chip could control and monitor the system from anywhere. This was an elaborate setup by the government of China (they denied it of course) but this chip was state-of-the-art.
Quote - Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

 Also, remember, we are doing the same thing (go back and review Edward Snowden's remarks - https://bit.ly/2o3lvE5. So in order for us to validate the process, the nation-states need to agree to work together and stop this surreptious undercover spy game or it will only continue (I don't see it happening anytime soon), they will find a way.

T
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.