Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management

Analytics

6/27/2019
03:50 PM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
6 comments
Comment Now

7 Ways to Mitigate Supply Chain Attacks

Breaches caused by external vendors and service providers have become a major and escalating problem for organizations.
2 of 8

Stipulate Security Requirements in Your Contracts Security and risk mitigation requirements must be included in an organization's contractual agreement with third-party vendor and service providers, says Rocco Grillo, managing director with professional services firm Alvarez & Marsal. Requirements should include the ability for an organization to audit the third party's security practices and business continuity plans, establish performance standards, and clearly define default and termination terms. The contract should include provisions governing the use of foreign-based service providers and outline data governance and vendor subcontracting rules, he says. 'Ensure contracts include the right to audit the security posture of suppliers by your security team or a third party,' adds Jason Haward-Grau, CISO at PAS Global. 'For suppliers of software of any type, require certification of cybersecurity vulnerability assessment with each release by the supplier.' Image Source: Shutterstock

Stipulate Security Requirements in Your Contracts

Security and risk mitigation requirements must be included in an organization's contractual agreement with third-party vendor and service providers, says Rocco Grillo, managing director with professional services firm Alvarez & Marsal. Requirements should include the ability for an organization to audit the third party's security practices and business continuity plans, establish performance standards, and clearly define default and termination terms. The contract should include provisions governing the use of foreign-based service providers and outline data governance and vendor subcontracting rules, he says.

"Ensure contracts include the right to audit the security posture of suppliers by your security team or a third party," adds Jason Haward-Grau, CISO at PAS Global. "For suppliers of software of any type, require certification of cybersecurity vulnerability assessment with each release by the supplier."

Image Source: Shutterstock

2 of 8
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
 User Rank: Ninja
7/19/2019 | 10:29:39 AM
Re: attack
I agree the customer doesn't care where they get their services from, as long as the service is consistent, on-time it meets their requirements, they would care if it came from Tim-Buck-Too. 

But there is a bigger question to this dilemma; what if they do care where the parts come from and if the supplier added components that were not listed on the SKU (parts listing) and they discovered this device was sending information back to an unknown location where this data was tagged, labeled and could be used for purposes to affect the lives of others. Now the severity and importance have changed (i.e. NSA Prism's - Cisco Firmware upgrade to boards sent to China, France's Monitoring/Phone Tampering, SuperMicro Embedded Micro-Chips, Google/Apple/Microsoft embedded applications to capture user patterns - Telemetry). So now the dynamic changes because now it is affecting the lives of others.



I think we can try to mitigate the process but the problem is not the process, it is the underlying spy game that is being played by nation-states and the competitive advantage they are trying to gain. The root cause of the problem is in front of us, there needs to be clear rules that we both (the US and others) follow where we keep each other accountable to deter the wrong-doings; more nation-state policing such as fines, penalties, and sanctions is the only way to address this problem (use Blockchain's immutable process of capturing purchases and following the process from start to finish but there are ways - Cisco FW and SuperMicro - to step around the process). If this is not addressed at the executive and presidential level, no matter how intricate a process we have in place to monitor and mitigate breaches, there will always be another way to circumvent what we have, there really needs to be a truce.

Supply Chain Process



Todd
tdsan
50%
50%
tdsan,
 User Rank: Ninja
7/16/2019 | 11:30:34 AM
Re: attack
That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.. —Lyngiten

Interesting comment, let me play devil's advocate; if a cloud vendor worked with another cloud vendor to provide a service, would you care where the service came from (if they put it under the AMZ umbrella) or would you ignore it and continue?

I think in most instances people they don't care (just like utility companies) where the service comes from, as long as it is reliable, consistent and it meets their business requirements (SLAs).

However, in the case of supply chain mgmt, it is essential to determine if the vendor/supplier is reputable and they are not willing to compromise their integrity. Apple did this when they were faced with the possibility of violating its security framework giving the FBI the ability to hack into their iPhone series.

In the case of SuperMicro, it was evident that one of their suppliers was being influenced by the Chinese government to use microchips on their system boards; so, we would care because it is affecting organizations around the globe (this was a clear and blatant misuse of power).

Todd
Lyngiten
50%
50%
Lyngiten,
 User Rank: Apprentice
7/16/2019 | 8:09:49 AM
attack
Only 18 percent of companies says they knew if those vendors were, in turn, sharing that information with other suppliers. That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.
tdsan
50%
50%
tdsan,
 User Rank: Ninja
6/30/2019 | 6:27:35 PM
Re: interesting but there is something we are missing.
We need to implement a "BlockChain" methodology when it pertains to the supply chain (only allow approved vendors), at least we would be able to see who purchased what and how the solution was implemented; that way we can determine if components were added a later time; this gives all interested parties the ability to cross-reference the material purchased (SuperMicro micro-chip was hard to detect but at least we have a way of matching the serial numbers to the device). If there was some tampering, we would know it.

Think about this, if every device emits an RF reading or electrical signature, then we could look for electrical signatures not part of the device (remove the obvious and what remains is the answer). Some sort of inexpensive Xray device that pinpoints RF energy readings.

T
RyanSepe
50%
50%
RyanSepe,
 User Rank: Ninja
6/30/2019 | 8:28:51 AM
Re: interesting but there is something we are missing.
"(they denied it of course)" Deny, deny, deny. Same nonsense is currently going on the wake of the Chernobyl mini-series. Russia, not being a fan of the telling, has decided they would like to create their own where the meltdown was the cause of espionage performed by the Americans.

It's astounding when even Nation-States don't want to have accountability.
tdsan
50%
50%
tdsan,
 User Rank: Ninja
6/29/2019 | 6:54:24 PM
interesting but there is something we are missing.
Do you remember the China hack that occurred with SuperMicro - https://bloom.bg/2OCRfgO. This was an elaborate attempt to place a microchip on the system board where the chip could control and monitor the system from anywhere. This was an elaborate setup by the government of China (they denied it of course) but this chip was state-of-the-art.
Quote - Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

 Also, remember, we are doing the same thing (go back and review Edward Snowden's remarks - https://bit.ly/2o3lvE5. So in order for us to validate the process, the nation-states need to agree to work together and stop this surreptious undercover spy game or it will only continue (I don't see it happening anytime soon), they will find a way.

T
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Keep your eyes open! This area has been prone to WireShark attacks!
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Here’s some insight on what's working – and what isn't – in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14230
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress. One could exploit the id parameter in the set_count ajax nopriv handler due to there being no sanitization prior to use in a SQL query in saveQuestionVote. This allows an unauthenticated/unprivileged user ...
CVE-2019-14231
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. One could exploit the points parameter in the ob_get_results ajax nopriv handler due to there being no sanitization prior to use in a SQL query in getResultByPointsTrivia. This allows an unauthenticated/un...
CVE-2019-14207
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.11. The application could crash when calling the clone function due to an endless loop resulting from confusing relationships between a child and parent object (caused by an append error).
CVE-2019-14208
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to a NULL pointer dereference and crash when getting a PDF object from a document, or parsing a certain portfolio that contains a null dictionary.
CVE-2019-14209
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to Heap Corruption due to data desynchrony when adding AcroForm.