Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management

Analytics

6/27/2019
03:50 PM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
7 comments
Comment Now

7 Ways to Mitigate Supply Chain Attacks

Breaches caused by external vendors and service providers have become a major and escalating problem for organizations.
2 of 8

Stipulate Security Requirements in Your Contracts Security and risk mitigation requirements must be included in an organization's contractual agreement with third-party vendor and service providers, says Rocco Grillo, managing director with professional services firm Alvarez & Marsal. Requirements should include the ability for an organization to audit the third party's security practices and business continuity plans, establish performance standards, and clearly define default and termination terms. The contract should include provisions governing the use of foreign-based service providers and outline data governance and vendor subcontracting rules, he says. 'Ensure contracts include the right to audit the security posture of suppliers by your security team or a third party,' adds Jason Haward-Grau, CISO at PAS Global. 'For suppliers of software of any type, require certification of cybersecurity vulnerability assessment with each release by the supplier.' Image Source: Shutterstock

Stipulate Security Requirements in Your Contracts

Security and risk mitigation requirements must be included in an organization's contractual agreement with third-party vendor and service providers, says Rocco Grillo, managing director with professional services firm Alvarez & Marsal. Requirements should include the ability for an organization to audit the third party's security practices and business continuity plans, establish performance standards, and clearly define default and termination terms. The contract should include provisions governing the use of foreign-based service providers and outline data governance and vendor subcontracting rules, he says.

"Ensure contracts include the right to audit the security posture of suppliers by your security team or a third party," adds Jason Haward-Grau, CISO at PAS Global. "For suppliers of software of any type, require certification of cybersecurity vulnerability assessment with each release by the supplier."

Image Source: Shutterstock

2 of 8
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
 User Rank: Ninja
7/19/2019 | 10:29:39 AM
Re: attack
I agree the customer doesn't care where they get their services from, as long as the service is consistent, on-time it meets their requirements, they would care if it came from Tim-Buck-Too. 

But there is a bigger question to this dilemma; what if they do care where the parts come from and if the supplier added components that were not listed on the SKU (parts listing) and they discovered this device was sending information back to an unknown location where this data was tagged, labeled and could be used for purposes to affect the lives of others. Now the severity and importance have changed (i.e. NSA Prism's - Cisco Firmware upgrade to boards sent to China, France's Monitoring/Phone Tampering, SuperMicro Embedded Micro-Chips, Google/Apple/Microsoft embedded applications to capture user patterns - Telemetry). So now the dynamic changes because now it is affecting the lives of others.



I think we can try to mitigate the process but the problem is not the process, it is the underlying spy game that is being played by nation-states and the competitive advantage they are trying to gain. The root cause of the problem is in front of us, there needs to be clear rules that we both (the US and others) follow where we keep each other accountable to deter the wrong-doings; more nation-state policing such as fines, penalties, and sanctions is the only way to address this problem (use Blockchain's immutable process of capturing purchases and following the process from start to finish but there are ways - Cisco FW and SuperMicro - to step around the process). If this is not addressed at the executive and presidential level, no matter how intricate a process we have in place to monitor and mitigate breaches, there will always be another way to circumvent what we have, there really needs to be a truce.

Supply Chain Process



Todd
tdsan
50%
50%
tdsan,
 User Rank: Ninja
7/16/2019 | 11:30:34 AM
Re: attack
That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.. —Lyngiten

Interesting comment, let me play devil's advocate; if a cloud vendor worked with another cloud vendor to provide a service, would you care where the service came from (if they put it under the AWS umbrella) or would you ignore it and continue?

I think in most instances people they don't care (just like utility companies) where the service comes from, as long as it is reliable, consistent and it meets their business requirements (SLAs).

However, in the case of supply chain mgmt, it is essential to determine if the vendor/supplier is reputable and they are not willing to compromise their integrity. Apple did this when they were faced with the possibility of violating its security framework giving the FBI the ability to hack into their iPhone series.

In the case of SuperMicro, it was evident that one of their suppliers was being influenced by the Chinese government to use microchips on their system boards; so, we would care because it is affecting organizations around the globe (this was a clear and blatant misuse of power).

Todd
Lyngiten
50%
50%
Lyngiten,
 User Rank: Apprentice
7/16/2019 | 8:09:49 AM
attack
Only 18 percent of companies says they knew if those vendors were, in turn, sharing that information with other suppliers. That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.
tdsan
50%
50%
tdsan,
 User Rank: Ninja
6/30/2019 | 6:27:35 PM
Re: interesting but there is something we are missing.
We need to implement a "BlockChain" methodology when it pertains to the supply chain (only allow approved vendors), at least we would be able to see who purchased what and how the solution was implemented; that way we can determine if components were added a later time; this gives all interested parties the ability to cross-reference the material purchased (SuperMicro micro-chip was hard to detect but at least we have a way of matching the serial numbers to the device). If there was some tampering, we would know it.

Think about this, if every device emits an RF reading or electrical signature, then we could look for electrical signatures not part of the device (remove the obvious and what remains is the answer). Some sort of inexpensive Xray device that pinpoints RF energy readings.

T
RyanSepe
50%
50%
RyanSepe,
 User Rank: Ninja
6/30/2019 | 8:28:51 AM
Re: interesting but there is something we are missing.
"(they denied it of course)" Deny, deny, deny. Same nonsense is currently going on the wake of the Chernobyl mini-series. Russia, not being a fan of the telling, has decided they would like to create their own where the meltdown was the cause of espionage performed by the Americans.

It's astounding when even Nation-States don't want to have accountability.
tdsan
50%
50%
tdsan,
 User Rank: Ninja
6/29/2019 | 6:54:24 PM
interesting but there is something we are missing.
Do you remember the China hack that occurred with SuperMicro - https://bloom.bg/2OCRfgO. This was an elaborate attempt to place a microchip on the system board where the chip could control and monitor the system from anywhere. This was an elaborate setup by the government of China (they denied it of course) but this chip was state-of-the-art.
Quote - Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

 Also, remember, we are doing the same thing (go back and review Edward Snowden's remarks - https://bit.ly/2o3lvE5. So in order for us to validate the process, the nation-states need to agree to work together and stop this surreptious undercover spy game or it will only continue (I don't see it happening anytime soon), they will find a way.

T
News
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22539
PUBLISHED: 2021-04-16
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend...
CVE-2021-31414
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
CVE-2021-26073
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
CVE-2021-26074
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
CVE-2018-19942
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QT...