Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/27/2017
11:00 AM
Dan Dahlberg
Dan Dahlberg
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Steps to Reduce Risk in Your Supply Chain

Many companies have very limited visibility into their vendors' security posture -- and some may have thousands of vendors. Here are steps that every company should take to lock down their supply chains.

In June, the compromise of an update server for a Ukrainian accounting software platform MeDoc led to the widespread distribution of NotPetya ransomware. A dozen known corporate victims suffered damages already exceeding $500 million.

Around the same time, attackers had infiltrated the network of Piriform, the maker of the popular system-maintenance program CCleaner, infecting two versions of the program that were distributed to more than 2.3 million systems over the month that the attack remained undetected. Files recovered from the command-and-control server showed that the malware infected some 700,000 systems in the final four-day window of the program's spread. (The attackers appear to have regularly deleted all logs, hiding whatever actions they took the other 26 unmonitored days.) The attackers also attempted to specifically target at least 20 companies with additional malware, including major networking hardware and office-electronics providers, such as Cisco, D-Link, Epson, HTC Group, Intel, Linksys, Samsung, Sony, and VMware.

If companies were not watching their software supply chain before the summer, these two events should push them to do so now. Although many companies have focused on shoring up their own security, they have very limited visibility — if any — into their vendors' security posture. Many companies can have hundreds or even thousands of vendors. In many cases, information security teams do not know who those vendors are. Here are three steps that every company should take to lock down their supply chains.

1. Know your business and software vendors. Ever since 9/11, banks have been required to "know their customers." Today, companies should take that advice to heart as well. Over the past several years, more attention has been directed to those vendors for which a company conducts business. These recent attacks have shown that this also applies to all direct and indirect dependencies on their entire operations. While accounting or another part of the organization likely has knowledge of these vendors, security teams might not be appropriately informed.

2. Measure security and determine metrics. As early as possible, security teams need to determine how they are going to measure security. However, there generally is a lack of metrics to determine a company's security posture. In the past, most companies have relied on a vendor's management certifying that they are following a list of best practices.

A variety of metrics and best practice documents are available today, from the Building Security in Maturity Model and its open-source cousin the Open Group Service Integration Maturity Model to the National Institute of Standards and Technology Cyber Security Framework. In addition, the ability to gauge security from external indicators has led to a rapidly evolving rating ecosystem.

While the security team is adopting a process to measure the security of vendors, it should also consider what its own requirements will be. These requirements will vary, depending on the level of access that the vendors — or their products — will have to the company's network.

3. Be proactive with vendors. Finally, companies need to be proactive and bring up the topic of security with vendors regularly. Many companies make sure that they have different policies and technologies in place, but unless they regularly address those issues with their vendors to ensure they are complying, it is more likely that issues will arise.

Larger companies have the benefit of having deeper security expertise, with which they can monitor their vendors. But increasingly, security requirements will flow downstream, and unless smaller contractors can meet requirements, they may lose business.

As attackers focus on vendors as a way to gain entry into their customers' systems, the security of the supply chain will become even more important. Companies need to address these issues today, before the next attack.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

As a Research Scientist at BitSight, Dan Dahlberg is responsible for researching the latest vulnerabilities and threats to understand at a technical and practical level how they affect the risk profile of organizations. He is also responsible for discovering new sources of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RussD653
50%
50%
RussD653,
User Rank: Strategist
11/2/2017 | 10:10:59 AM
Third party rating services
Working for a world wide manufacturing company we do not have the resources to monitor all our vendors which number in the thousands. so we employ a third party rating service which is a valualble solution. 

Although BitsightTech are not perfect, we leverage them to do a lot of the leg work which we do not have the band width to tackle.

 

 
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...