
Steve Caimi, Industry Solutions Specialist, Cisco Secure
Sponsored Article

Cybersecurity Supply Chain Risk Is Not a Zero-Day Threat

With an increasing number of public supply chain attacks, it's important to remember that there are established frameworks that can significantly reduce risk.

Supply chain attacks are big news in 2021, impacting the daily lives of people around the world.

There has been no shortage of supply chain security incidents in 2021. The SolarWinds attack, first publicly reported in December 2020, spread to thousands of organizations. Colonial Pipeline was hit by a ransomware incident that affected the fuel supply across the East Coast of the US. There was even a ransomware attack against meat supplier JBS, and at the beginning of July the Kaseya attack hit more than 1,500 businesses around the world.

Supply chain security is not a new topic, but the intensity of attacks with real-world consequences in 2021 has brought renewed focus to the issue. While supply chain security is receiving new attention, there are well-established frameworks and best practices that organizations can take advantage of today to help minimize supply chain risk now.

Supply Chain Security Is Not a New Topic
The National Institute of Standards and Technology (NIST) has issued a great deal of guidance over the last decade that bears directly on supply chain security. In 2013, as a result of President Obama's Executive Order 13636, the NIST Cybersecurity Framework was created to help improve critical infrastructure security.

NIST also has a specific set of guidelines and recommendations, known as Cyber Supply Chain Risk Management (C-SCRM), that have been available since at least 2016. The C-SCRM guidelines draw on multiple efforts, including NIST SP 800-161, titled "Supply Chain Risk Management Practices for Federal Information Systems and Organizations," which was released in 2015. NIST SP 800-53, published in 2020, goes a step further by defining security and privacy controls. More recently, NISTIR 8276, released in February 2021, identifies key practices in cyber supply chain risk management.

So, with all that guidance already available, why do supply chain cybersecurity incidents continue to occur? There are many possible reasons, including a lack of awareness of the proactive steps organizations can take to reduce risk. Some organizations may also simply believe that they aren't at risk and that the guidance does not apply to them.

The reality is that software runs the world, and all software is built with a supply chain. It's time that organizations of all sizes recognize that supply chain security is a risk that affects us all.

Challenges of Supply Chain Management
While there are established frameworks and guidance, cybersecurity supply chain management is often not a simple task.

It can be difficult for organizations to understand the whole supply chain, because suppliers often rely on other suppliers. As supply chains grow more complex, the visibility many organizations have into them declines correspondingly.

Cyber supply chain risk management is, in many ways, not a technology discussion at first. Rather, it is about acknowledging the need for a formal program around cybersecurity risk management, actually putting a plan in place, and embedding it in the organization's overall risk plan.

The Path to Cyber Supply Chain Risk Management
At the upcoming Black Hat USA 2021 event this summer, Cisco has a session titled "The Side Door: Don't let your suppliers or partners open it for cyberattacks," where we'll provide some prescriptive guidance on how to limit cyber supply chain risk.

A key part of that guidance is to have a formal supply chain risk management program, as it's critical for organizations to have visibility into their own supply chains. Organizations need to understand who they are doing business with and how suppliers secure data and application development. Visibility into security processes from suppliers should be considered as part of any buying decision.

While process has a key role to play in supply chain risk management, so too does technology.

Implementing network segmentation, so that operational technology and information technology networks are separated, is a key best practice. The concepts of least-privilege access and zero trust are also important, because organizations should grant only the access needed for a service to run. Visibility into network activity via DNS is another core recommendation: many types of attacks attempt to communicate with external resources, and DNS can be leveraged as a control point to limit that risk.
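As an added example (not code from the article or from Cisco), here is one way DNS can act as the control point described above: a small Python check that reads resolver log lines and flags hosts in a segmented OT network resolving names outside an approved supplier allowlist, plus long random-looking labels that merit investigation. The segment range, allowlist, log format and log lines are all constructed for the example.

```python
import math
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical segment policy: hosts in the OT network may only resolve a few
# approved supplier and infrastructure domains (least privilege applied to DNS).
OT_SEGMENT = ip_network("10.50.0.0/16")
OT_ALLOWED_DOMAINS = {"vendor-updates.example", "ntp.example", "corp.example"}

# Constructed resolver log, one query per line: "<time> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2021-07-09T09:00:01Z 10.50.1.20 api.vendor-updates.example A
2021-07-09T09:00:02Z 10.50.1.20 time.ntp.example A
2021-07-09T09:00:03Z 10.50.1.44 cdn.unapproved-site.example A
2021-07-09T09:00:04Z 10.50.1.44 a9f3k2lq0zx7bn4vr8we1tyu6ic5.corp.example TXT
2021-07-09T09:00:05Z 10.10.3.7 cdn.unapproved-site.example A
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of one DNS label; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name; sufficient for the constructed data."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyse_dns_log(log_text: str) -> list:
    """Return one alert string per policy violation found in the log."""
    alerts = []
    for line in log_text.splitlines():
        ts, client, qname, qtype = line.split()
        # Segmentation + least privilege: OT clients must stay on the allowlist
        if ip_address(client) in OT_SEGMENT and \
                registered_domain(qname) not in OT_ALLOWED_DOMAINS:
            alerts.append(f"{ts} {client} resolved non-allowlisted {qname}")
        # Long, near-random leftmost label: a common sign of data leaving via DNS
        first = qname.split(".")[0]
        if len(first) >= 20 and shannon_entropy(first) > 3.5:
            alerts.append(f"{ts} {client} high-entropy label in {qname} ({qtype})")
    return alerts


if __name__ == "__main__":
    for alert in analyse_dns_log(SAMPLE_LOG):
        print(alert)
```

The corporate-segment client (10.10.3.7) is not alerted on, which is the point of segmentation: the policy is scoped to the network that needs the tightest control.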

Attacks against supply chains are likely to continue, but there are steps organizations can and should take now. Cyber supply chain management should not be a mystery; it should be a well-defined, methodical combination of process and technology that helps mitigate risk.

About the Author

Steve Caimi is an Industry Solutions Specialist at Cisco Secure who helps organizations efficiently and effectively manage their cybersecurity programs and achieve compliance goals. He advocates a risk-based approach based on industry standards and best practices that guide organizations to the improvements that matter the most. 
Prior to joining Cisco, Steve held various product management, engineering, and solution architecture positions at HP Enterprise Security, CA Technologies, UUNET Technologies, and Citigroup. He earned a Master of Business Administration from Virginia Tech and a Bachelor of Science in Electrical Engineering from Penn State University. He is also a Certified Information Systems Security Professional (CISSP).
