Modern businesses thrive on their ability to quickly integrate with third parties. This includes clients, as well as organisations that assist in enabling core business functions. This integration provides benefits to the business, but also carries an inherent level of risk.
In this article we’re going to look at some security considerations that should be taken into account when dealing with supply chain security.
Understanding the Threat
Attacking organisations with a mature security programme is a challenging undertaking. It requires time, money and resources. Threat actors understand this, and will pursue the path of least resistance to reach their objectives. At the end of the day, they are aiming to turn a profit.
Often that path of least resistance runs through smaller, less mature organisations that have trusted connections to larger, more profitable (and therefore more attractive) targets.
In penetration testing, moving through a network from an initial foothold to reach systems with weaker security or access to sensitive information is called “pivoting”. It exposes the weak underbelly of an organisation's security posture. A supply chain attack applies the same idea across organisational boundaries.
Supply chain attacks occur when a malicious actor gains access to a company's systems by first compromising a third party that does business with the target organisation. This can be carried out in a number of ways:
- Using direct network connectivity, such as Virtual Private Networks (VPNs) or other site-to-site links, that the third party has into the target's network
- By compromising the integrity of third party software (or its update mechanism) which is then deployed in the target organisation
- Social engineering: compromising a third party who is considered trusted allows an attacker to send forged communications, such as bank transfer orders, from a legitimate account
Examples of failings in supply chain security are rife.
One of the most notorious attacks occurred in 2020 when the infrastructure software company SolarWinds was compromised. The attackers used their access to the SolarWinds build environment to insert a backdoor into a software update, which was then downloaded by around 18,000 customers, including the U.S. federal government.
In 2021 the trend continued when the IT management software developer Kaseya was breached, putting thousands of its managed service provider customers, and their clients in turn, at risk.
Protecting information starts with good governance rather than with technical minutiae.
Your organisation should be asking the following questions:
Do I understand my security requirements?
To effectively protect information, you need to:
- Be aware of its existence.
- Understand its importance.
- Understand what regulatory requirements apply to it.
These tasks may sound trivial, but even in smaller organisations the amount of data held can be enormous. Multiple technical solutions exist to classify data and impose a taxonomy on it, but they need to be combined with good processes and procedures.
Do I know what controls are in place?
- You probably have a good understanding of the controls that protect data on your own network, but what happens when that information leaves your organisational boundary and sits with a supplier or partner?
- Are your existing security controls actually effective at protecting data while it is inside your organisational boundary?
Do I understand the threat?
According to the European Union Agency for Cybersecurity (ENISA), more than 50% of supply chain attacks were attributed to well-known threat groups such as APT29, APT41, Thallium APT, UNC2546, Lazarus APT, TA413 and TA4.
Understanding the motivations and technical capabilities of your adversaries is essential. It allows you to select cost-effective security controls that address the actual threat rather than a perceived one.
A defence contractor for instance would likely have a very different threat model to a retail outlet.
Information Sharing and Analysis Centres (ISACs) can provide threat intelligence tied to industry verticals. This includes information on the known threat groups targeting a particular industry and their Tactics, Techniques and Procedures (TTPs: how they conduct operations).
From a supply chain perspective, building collaborative relationships with third party security teams is beneficial. Learning promptly that a supplier has suffered a security breach allows you to update your own threat model and controls accordingly.
Do I know who I’m doing business with?
This is a key element of supply chain security. To understand the security posture of your partners, the following questions should be asked:
- What level of trust am I placing in these partners, and what access does that trust translate into?
- What security controls do my business partners have in place?
- Do they in turn integrate with their own third party suppliers, and if so what security controls do those suppliers have in place?
- Are their subcontractors contractually required to meet a similar set of security standards?
- If purchasing software from a third party, what assurance do I have that the product has been designed and tested methodically from a security standpoint?
- If using open source software, is any review of the code, its dependencies and its provenance carried out before it is deployed?
Baseline standards should be set for third parties that wish to integrate with your business. Do they hold ISO 27001 or Cyber Essentials certification? If not, can they demonstrate an equivalent level of control?
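The last two questions above come down to one technical control that is cheap to automate: before any third party software (commercial or open source) is deployed, confirm that what you are about to install is byte-for-byte what the vendor or project published. The script below is an added example, not code from the original article or from IRM. It checks a release bundle against a manifest of pinned SHA-256 digests and flags mismatched, missing and unexpected files. The file names, contents and digests are constructed for the demonstration; in practice the pinned digests come from the vendor out of band (signed release notes, a channel separate from the download) and are kept in version control.

```python
"""Added example (not from the original article): gate a third party
release bundle on pinned SHA-256 digests before it is deployed.

In practice the pinned digests would come from the vendor out of band
and live in version control; here they are derived from constructed
sample bytes so the script runs offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: Path, expected_sha256: str) -> bool:
    """True only if the file's digest matches the pinned value exactly."""
    return hmac.compare_digest(sha256_of_file(path), expected_sha256.lower())


def check_release(bundle_dir: Path, pinned: dict[str, str]) -> dict[str, str]:
    """Report every file in the bundle against the pinned manifest.

    ok          digest matches the pinned value
    MISMATCH    file present but its content differs from what was pinned
    MISSING     pinned file absent from the bundle
    UNEXPECTED  file present that the manifest never listed (a stray binary
                dropped into a release bundle must not deploy silently)
    """
    report: dict[str, str] = {}
    for name, digest in pinned.items():
        target = bundle_dir / name
        if not target.is_file():
            report[name] = "MISSING"
        else:
            report[name] = "ok" if verify_artifact(target, digest) else "MISMATCH"
    for entry in bundle_dir.iterdir():
        if entry.name not in pinned:
            report[entry.name] = "UNEXPECTED"
    return report


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed sample: one clean bundle and one tampered bundle."""
    agent = b"vendor-agent-1.2.3 installer bytes\n"   # constructed content
    lib = b"vendor-lib-1.2.3 shared object bytes\n"   # constructed content
    # Stands in for the vendor-published manifest (an assumption for the demo).
    pinned = {
        "agent.bin": hashlib.sha256(agent).hexdigest(),
        "lib.so": hashlib.sha256(lib).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        clean.mkdir()
        (clean / "agent.bin").write_bytes(agent)
        (clean / "lib.so").write_bytes(lib)

        tampered = Path(tmp) / "tampered"
        tampered.mkdir()
        (tampered / "agent.bin").write_bytes(agent + b"\x90")          # one byte appended
        (tampered / "extra.dll").write_bytes(b"not in the manifest")  # lib.so deliberately absent
        return check_release(clean, pinned), check_release(tampered, pinned)


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), demo()):
        print(label, report)
```

A digest check only proves the bundle matches what was pinned; it says nothing about whether the vendor's own build was clean, which is exactly the SolarWinds case. It does, however, stop the far more common failure of a modified download, a stale mirror or an extra file slipped into a bundle, and it makes the deployment pipeline fail closed rather than open.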
How do I know my security controls are working as intended?
Getting third parties to agree to meet baseline security measures is a good first step, but ideally those controls should then be reviewed by an independent third party. A security partner should be able to assist with the following:
- Configuration reviews: reviews of boundary security devices such as firewalls and routers to ensure their configuration meets industry best practice.
- Boundary testing: confirms that networks are correctly segmented. Typically this follows on from a configuration review, to verify that the rulesets reviewed on paper are actually taking effect on the wire.
- Penetration testing: a security assessment performed from the perspective of an attacker. This provides the highest level of assurance that controls are operating as intended.
- Incident response: even the most mature organisations can suffer a security breach. When this occurs, incident response should be conducted to identify, contain and eradicate the threat.
Supply chain attacks are on the increase, so ensuring that the third parties you do business with implement basic cyber security measures is essential.
Implementing a pragmatic set of security controls, coupled with verifying that those controls are working as intended, is the most effective strategy.
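Boundary testing is worth making concrete, because it is the step that catches the gap between what a firewall review says and what the network actually does. The script below is an added example, not IRM's tooling or code from the original article. It takes a list of expectations derived from the reviewed ruleset (what a supplier VPN zone should and should not be able to reach) and compares each against an observed TCP connection attempt. The zone, addresses and ports are assumptions; the sample run uses a constructed probe so it works offline, while the real probe is included for use from a host in the zone under test.

```python
"""Added example (not from the original article): expectation-driven
boundary test for a supplier connection.

Each expectation records what the reviewed firewall ruleset says should
(or should not) be reachable from the zone the test is run in. The real
probe opens a TCP connection; the sample run substitutes a constructed
probe so the script works offline. All addresses, ports and zone names
are assumptions for the demonstration.
"""
import socket
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Expectation:
    description: str
    dst: str
    port: int
    allowed: bool   # what the reviewed ruleset says


@dataclass(frozen=True)
class Finding:
    expectation: Expectation
    verdict: str    # SEGMENTATION_GAP or BROKEN_PATH


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: a completed TCP handshake means the path is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_boundary_test(expectations, probe: Callable[[str, int], bool] = tcp_reachable) -> list[Finding]:
    """Compare observed reachability with the ruleset's intent.

    SEGMENTATION_GAP: traffic the ruleset should block gets through
                      (the review said 'deny' but the wire says 'allow').
    BROKEN_PATH:      traffic the business depends on is blocked.
    """
    findings: list[Finding] = []
    for exp in expectations:
        observed = probe(exp.dst, exp.port)
        if observed and not exp.allowed:
            findings.append(Finding(exp, "SEGMENTATION_GAP"))
        elif not observed and exp.allowed:
            findings.append(Finding(exp, "BROKEN_PATH"))
    return findings


# Constructed expectations for a run from inside the supplier VPN zone.
SUPPLIER_VPN_EXPECTATIONS = [
    Expectation("supplier reaches the integration API", "10.0.1.10", 443, True),
    Expectation("supplier must not reach the domain controller (SMB)", "10.0.2.5", 445, False),
    Expectation("supplier must not reach the domain controller (LDAP)", "10.0.2.5", 389, False),
    Expectation("supplier must not reach the finance database", "10.0.3.7", 1433, False),
]


def fake_probe(host: str, port: int) -> bool:
    """Constructed observation: the API is reachable as intended, but SMB to
    the domain controller is also open, i.e. one rule is not taking effect."""
    return (host, port) in {("10.0.1.10", 443), ("10.0.2.5", 445)}


if __name__ == "__main__":
    for f in run_boundary_test(SUPPLIER_VPN_EXPECTATIONS, probe=fake_probe):
        print(f"{f.verdict}: {f.expectation.description} "
              f"({f.expectation.dst}:{f.expectation.port})")
```

Run with the default `tcp_reachable` probe from a host that actually sits in the supplier zone, otherwise the results describe the wrong vantage point. The probe is TCP only; UDP and ICMP paths need their own checks, and a closed port on a reachable host still counts as "not reachable" here, so keep the expectation list to services that are genuinely listening.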
How can IRM help protect your business?
Please contact firstname.lastname@example.org for more information.