Supply Chain Security Best Practices
Your organization's security is only as strong as its weakest link, and that link could be your vendors. Supply chain attacks surged in 2022: according to the Identity Theft Resource Center's 2022 data breach report, supply chain attacks outnumbered malware-based attacks by 40%. So how can you reduce your organization's risk? Let's start by looking at some of the different types of supply chain attacks, and then we'll share supply chain security best practices that will help you minimize your organization's risk.
Supply Chain Attacks Deliver High Impact Data Breaches
One of the reasons criminals have increased their focus on supply chain attacks is simple: a single breach of a shared provider can compromise thousands of downstream targets at once. There are many ways a supply chain breach can occur. Let's look at some of the common patterns:
- Attacking a service provider. In March 2023, the data of roughly 9 million AT&T customers was exposed when one of AT&T's marketing vendors was hacked. AT&T itself was not breached; the attacker stole customer data that the vendor held on AT&T's behalf.
- Compromising a software vendor to distribute malware in its product. One of the worst supply chain attacks to date was the SolarWinds attack. In late 2020, attackers who had breached SolarWinds inserted a backdoor into builds of its Orion network management software, which is deeply embedded in the networks of tens of thousands of organizations. Because SolarWinds did not know it had been breached, its signed software updates carried the malware (and the backdoor it opened into each network) to roughly 18,000 customers. SolarWinds' customer base included high-profile technology companies such as Microsoft and Cisco, 425 of the U.S. Fortune 500, and the U.S. DoD, DoJ, and DHS, among many others. One of the worst aspects of this type of breach is that the attack arrived from a trusted provider whose software held administrative access to many customer systems and was often excluded from malware scans.
- Exploiting a vulnerability in a commonly used code library. You may remember the infamous Log4Shell exploit (CVE-2021-44228), in which a zero-day vulnerability in the widely used Apache Log4j Java logging library affected a staggering number of organizations, systems, and services. Log4j is a component of many software products and services, and organizations such as SAP, Apple, Tesla, VMware, Cisco, and many, many others were scrambling to patch their internal software and ship fixes for their own products. Nobody had to breach a vendor in this case: the flaw was simply present in a library that almost everyone shipped, and for most organizations the hard part was finding out where it was running.
- Software as a Service (SaaS) and cloud breaches. Many companies store a significant amount of data in the cloud and use SaaS applications as an integral part of their operations. When one of these vendors is breached, your information can be exposed. One example is LastPass. In August 2022, an attacker compromised a LastPass developer's account and stole source code and technical information from the development environment. Later that year, the attacker used that material in a second intrusion, targeting a DevOps engineer to obtain the keys to LastPass's cloud backups, and copied customer vault data: encrypted password entries along with unencrypted fields such as website URLs, plus customer metadata, some API keys, and MFA seeds. Because each vault is encrypted with a key derived from the user's master password, the stolen vaults can be attacked offline, and users with weak master passwords or low iteration counts are at real risk of having their credentials recovered.
As you can see in these examples, your vendor’s risk is your cybersecurity risk. Now that we’ve looked at some of the ways supply chain attacks happen, let’s dig into the supply chain security best practices so you can reduce your organization’s risk.
Supply Chain Security Best Practices
One of the key ways your organization can reduce risk is to follow supply chain security best practices. NIST publishes a whole body of guidance on cybersecurity supply chain risk management (NIST SP 800-161 Rev. 1) for those of you who want to dive into all of the details. To make your life simpler, we have summarized the NIST guidance into five steps and added actionable supply chain security best practices you can implement to reduce risk:
- Develop your supply chain security processes. This responsibility is commonly assigned to the risk management, information security, or compliance department. Important steps to include:
  - Assign roles and responsibilities. Defined roles and tasks create accountability for both the initial and the ongoing supply chain security effort.
  - Identify key stakeholders. Ensure you have a team that can develop policies that balance your organization's business needs against its risk.
  - Establish security standards and requirements for your suppliers (and, for critical services, for their suppliers as well).
  - Develop a standard methodology for prioritizing and assessing suppliers. Consider using an existing questionnaire for information gathering, such as the Shared Assessments Standard Information Gathering (SIG) or SIG Lite questionnaire.
  - Develop vendor communication tools, escalation processes for non-conforming suppliers, vendor feedback and input processes, and timelines for regular program review.
  - Track current industry standards and resources to inform program development and revision.
  - Review and revise your supplier risk management program on a regular basis.
- Know yourself and your suppliers. In a survey by Venminder, 80% of organizations reported having more than 100 vendors, and more than half had over 300. With that many third parties holding your data or accessing your systems, the supply chain is a substantial attack surface. You need to identify and understand your risk before you can reduce it, so you should:
  - Regularly conduct data mapping and asset inventory. Classify your information resources based on their confidentiality, integrity, and availability requirements.
  - Carefully enumerate your suppliers, so that you have a complete and correct list. This includes big partners such as SaaS providers like Microsoft 365, all the way down to services like GoDaddy that you may use for website hosting or domain registration.
  - Determine what data each supplier holds, or what IT resources they manage, and what the impact would be if confidentiality, integrity, or availability were affected.
  - Prioritize your suppliers, taking into account their level of access to sensitive data and critical resources.
  - Routinely review your list of suppliers, as well as the prioritization, to ensure it remains up to date.
  - Minimize supplier access. The fewer resources a supplier can reach, the less a breach at that supplier can do to you. Give each supplier its own named accounts scoped to the work it actually performs, rather than shared or standing administrative access, and remove that access when the engagement ends.
- Delegate requirements through contracts. Establish standard clauses with minimum requirements and include them in your vendor contracts. They should address security controls, assessments, breach notification, and breach response; track any exceptions so you can revisit them periodically.
  - For software suppliers, require vendors to provide an SBOM, a software bill of materials that is essentially the list of ingredients (libraries, frameworks, and their versions) that go into the vendor's product, typically delivered in a machine-readable format such as SPDX or CycloneDX. Executive Order 14028 made SBOMs an expectation for software sold to the U.S. federal government, and an increasing number of suppliers now have them available. If a supplier does not, you can generate one yourself with open-source tools such as Syft or Microsoft's sbom-tool, or with commercial products from Sonatype, MergeBase, Veracode, and others, though an SBOM produced by the vendor at build time is more complete than one reconstructed from a shipped binary. This inventory of the code libraries and versions in your environment is crucial, because it lets you determine quickly whether your organization is affected when a vulnerability is disclosed in a library or software version.
- Assess supplier risk. Review your suppliers and see how each vendor measures up against your cybersecurity requirements.
  - Conduct vendor security reviews. Prioritize reviews based on the sensitivity and volume of data each vendor holds. Most organizations don't have the time to evaluate all of their suppliers at once, but you can significantly reduce your supply chain risk by tackling the high-priority vendors first.
  - Track and assess your risk from each supplier. To streamline the vendor vetting process, consider a SaaS tool such as Venminder, OneTrust, Vanta, or one of many others.
  - Collect technical security test results. Many organizations require high-priority vendors to provide proof of a penetration test at least annually. Often, vendors will submit a letter of attestation, which usually includes a brief summary of the results, what was tested, and the qualifications of the tester. If a vendor provides you with custom code or applications, you should also have that application penetration tested periodically and after any major change.
- Integrate key suppliers into your response planning:
  - Keep a list of suppliers with their 24-hour support lines in your incident response plan, and keep that information up to date.
  - Document the response processes that relate to your critical suppliers, so you know what to expect from them during an incident.
  - Establish a single point of contact for suppliers to reach in case of any incident, and share this information with all suppliers. Designate a backup in case that person is out sick or on vacation.
  - Conduct tabletop exercises as part of your IR planning, and invite your high-priority suppliers that handle sensitive information to participate so you can identify and fix process gaps. The practice pays off: IBM's 2022 Cost of a Data Breach report found that organizations with an incident response team that regularly tested its plan had average breach costs roughly $2.6 million lower than organizations with neither.
  - Some additional questions to ask your MSPs (managed service providers) and any other vendor that holds your sensitive information:
    - Will the supplier notify you if they suspect a breach? If so, what is the guaranteed notification timeframe?
    - Will they provide you with evidence relating to the breach, such as log data?
    - Who covers the investigation and notification costs if one of your vendors is breached? Does your insurance, or theirs, cover any of the costs?
    - Will they notify you if one of their own suppliers (a fourth or fifth party from your point of view) is breached? If so, when?
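The reason the SBOM step above matters is that answering "are we affected?" becomes mechanical once you hold machine-readable bills of materials. The following Python script is an added example written for this page, not code from NIST, from any of the tools named above, or from any vendor. It walks a CycloneDX JSON SBOM, parses each component's package URL (purl), and compares the version against the affected range that the Apache Log4j advisory published for CVE-2021-44228 (2.0-beta9 through 2.14.1 vulnerable, fixed in 2.15.0, with 2.12.2 and 2.3.1 as backported fixes). The SBOM document, the application names billing-service and reporting-portal, and their dependency versions are constructed sample data; the purl syntax and the version-range rule are real.

```python
"""Check a CycloneDX JSON SBOM against a known-affected version range.

Added example for this page. The SBOM, application names and dependency
versions are constructed sample data, not output of any real vendor or tool.
"""
from __future__ import annotations

import json
import re
from typing import Iterator

# Constructed CycloneDX 1.4 document. The purl syntax
# (pkg:<type>/<namespace>/<name>@<version>) is real; the contents are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "billing-service", "version": "3.2.0",
         "components": [
             {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
             {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
         ]},
        {"type": "application", "name": "reporting-portal", "version": "1.8.4",
         "components": [
             {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
             {"type": "library", "purl": "pkg:npm/lodash@4.17.21"},
             {"type": "library", "name": "internal-utils"},  # no purl, no version
         ]},
        # Backported fix release on the Java 7 line, listed at top level.
        {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
    ],
})

# Affected range from the Apache Log4j advisory for CVE-2021-44228. Later CVEs
# moved the recommended version to 2.17.1; a real check loads every advisory.
RULE = {
    "id": "CVE-2021-44228",
    "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "introduced": "2.0-beta9",   # first vulnerable release
    "fixed": "2.15.0",           # first release with the fix
    "also_fixed": {"2.12.2", "2.3.1"},  # backported fixes inside the numeric range
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> tuple:
    """Comparable key for Maven-style versions: 2.0-beta9 < 2.0-beta10 < 2.0 == 2.0.0.

    Numeric segments compare as integers; an alphabetic segment (beta, rc, ...)
    ranks below a numeric one in the same position. Trailing .0 segments are
    dropped, and a sentinel makes a release outrank its own pre-releases.
    """
    key = []
    for token in _TOKEN.findall(version):
        key.append((1, int(token), "") if token.isdigit() else (0, 0, token.lower()))
    while key and key[-1] == (1, 0, ""):
        key.pop()
    key.append((2, 0, ""))
    return tuple(key)


def split_purl(purl: str) -> tuple[str, str | None]:
    """Split 'pkg:npm/lodash@4.17.21?q=1#sub' into ('pkg:npm/lodash', '4.17.21')."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def iter_components(node: dict, parent: str = "<top level>") -> Iterator[tuple[str, dict]]:
    """Walk nested CycloneDX components depth-first, yielding (owner label, component)."""
    for comp in node.get("components", []):
        yield parent, comp
        yield from iter_components(comp, parent=comp.get("name") or comp.get("purl", "?"))


def is_affected(version: str, rule: dict) -> bool:
    """True if version is in [introduced, fixed) and is not a backported fix release."""
    if version in rule["also_fixed"]:
        return False
    return version_key(rule["introduced"]) <= version_key(version) < version_key(rule["fixed"])


def find_affected(sbom_json: str, rule: dict) -> dict:
    """Return {'affected': [...], 'unidentified': [...]} for one SBOM and one rule.

    A component with neither a purl nor a version cannot be cleared by any
    rule; it is reported rather than silently passed.
    """
    affected, unidentified = [], []
    for parent, comp in iter_components(json.loads(sbom_json)):
        purl = comp.get("purl")
        if not purl:
            if not comp.get("version"):
                unidentified.append({"name": comp.get("name", "?"), "found_in": parent})
            continue
        name, version = split_purl(purl)
        if version is None:
            unidentified.append({"name": name, "found_in": parent})
        elif name == rule["purl_prefix"] and is_affected(version, rule):
            affected.append({"advisory": rule["id"], "purl": purl,
                             "version": version, "found_in": parent})
    return {"affected": affected, "unidentified": unidentified}


if __name__ == "__main__":
    report = find_affected(SAMPLE_SBOM, RULE)
    for hit in report["affected"]:
        print(f"{hit['advisory']}: {hit['purl']} (in {hit['found_in']})")
    for comp in report["unidentified"]:
        print(f"cannot evaluate {comp['name']} (in {comp['found_in']}): no purl or version")
```

Run as-is, it reports the one vulnerable log4j-core (2.14.1 inside billing-service) and the one component it could not identify. Two details are the ones that bite in practice: the 2.12.2 backport sits inside the numeric range but is a fixed release, so a naive "less than 2.15.0" check would raise a false positive, and a component that carries no purl and no version is surfaced as a gap in the SBOM rather than quietly treated as safe. In a real program you would load the rules from an advisory feed such as OSV instead of hand-writing one, and run the check across every SBOM your vendors have delivered.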
Creating a Long-Term Plan
Effective supply chain security doesn't happen overnight. Take it step by step: implement as many of these best practices as you can, start with your highest-risk suppliers (those with the most access to your data and systems, since this alone delivers a significant risk reduction), and create a long-term plan for the rest. Please contact us if you need help securing your supply chain, vetting vendors, or creating your supply chain security policies and procedures.