Now is the time for every business, every nonprofit, every government agency, and every organization to take action on supply chain security. In the wake of the SolarWinds attack, we know that Intel, Cisco, VMWare, Microsoft and other technology giants are among the companies known to have been infected with malware linked to Russian hacking groups. Hackers can use their access to these key suppliers to worm their way into all our networks. From there, they can hold us for ransom, take down operations, steal money or intellectual property, and sell or rent access to other cybercriminal gangs.
Precious few details have been released about the cyberattacks, but Microsoft announced that the hackers targeted their source code management systems. No surprise there. We’ve known that hackers have been targeting source code repositories specifically for over a decade, when Google, Adobe, Intel, and many other technology firms were hit. The goal of these well-funded attackers is not to hack one company, but to inject themselves into the very arteries of our technology ecosystem.
Even more frightening: what don’t we know? Microsoft is sophisticated enough to detect a nation-state attack themselves. Software vendor SolarWinds wasn’t; a third party (FireEye) detected and notified the public about their breach. What other technology vendors have been hacked unknowingly, that we will discover in the coming months or years? Perhaps the most impactful intrusions will be the ones that are never discovered. For more information on how to tell if you were impacted by the SolarWinds SUNBURST or SUPERNOVA malware, read our previous blog.
Supply Chain Security Tips
It’s a new year: time to take action. This year, supply chain security will undoubtedly be a hot-button issue. Due to the interconnected nature of the supply chain, it will take all of us working together to piece together an effective supply chain security plan. Here are actions that every organization should take in 2021 to reduce our collective supply chain security risks:
- Aim for Progress, Not Perfection. There’s no such thing as perfect security, and we all take risks to operate, to communicate, and to collaborate. However, most organizations have a big gap when it comes to supply chain security. For 2021, put a supply chain security plan in place, and set realistic goals that will enable you to end the year in a better spot than you started.
- Collaborate. Supply chain security is a global problem, and it’s not realistic to expect individual organizations to manage this daunting task alone. Get involved! Your approach will depend on your unique organization and team members. For example, you can start by raising the topic of supply chain security standards in your local infosec meetup, or on your favorite infosec mailing list. If you participate in an industry ISAC or association, make sure to put supply chain security on your regular agenda this year, and work towards a consensus on standards. Together, we can develop more effective best practices and incentivize suppliers to invest in cybersecurity.
- Vet Your Suppliers. Do you have a supplier vetting program? If not, 2021 is the year to create it! Even if you do, there’s always room for improvement. This year, aim to document any informal processes, create templates, and establish more consistent routines. Remember, it’s not enough to review a supplier once—you need to regularly check your supplier’s risk profile, especially since the cybersecurity threat landscape is constantly changing. Read our vendor vetting blog to review best practices.
- Prioritize Suppliers Based on Risk. When you conduct vendor vetting, make sure you prioritize your highest-risk suppliers first. It’s not practical or cost effective to vet every vendor with equal scrutiny. Instead, consider which suppliers have privileged access to your IT resources and/or sensitive data, and carefully examine these suppliers most frequently and with the greatest rigor. Revisit your supplier risk ratings at least annually.
- Limit Access. You can cut down on your work and your supply chain security risks by limiting suppliers’ access to your IT resources and sensitive data. Often, suppliers have more access than they really need and consequently pose more risk to your organization than necessary. Conduct a review of supplier access at least annually, and limit access to the minimum necessary for them to get the job done.
- Request Third-Party Security Assessments. In many cases, you don’t need to spend your own time and resources vetting your suppliers. Often, suppliers already undergo their own third-party security assessments (or they should). This is particularly true of suppliers that support customers in highly regulated industries, such as healthcare or financial services. Proactively ask to see summaries or evidence of annual cybersecurity reports, such as penetration testing results, risk assessments, SOC-2 assessments, etc. If the supplier cannot or will not provide a report, or at least a summary/letter of attestation, consider that a red flag.
- Make Sure Your Suppliers Vet Their Suppliers. Fourth- and fifth party supply chain risks are real and have led to costly data breaches. Make sure that your vendors have a process for vetting their own supply chains. The NIST Cybersecurity Framework includes a subsection for supply chain risk management (ID.SC); suppliers that use this as their controls framework will have a good foundation for implementing their own vetting programs.
- Verify Software Lifecycle Security. As demonstrated by the SolarWinds malware, well-funded hacking groups are targeting software firms, with the goal of injecting their malware into a multitude of customer networks. Ensure that any software provider you work with has a strong software development security program, as well as security measures that extend through the distribution process. Remember, your cybersecurity depends on their cybersecurity.
- Understand Detection Capabilities. Are your suppliers capable of detecting an intrusion—or would malware sneak by unnoticed? Make sure your high-priority suppliers actively monitor their IT environments and have effective programs in place to detect threats (both internal and external).
- Require Timely Reporting. When suppliers detect a hacker, much of the time there is no requirement to report an intrusion unless it affects personally identifiable information (PII). Unauthorized access to source code or other private intellectual property is rarely reported to the public (unless the hackers threaten extortion). Even when suppliers do report cybersecurity incidents to customers, often this is only after a long delay (as Blackbaud customers discovered when they were notified two months after a ransomware gang revealed that they had stolen customer data). Ensure that your supplier contracts clearly spell out the circumstances that require notification and the acceptable time frames, as well as consequences for violations.
Supply chain security affects all of us. The problem is too large for any one organization to tackle alone. By collectively pushing for a stronger baseline of standards, we can achieve greater supply chain security and reduce risk throughout the whole technology ecosystem.
If you need assistance with supplier vetting or ramping up your program, contact our team of cybersecurity experts. We are always happy to help.