Supply chain security is becoming an ever more pressing concern for many businesses, yet it is a very complex problem to approach.
There are two primary methods of addressing these concerns. One is to attempt to assess the security of your suppliers and business partners; the other is to identify high risk interactions and implement compensating controls.
Assessing security posture
Determining how seriously a supplier takes their security can be difficult, but necessary. The first step is to determine the level of risk they present, which will help you determine how much effort should be invested in the task.
If they don’t have remote access to your network or process sensitive data, you may flag them as minimal risk. Conversely, those you entrust to access, manage or process data on your behalf require a higher degree of scrutiny.
There are many approaches to making an assessment, but one popular approach for large service providers, cloud operators and payment processors is to determine what types of certifications and audits they are subject to.
For example, a payment processor will be subject to compliance with PCI DSS. If they are subject to PCI DSS level 1 or 2, you should request their RoC (report on compliance) issued by their QSA/ISA. You should review these RoCs on a quarterly basis to assure they are meeting your expectations.
Another popular certification to confirm audits is SOC 2/2+/3 for your cloud service providers. SOC audits assess security controls and mitigations covering five Trust Service Principals: privacy, security, availability, processing integrity, and confidentiality.
Just as with your own security, no amount of audits is a guarantee of anything, but it helps inform purchasing decisions and whom you engage with. Other things you may want to consider or ask for include penetration test reports, and GDPR compliance, or frequency of previous flaws or data breaches.
These considerations should be integrated into your contract renewals process and RFI/RFQ documents. Larger organizations that have a vendor on–boarding process should integrate requirements into this process and review them periodically.
In addition to IT service providers, apply extra scrutiny to any outsourcing you do around human resources, legal, accounting, and tax preparation. Many of these organizations themselves outsource during peak season, and they could introduce more risk than you realize.
Applying a risk management approach
The most common way we see organizations fall victim to supply chain attacks is through the use of stolen, but authorized access. Service providers are all too often provided credentials with the same rights and privileges as internal employees.
That is to say they aren’t required to use multi-factor authentication, which allows for both stolen credentials through phishing attacks and unauthorized credential reuse by their staff. Because most organizations employ SSO (single sign-on), these credentials can be abused to access all sorts of systems that are unnecessary for the task at hand. This expands the risk of malicious insiders and outsiders alike.
Another mistake is providing unfettered remote VPN, RDP, or other remote access technology for third parties to manage solutions. By unfettered, we mean providing access to the entire network instead of segmenting and carefully hardening any necessary remote access tools.
All externally facing tools must require multi-factor authentication, and they should be limited to single hosts or systems. Where additional access is desired, the use of “jump hosts” is recommended to reduce risk and provide additional opportunity for monitoring and logging.
Another process that can end in tears is whitelisting all applications signed by a vendor’s software signing certificate. We have repeatedly seen certificates stolen and abused to sign malware. Security tools should inspect everything possible.
When conducting your own security assessments and penetration tests, work with your vendors to be sure they are included in your scope of testing. Sometimes things can independently check out, but flaws in how they interact can be discovered when viewed as a complete system.
Monitor all suppliers’ security bulletins to be able to quickly deploy patches and mitigations when vulnerabilities are discovered and keep an eye on the news headlines for your suppliers. When in crisis mode responding to an incident, you may not be very high on their list of organizations to notify. This can allow you to lockdown access and begin to investigate whether you are impacted by their situation.
Lastly, if you have cyber insurance, determine whether it covers third party losses and how to engage the policy, if necessary. Work with your vendors to ensure that your coverage overlaps with any appropriate coverage they may have.
Supply chain security is one of the most difficult areas of security to assess. Many organizations ignore it either because they didn’t know where to start or they believed they weren’t important enough to be targeted through the compromise of a trusted partner.
The threat landscape has evolved, and supply chain compromise is an issue for all organizations, large and small. We’re all targets in someone’s supply chain – and it’s never been more important to minimize third party supply chain risk.