By Chester Wisniewski, principal threat researcher at Sophos
Supply chain cybersecurity attacks have been in the news lately, and it has become an ever more pressing concern for many businesses.
Understanding that supply chain security is a complex problem to approach, the Cyber Security Agency of Singapore has developed a new national effort called the critical information infrastructure (CII) Supply Chain Programme. This programme aims to better manage vendors’ cyber-security risks, in the wake of recent global hacking attacks through third-party suppliers.
We’re all targets
As we’ve seen in the SolarWinds hack, businesses need to think beyond internal security. It forces businesses to be security aware and security literate regardless of whether they are actually selling cybersecurity products. The truth is, we’re all links in someone’s supply chain, and that makes us susceptible to cyberthreats if we’re not protected.
It’s easy to imagine how one might be a backdoor into a military contractor if they supply them with services or tools, but would you consider your local nail salon to be a supply chain risk? Well, you should. In fact, an attack against a large company began by compromising a local salon and using their billing system to send malicious PDFs to executives at the company who used their services.
Supply chain security is one of the most difficult areas of security to assess. Many organizations ignore it either because they didn’t know where to start or they believed they weren’t important enough to be targeted through the compromise of a trusted partner. However, we need to start somewhere.
There are two primary methods of addressing these concerns. One is to attempt to assess the security of your suppliers and business partners; the other is to identify high risk interactions and implement compensating controls.
Assessing security posture
Determining how seriously a supplier takes their security can be difficult, but necessary. The first step is to determine the level of risk they present, which will help you determine how much effort should be invested in the task.
If they don’t have remote access to your network or process sensitive data, you may flag them as minimal risk. Conversely, those you entrust to access, manage or process data on your behalf require a higher degree of scrutiny.
There are many approaches to making an assessment, but one popular approach for large service providers, cloud operators and payment processors is to determine what types of certifications and audits they are subject to.
For example, a payment processor will be subject to compliance with PCI DSS. If they are subject to PCI DSS level 1 or 2, you should request their RoC (report on compliance) issued by their QSA/ISA. You should review these RoCs on a quarterly basis to assure they are meeting your expectations.
Another popular certification to confirm audits is SOC 2/2+/3 for your cloud service providers. SOC audits assess security controls and mitigations covering five Trust Service Principals: privacy, security, availability, processing integrity, and confidentiality.
Just as with your own security, no amount of audits is a guarantee of anything, but it helps inform purchasing decisions and whom you engage with. Other things you may want to consider or ask for include penetration test reports, and GDPR compliance, or frequency of previous flaws or data breaches.
These considerations should be integrated into your contract renewals process and RFI/RFQ documents. Larger organisations that have a vendor on–boarding process should integrate requirements into this process and review them periodically.
In addition to IT service providers, apply extra scrutiny to any outsourcing you do around human resources, legal, accounting, and tax preparation. Many of these organisations themselves outsource during peak season, and they could introduce more risk than you realize.
Applying a risk management approach
The most common way we see organisations fall victim to supply chain attacks is through the use of stolen, but authorised access. Service providers are all too often provided credentials with the same rights and privileges as internal employees.
That is to say they aren’t required to use multi-factor authentication, which allows for both stolen credentials through phishing attacks and unauthorised credential reuse by their staff. Because most organisations employ SSO (single sign-on), these credentials can be abused to access all sorts of systems that are unnecessary for the task at hand. This expands the risk of malicious insiders and outsiders alike.
Another mistake is providing unfettered remote VPN, RDP, or other remote access technology for third parties to manage solutions. By unfettered, we mean providing access to the entire network instead of segmenting and carefully hardening any necessary remote access tools.
All externally facing tools must require multi-factor authentication, and they should be limited to single hosts or systems. Where additional access is desired, the use of “jump hosts” is recommended to reduce risk and provide additional opportunity for monitoring and logging.
Another process that can end in tears is whitelisting all applications signed by a vendor’s software signing certificate. We have repeatedly seen certificates stolen and abused to sign malware. Security tools should inspect everything possible.
When conducting your own security assessments and penetration tests, work with your vendors to be sure they are included in your scope of testing. Sometimes things can independently check out, but flaws in how they interact can be discovered when viewed as a complete system.
Monitor all suppliers’ security bulletins to be able to quickly deploy patches and mitigations when vulnerabilities are discovered and keep an eye on the news headlines for your suppliers. When in crisis mode responding to an incident, you may not be very high on their list of organisations to notify. This can allow you to lockdown access and begin to investigate whether you are impacted by their situation.
Lastly, if you have cyber insurance, determine whether it covers third party losses and how to engage the policy, if necessary. Work with your vendors to ensure that your coverage overlaps with any appropriate coverage they may have.
The threat landscape has evolved, and supply chain compromise is an issue for all organizations, large and small. We’re all targets in someone’s supply chain – and it’s never been more important to minimize third party supply chain risk.