Three steps to strengthen your supply chain
Third-party cyber risk is among the fastest-growing security risks today. Here's how to mitigate these threats.
As many organizations have become more reliant on third-party software partnerships, the supply chain has inadvertently become an integral part of how most businesses operate. Vendors provide critical components of an organization’s operation, including software and hardware. Therefore, potential security risks lurk in every relationship between an organization and its supplier base.
Supply chain attacks are an emerging threat that targets software developers and suppliers. The goal is to compromise source code, build processes or update mechanisms so that legitimate apps can be infected and used to distribute malware. According to a survey conducted in June 2020 by Opinion Matters for BlueVoyant, 80% of organizations had suffered a breach caused by one of their vendors. Despite the high risk of a breach through a supplier, 77% of respondents said they had limited visibility into those vendors.
Well-funded threat actors have realized that a direct attack on a security-conscious organization is rarely worth the effort, whereas a compromised supplier offers an easier point of entry: a foothold that the target's critical networks and systems already trust.
The growing threat to supply chain networks
The recent massive cyberattack which impacted U.S. government agencies and some of the world’s largest corporations allowed adversaries to obtain access to systems through a compromised third-party software update.
This incident is drawing global attention to the damage software supply chain attacks can cause and just how widespread the impact can be — regardless of an organization’s size, monetary value or security posture. Moreover, it highlights that in an increasingly tech-driven world, we need to pay close attention to the vendors and products we choose.
Hackers are deploying some of the most sophisticated cyberattacks ever seen. As the state of cybersecurity continues to evolve and data becomes more prolific, corporations are ever more reliant on technology and third-party software partnerships, making it increasingly important to weigh risk in how we select and adopt the technology we need.
Three steps to strengthening the supply chain
Listed below are three steps organizations can take to better prepare and manage the risk of their supply chain:
1. Monitor your supply chain system: Software is in a near-constant state of change in response to new components, updates to existing components, new patches and new security threats. As such, supply chains are dynamic entities that change and grow over time. Your organization needs a set of valid controls and a formally established, well-defined process for monitoring and auditing the operation of every element at every tier of your supply chain. Protecting critical client data, implementing a secure software development life cycle, using a defensive design for system architecture, and adding access and authentication controls at the weak points of your supply chain are all key to mitigating supply chain risk.
2. Harden software update delivery mechanisms: Software updates and patches are inevitable in any technological product, and a significant challenge is that every patch changes the system. Although patches are applied to address known problems, changes can introduce new vulnerabilities, while failing to update or patch promptly guarantees that an exploitable vulnerability will remain in the supply chain. The delivery path itself also needs protection: releases should be signed, and the receiving side should verify signatures and digests against pinned vendor keys and reject anything that does not match, so that a tampered update is never accepted as legitimate. Alongside this, manual and automated code review processes that categorize and analyze vulnerabilities in the operational deployment of software, and that detect attempts to subvert code for malicious purposes, are crucial countermeasures for maintaining the integrity of the supply chain.
3. Build a response plan for supply chain incidents: Supply chains are complex, and weaknesses and vulnerabilities are the inevitable consequence. A process that securely manages threat identification, analysis and remediation once a supply chain problem is discovered is therefore required. To make incident response effective, organizations need a planned and implemented process for receiving notice of supply chain incidents and subsequently managing them, including procedures for detecting, reporting and responding to security incidents so that continuity of operations is maintained.
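As an added example (not code from the original article, and not Relativity's own tooling), here is what the update-integrity gate implied by step 2 looks like in Go using only the standard library's Ed25519 and SHA-256. The vendor signs a canonical manifest of release digests; the customer, holding a pinned copy of the vendor's public key, refuses any update whose manifest fails to verify, whose files do not match the manifest, or which delivers files the manifest does not list. The manifest format, the artifact names and their contents are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Manifest describes one release: its artifacts and their SHA-256 digests.
type Manifest struct {
	Version string
	Digests map[string]string // artifact name -> hex-encoded SHA-256
}

// Encode renders the manifest canonically (sorted) so signer and verifier hash identical bytes.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m.Digests))
	for n := range m.Digests {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "version=%s\n", m.Version)
	for _, n := range names {
		fmt.Fprintf(&b, "%s=%s\n", n, m.Digests[n])
	}
	return []byte(b.String())
}

// DigestHex returns the hex SHA-256 of an artifact's bytes.
func DigestHex(data []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(data))
}

// SignManifest runs in the vendor's release pipeline with the release signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyUpdate is the customer-side gate before an update is installed: the manifest must
// verify under the pinned vendor key, every listed artifact must match, and nothing unlisted may arrive.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, artifacts map[string][]byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return fmt.Errorf("manifest signature invalid: refusing update")
	}
	for name, want := range m.Digests {
		data, ok := artifacts[name]
		if !ok {
			return fmt.Errorf("artifact %q listed in manifest but not delivered", name)
		}
		if got := DigestHex(data); got != want {
			return fmt.Errorf("artifact %q digest mismatch: manifest %s, received %s", name, want, got)
		}
	}
	for name := range artifacts {
		if _, ok := m.Digests[name]; !ok {
			return fmt.Errorf("artifact %q delivered but absent from signed manifest", name)
		}
	}
	return nil
}

// RunScenario checks three constructed deliveries: a genuine release, one with a swapped binary,
// and one where the attacker also rewrote the manifest but cannot re-sign it without the vendor key.
func RunScenario() (genuine, tampered, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pub is what customers pin
	if err != nil {
		panic(err)
	}
	release := map[string][]byte{ // constructed sample artifacts
		"agent.bin":  []byte("constructed sample: legitimate agent build 2.4.1"),
		"config.yml": []byte("constructed sample: telemetry: off\n"),
	}
	m := Manifest{Version: "2.4.1", Digests: map[string]string{}}
	for n, d := range release {
		m.Digests[n] = DigestHex(d)
	}
	sig := SignManifest(priv, m)
	genuine = VerifyUpdate(pub, m, sig, release)
	evil := map[string][]byte{ // binary swapped at a compromised mirror, manifest untouched
		"agent.bin":  []byte("constructed sample: backdoored build"),
		"config.yml": release["config.yml"],
	}
	tampered = VerifyUpdate(pub, m, sig, evil)
	fm := Manifest{Version: m.Version, Digests: map[string]string{}} // attacker's rewritten manifest
	for n, d := range evil {
		fm.Digests[n] = DigestHex(d)
	}
	forged = VerifyUpdate(pub, fm, sig, evil)
	return genuine, tampered, forged
}

func main() {
	g, t, f := RunScenario()
	fmt.Printf("genuine: %v\ntampered: %v\nforged: %v\n", g, t, f)
}
```

The third scenario is the reason a signed manifest is needed rather than a list of hashes hosted next to the download: an attacker who can replace the binary can usually replace an unsigned hash file too. The caveat a practitioner should keep in mind is that this gate only proves the update is the one the vendor signed; a compromised build pipeline that produces a correctly signed malicious release passes it, which is why the monitoring and review controls of steps 1 and 2 are needed on the vendor side as well.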
Adversaries have more resources at their disposal than ever before, and with increased public awareness and oversight, the risks associated with a supply chain attack have never been higher. An organization’s security posture is really only as strong as its weakest link — and the weak link in your enterprise security might lie with partners and suppliers.
Ensure your organization has an array of defense-in-depth controls, significant investment in security across a multitude of domains and continual software and process improvements to best prevent, detect and respond to supply chain attacks. Prevention is better than cure — do the work now to avoid a crisis later.
Amanda Fennell is chief security officer at Relativity. In her role, Amanda is responsible for championing and directing security strategy in risk management and compliance practices. Yvan Foonde is manager of cyber incident response at Relativity. In his role, Yvan is responsible for leading the incident response and digital forensics capabilities.