Right now supply-chain vendors are a prime target for cybercriminals. One expert offers ways to remove the bullseye from supply vendors.
There aren’t many sure things in life, and, sadly, one of them is how criminals—cyber or otherwise—always leverage the victim’s weakest link to ensure their success. TechRepublic’s Tom Merritt, in his article, video and podcast, Top 5 things to know about supply chain attacks, looked at one important weak link making headlines, supply chains.
Merritt said, “Even though you’re not in charge of the vulnerability in this case, you have options. Make sure your vendors (suppliers) meet tough security standards and agree to third-party testing.”
Kevin Reed, CISO at Acronis, could not agree more. In his Help Net Security article, How can a business ensure the security of their supply chain?, Reed focused specifically on Merritt’s concern about making sure supply-chain vendors are putting forth the effort to meet security standards.
Reed offered the following advice: Assess the potential fallout from a compromised supplier. Before a decision to use a supplier is made, Reed suggests a full risk assessment if resources are available. The minimum should, at least, include building a worst-case scenario by asking the following questions:
- How would the business be affected if the supplier’s programs were compromised?
- How would the business be impacted if the supplier’s databases were compromised, with data being stolen or frozen by ransomware?
- How would the business be impacted if cyberattackers gained access to the business’ internal network?
Meet the supplier’s security manager or CISO: Obtaining contact information for the supplier’s key cybersecurity personnel (managers and CISOs) is an obvious first step. “It is important to identify the supplier’s security leadership because that is who can answer your questions,” Reed said. “If a cybersecurity team is non-existent or poorly staffed with no real leadership, you may want to reconsider engaging with this supplier.”
Evaluate the supplier’s IT resources: The people responsible for cybersecurity should be willing to explain how the company’s digital systems and data are protected. “Request evidence to verify what the supplier is claiming,” Reed said. “Penetration test reports are a useful way to do this. Be sure the scope of the test is appropriate and, whenever possible, request a report on two consecutive tests to verify that the supplier is acting on its findings.”
“If the supplier is a software provider, ask for an independent source code review,” he said. “In some cases, the supplier may require a non-disclosure agreement to share the full report or may choose not to share it. When this happens, ask for an executive summary.”
“If the supplier is a cloud provider, you can perform a Shodan search or ask the supplier for a report of their scans,” Reed said. It is also possible to perform the scan independently of the supplier. If that is an option, Reed suggested obtaining permission from the supplier first and asking them to exclude customer addresses from scope, as those are not relevant.
Ask suppliers how they prioritize risk: If the company performs risk assessments, its suppliers should as well. A common way to do this is using the Common Vulnerability Scoring System: “A free and open industry standard for assessing the severity of computer system security vulnerabilities by assigning severity scores to vulnerabilities, which in turn allows responders to prioritize responses and resources according to the threat.”
Reed also suggested looking at the supplier’s logs on updating and patching systems. “The fact they have a report demonstrates their commitment to security and managing vulnerabilities,” Reed said. “If possible, try to get a report that is produced by an independent entity.”
Repeat the verification process annually: Consistent verification is essential if the supplier provides mission-critical materials or services for the company being supplied.
What’s to be gained?
By following the above-recommended practices, Reed believes companies will gain the following:
- The ability to identify the risks associated with a particular supplier
- An understanding of how the supplier manages those risks
- Evidence regarding how the supplier is mitigating those risks
“Based on this evidence and the risk appetite, a business can make an informed decision to work with this supplier,” Reed said. “Lastly, as you perform these assessments, aim for consistency and look for risk that changes over time.”
More things to know
Reed is well aware there are no guarantees, especially when dealing with supply chains. Besides following the above practices, Reed emphasizes the necessity to protect the company’s digital environment with adequate anti-malware and to conduct ongoing cybersecurity training with company employees.