Security Experts: Don't Forget to Manage Supply Chain Risk

Performing a Vendor Risk Management Process as Part of Normal Business Operations is an Important Step in Securing the Supply Chain

Adobe recently warned customers that attackers had illegally accessed source code for several of its products. This is only one of many examples of hackers mounting targeted attacks against an organization's supply chain. As companies improved their defenses against direct network attacks, hackers shifted their focus to the weakest link, exploiting the supply chain to gain "backdoor" access to IT systems. As a result, enterprises need to monitor and manage IT security risk downstream in the supply chain.

One of the most damaging and memorable supply chain attacks to date remains the RSA SecurID token breach. Using stolen data about the company's SecurID authentication system, criminals were able to compromise RSA customers, including Lockheed Martin, that rely on SecurID tokens to protect their most sensitive data and networks. In another example, 300,000 Verizon customer records were posted on the Internet. A forensic investigation later revealed that none of Verizon's systems had been breached; the data had been stolen from a third-party marketing firm that was part of the company's supply chain.

Preventing supplier vulnerabilities from placing your organization at risk is difficult. It encompasses performing risk assessments associated with information sharing, threats related to unsanctioned services and technologies used in daily business operations (e.g., social media platforms and productivity tools such as Evernote), and application vulnerabilities.

When it comes to sharing information with suppliers and the management of associated risks, a recently released report by the Information Security Forum (ISF), an international association that focuses on cyber security issues and information risk management, notes that while “sharing information with suppliers is essential for the supply chain to function, it also creates risks.” Furthermore, the report reveals that “of all the supply chain risks, information [sharing] risk is the least well managed." In fact, when it comes to assessing information sharing risk, most organizations focus only on a small subset of their suppliers, typically based on contract size.

This practice is clearly outdated, considering that cyber criminals are using the supply chain to access data from large, well-protected global organizations they would not otherwise be able to compromise. In response, organizations need to extend their practice of conducting regular risk assessments to include all of their suppliers and, if possible, even their suppliers' suppliers. Performing vendor risk assessments has become a very popular practice over the past 12 months. While gathering data about a supplier's business and information security practices provides some peace of mind, it does not guarantee a higher level of security, especially if a vendor stretches the truth a bit.

Nonetheless, performing a standardized vendor risk management process as part of normal business operations is an important step in securing the supply chain. Unfortunately, by including all suppliers in manual, questionnaire-based risk assessments, organizations quickly run into limits on operational efficiency and scalability. To avoid having to hire legions of contractors or full-time staff, organizations are turning to software to automate data gathering and the calculation of risk scores. Specifically, Vendor Risk Management tools are being used by more and more organizations to address the information sharing component of overall supply chain risk.

This leads us to the next attack vector in the supply chain: vulnerabilities of authorized or unauthorized technology deployments.

Vulnerability management has long been a required preventive measure. However, trends such as the consumerization of technology, "bring your own device" (BYOD), and emerging regulatory mandates that prescribe more frequent testing are pushing vulnerability assessment processes to their breaking point. In today's fast-moving threat environment, vulnerability management deployed as a stand-alone discipline that does not apply risk-based metrics for ranking and prioritizing remediation efforts may well be the Achilles' heel of cyber security.

The biggest inhibitor of effective vulnerability assessment is that the number of vulnerabilities in organizations has grown exponentially over the past few years, largely because of the increasing number of IT assets under management, which creates a big-data challenge.

Many organizations have the data required to implement a more streamlined vulnerability management process. However, sifting through all the data sets, normalizing and de-duplicating the information, filtering out false positives, aggregating it, and finally deriving business impact-driven remediation actions is a slow and labor-intensive process.
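The pipeline just described (normalize, de-duplicate, drop verified false positives, aggregate, then rank by business impact so that only business-critical risks get remediation tickets), as an added Python example that is not from the article; the scanner names, hostnames, CVE ids, scores and criticality values are constructed placeholders:

```python
# Constructed sample findings from two hypothetical scanners ("scanA", "scanB").
# Hostnames, CVE ids and scores are placeholders, not real data.
RAW_FINDINGS = [
    {"scanner": "scanA", "host": "WEB01.corp.example", "cve": "cve-0000-0001", "cvss": 9.8},
    {"scanner": "scanB", "host": "web01.corp.example", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"scanner": "scanA", "host": "db01.corp.example", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"scanner": "scanB", "host": "dev03.corp.example", "cve": "CVE-0000-0003", "cvss": 9.0},
    {"scanner": "scanA", "host": "db01.corp.example", "cve": "CVE-0000-0004", "cvss": 6.5},
]
# Business criticality of each asset (0..1), as an asset inventory would supply it (constructed).
ASSET_CRITICALITY = {"web01.corp.example": 1.0, "db01.corp.example": 0.9, "dev03.corp.example": 0.2}
# (host, cve) pairs an analyst has already verified as false positives (constructed).
FALSE_POSITIVES = {("db01.corp.example", "CVE-0000-0004")}

def normalize(finding):
    """Canonicalize host and CVE id so the same issue from different scanners compares equal."""
    return {**finding, "host": finding["host"].lower(), "cve": finding["cve"].upper()}

def aggregate(findings):
    """De-duplicate by (host, cve); keep the highest CVSS and remember which scanners reported it."""
    merged = {}
    for f in map(normalize, findings):
        key = (f["host"], f["cve"])
        entry = merged.setdefault(key, {"host": f["host"], "cve": f["cve"], "cvss": 0.0, "sources": set()})
        entry["cvss"] = max(entry["cvss"], f["cvss"])
        entry["sources"].add(f["scanner"])
    return list(merged.values())

def risk_score(entry, criticality):
    """Business-impact-weighted risk: CVSS scaled to 0..1 times asset criticality.
    Assets missing from the inventory are treated as fully critical rather than ignored."""
    return round(entry["cvss"] / 10.0 * criticality.get(entry["host"], 1.0), 3)

def remediation_queue(findings, criticality, false_positives, threshold=0.5):
    """Return the findings worth a ticket, highest risk first, with false positives dropped."""
    queue = []
    for entry in aggregate(findings):
        if (entry["host"], entry["cve"]) in false_positives:
            continue
        score = risk_score(entry, criticality)
        if score >= threshold:
            queue.append({**entry, "risk": score})
    return sorted(queue, key=lambda e: e["risk"], reverse=True)

if __name__ == "__main__":
    for item in remediation_queue(RAW_FINDINGS, ASSET_CRITICALITY, FALSE_POSITIVES):
        print(f"{item['risk']:.2f} {item['host']} {item['cve']} reported by {sorted(item['sources'])}")
```

With the constructed data, the CVSS 9.0 finding on the low-criticality development host falls below the ticketing threshold while the 7.5 finding on the database host stays in the queue, which is the risk-based ordering a stand-alone scanner severity list would not give.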

The emergence of Integrated Risk Management systems is taking vulnerability management to the next level. They combine risk intelligence, using big data that is gathered and correlated from security operations tools, with automated remediation that establishes bi-directional workflows with IT operations. These systems drive operational efficiencies by automating continuous monitoring and ticketing to remediate only business-critical risks. Using this automated approach, organizations can free up IT and security personnel to focus on critical tasks and turn their security technicians into risk strategists.

Based on the increased risk posed by vulnerabilities in third-party technology, organizations are also starting to turn the tables on their suppliers. Instead of using their own security operations teams to assess potential vulnerabilities, some companies are requiring suppliers to use independent verification services to test software applications prior to procurement and deployment.

Torsten George is currently a security evangelist at Centrify. He also serves as a strategic advisory board member at vulnerability risk management software vendor NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive-level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).