

Risk Management

Don’t Forget to Manage Supply Chain Risk

Performing a Vendor Risk Management Process as Part of Normal Business Operations is an Important Step in Securing the Supply Chain

Adobe recently warned customers that attackers had illegally accessed source code for several of its products. This is only one of many examples in which attackers mount targeted attacks against an organization's supply chain. As companies have improved their defenses against direct network attacks, attackers have shifted their focus to the weakest link, exploiting the supply chain to gain "backdoor" access to IT systems. As a result, enterprises need to monitor and manage IT security risks downstream in the supply chain.

One of the most damaging and memorable supply chain attacks to date remains the RSA SecurID breach. Using data stolen about the company's SecurID authentication system, attackers went after RSA customers, including Lockheed Martin, that rely on SecurID tokens to protect their most sensitive data and networks. In another example, 300,000 Verizon customer records were posted on the Internet. A forensic investigation later revealed that none of Verizon's own systems had been breached; the data had been stolen from a third-party marketing firm that was part of the company's supply chain.

Preventing supplier vulnerabilities from placing your organization at risk is difficult. It requires assessing the risks of sharing information with suppliers, the threats posed by unsanctioned services and technologies used in daily business operations (e.g., social media platforms and productivity tools such as Evernote), and application vulnerabilities in supplier-provided technology.

When it comes to sharing information with suppliers and the management of associated risks, a recently released report by the Information Security Forum (ISF), an international association that focuses on cyber security issues and information risk management, notes that while “sharing information with suppliers is essential for the supply chain to function, it also creates risks.” Furthermore, the report reveals that “of all the supply chain risks, information [sharing] risk is the least well managed.” In fact, when it comes to assessing information sharing risk, most organizations focus only on a small subset of their suppliers, typically based on contract size.

This practice is clearly outdated, considering that cyber criminals are using the supply chain to reach data held by large, well-protected global organizations they could not otherwise compromise. In response, organizations need to extend their practice of conducting regular risk assessments to all of their suppliers and, where possible, even to their suppliers' suppliers. Performing vendor risk assessments has become a very popular practice over the past 12 months. While gathering data about a supplier's business and information security practices provides some peace of mind, it does not guarantee a higher level of security: questionnaire answers are self-reported, and a vendor may stretch the truth a bit.

Nonetheless, performing a standardized vendor risk management process as part of normal business operations is an important step in securing the supply chain. Unfortunately, once all suppliers are included in manual, questionnaire-based risk assessments, organizations quickly run into limits of operational efficiency and scalability. To avoid having to hire legions of contractors or full-time staff, organizations are turning to software to automate the data gathering process and the calculation of risk scores. Specifically, Vendor Risk Management tools are being used by more and more organizations to address the information sharing component of overall supply chain risk.

This leads us to the next attack vector in the supply chain: vulnerabilities in authorized and unauthorized technology deployments.

Vulnerability management has long been a required preventive measure. However, trends such as the consumerization of technology, "bring your own device" (BYOD), and emerging regulatory mandates that prescribe more frequent testing are pushing vulnerability assessment processes to their breaking point. In today's fast moving threat environment, vulnerability management deployed as a stand-alone discipline that does not apply risk-based metrics for ranking and prioritizing remediation efforts may well be the Achilles' heel of cyber security.

The biggest inhibitor of effective vulnerability assessment is that the number of vulnerabilities organizations must track has grown sharply over the past few years. This is largely because the number of IT assets under management keeps growing, and the resulting volume of scanner findings is a data-management problem in its own right.

Many organizations already have the data required to implement a more streamlined vulnerability management process. However, sifting through all the data sets, normalizing and de-duplicating the findings, filtering out known false positives, aggregating what remains, and finally deriving business impact-driven remediation actions is a slow and labor-intensive process when done by hand.

The emergence of Integrated Risk Management systems is taking vulnerability management to the next level. They combine risk intelligence, built from data gathered and correlated across security operations tools, with automated remediation that establishes bi-directional workflows with IT operations. These systems drive operational efficiencies by automating continuous monitoring and ticketing so that only business-critical risks are pushed to remediation. Using this automated approach, organizations can free up IT and security personnel to focus on critical tasks and turn their security technicians into risk strategists.
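The pipeline the last three paragraphs describe (normalize findings from several scanners, de-duplicate them, drop triaged false positives, weight by business impact, and ticket only what clears a threshold) is small enough to show end to end. The following is an added example written for this page; it is not code from any product or from the author. The two scanner record formats, the asset inventory, the CVE-0000-* placeholder identifiers, the suppression list, the exploit-intelligence set and the weighting scheme are all constructed assumptions, not real scanner output or a standard scoring model.

```python
"""Added example: normalize, de-duplicate, suppress and rank scanner findings.

Illustrative code for this page only. Field names, sample data and the
weighting below are assumptions; real scanners and real CVSS data differ.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data: two fictional scanners report overlapping findings
# for the same hosts, but with different field names, casing and types.
SCANNER_A = [
    {"host": "web-01.corp.example",   "cve": "CVE-0000-0001", "cvss": "9.8"},
    {"host": "web-01.corp.example",   "cve": "CVE-0000-0002", "cvss": "5.3"},
    {"host": "hr-db-01.corp.example", "cve": "CVE-0000-0003", "cvss": "7.5"},
]
SCANNER_B = [
    {"hostname": "WEB-01.CORP.EXAMPLE",   "cve_id": "cve-0000-0001", "score": 9.8},
    {"hostname": "HR-DB-01.CORP.EXAMPLE", "cve_id": "cve-0000-0003", "score": 7.5},
    {"hostname": "KIOSK-07.CORP.EXAMPLE", "cve_id": "cve-0000-0004", "score": 9.1},
]

# Constructed asset inventory: business criticality (1..5) and exposure.
# This is the "business impact" input that plain CVSS lacks.
ASSETS = {
    "web-01.corp.example":   {"criticality": 4, "internet_facing": True},
    "hr-db-01.corp.example": {"criticality": 5, "internet_facing": False},
    "kiosk-07.corp.example": {"criticality": 1, "internet_facing": False},
}

# Constructed suppression list: findings already triaged as false positives
# (e.g. a backported patch the scanner's version check does not recognise).
FALSE_POSITIVES = {("web-01.corp.example", "CVE-0000-0002")}

# Constructed exploit intelligence: CVEs with exploitation seen in the wild.
KNOWN_EXPLOITED = {"CVE-0000-0001"}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    sources: Tuple[str, ...]


def normalize(raw_a: List[dict], raw_b: List[dict]) -> List[Finding]:
    """Map both scanners' records onto one schema: lower-case host, upper-case CVE, float CVSS."""
    out = []
    for r in raw_a:
        out.append(Finding(r["host"].lower(), r["cve"].upper(), float(r["cvss"]), ("scanner_a",)))
    for r in raw_b:
        out.append(Finding(r["hostname"].lower(), r["cve_id"].upper(), float(r["score"]), ("scanner_b",)))
    return out


def deduplicate(findings: List[Finding]) -> List[Finding]:
    """Merge findings with the same (asset, CVE): keep the highest CVSS and every source."""
    merged: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.asset, f.cve)
        if key in merged:
            m = merged[key]
            merged[key] = Finding(f.asset, f.cve, max(m.cvss, f.cvss),
                                  tuple(sorted(set(m.sources + f.sources))))
        else:
            merged[key] = f
    return list(merged.values())


def suppress(findings: List[Finding], false_positives) -> List[Finding]:
    """Drop findings that were previously triaged as false positives."""
    return [f for f in findings if (f.asset, f.cve) not in false_positives]


def risk_score(f: Finding, assets, known_exploited) -> float:
    """Business-impact-weighted score (assumed weighting, not a standard model).

    CVSS x asset criticality, x1.5 if internet facing, x2 if exploitation is known.
    An asset missing from the inventory defaults to criticality 3, not exposed.
    """
    a = assets.get(f.asset, {"criticality": 3, "internet_facing": False})
    score = f.cvss * a["criticality"]
    if a["internet_facing"]:
        score *= 1.5
    if f.cve in known_exploited:
        score *= 2.0
    return round(score, 1)


def prioritize(raw_a, raw_b, assets, false_positives, known_exploited):
    """Full pipeline; returns (asset, cve, risk, sources) tuples, highest risk first."""
    findings = suppress(deduplicate(normalize(raw_a, raw_b)), false_positives)
    scored = [(f.asset, f.cve, risk_score(f, assets, known_exploited), f.sources) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def tickets(prioritized, threshold: float) -> List[dict]:
    """Only findings at or above the threshold become remediation tickets for IT ops."""
    return [{"asset": a, "cve": c, "risk": r, "evidence": s}
            for a, c, r, s in prioritized if r >= threshold]


if __name__ == "__main__":
    ranked = prioritize(SCANNER_A, SCANNER_B, ASSETS, FALSE_POSITIVES, KNOWN_EXPLOITED)
    for row in ranked:
        print(row)
    print(tickets(ranked, threshold=30.0))
```

With the constructed data, the two 9.8 findings for web-01 collapse into one record with both scanners as evidence, the suppressed CVE-0000-0002 never reaches the ranking, and the internet-facing, actively exploited web-01 finding outranks the higher-criticality but internal database host; the 9.1 finding on the kiosk scores lowest and never becomes a ticket. The point of the weighting is that a 9.8 and a 9.1 CVSS are not the same remediation priority once asset criticality, exposure and exploit intelligence are folded in.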

Given the increased risk posed by vulnerabilities in third-party technology, organizations are also starting to turn the tables on their suppliers. Instead of relying on their own security operations teams to assess potential vulnerabilities, some companies are requiring suppliers to have their software applications tested by independent verification services prior to procurement and deployment.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
