[BreachExchange] 3 Steps to Reduce Risk in Your Supply Chain

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 27 15:30:33 EDT 2017


https://www.darkreading.com/vulnerabilities---threats/3-steps-to-reduce-risk-in-your-supply-chain/a/d-id/1330226

In June, the compromise of an update server for MeDoc, a Ukrainian accounting
software platform, led to the widespread distribution of NotPetya
ransomware. A dozen known corporate victims have already suffered damages
exceeding $500 million.

Around the same time, attackers had infiltrated the network of Piriform,
the maker of the popular system-maintenance program CCleaner, infecting two
versions of the program that were distributed to more than 2.3 million
systems over the month that the attack remained undetected. Files recovered
from the command-and-control server showed that the malware infected some
700,000 systems in the final four-day window of the program's spread. (The
attackers appear to have regularly deleted all logs, hiding whatever
actions they took the other 26 unmonitored days.) The attackers also
attempted to specifically target at least 20 companies with additional
malware, including major networking hardware and office-electronics
providers, such as Cisco, D-Link, Epson, HTC Group, Intel, Linksys,
Samsung, Sony, and VMware.
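Both incidents above were delivered through the vendor's own update channel, so a client that installs whatever the update server serves has no defence once that server is compromised. The following is an added illustration of two cheap client-side checks, not code from the article or from any vendor named in it: refuse a release whose SHA-256 does not match a digest pinned from a source other than the update server (signed release notes, a second mirror, or a digest recorded when the release was last vetted), and refuse anything that would roll the installed version back. The release names, versions, digests and file contents are constructed for the example; the caveat is that a digest fetched from the same compromised channel that served the update proves nothing, which is why the pin must come from elsewhere.

```python
"""Update-integrity check: added example, not code from the article or any
vendor it names. Release names, versions, digests and bytes are constructed."""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-in for the bytes of a legitimate release.
GOOD_RELEASE_BYTES = b"constructed contents of the legitimate 5.33 build"

# Constructed manifest: release archive -> (version, expected SHA-256 hex).
# In practice this is populated from a channel independent of the update
# server, never from the server that serves the update itself.
PINNED: Dict[str, Tuple[str, str]] = {
    "maintenance-tool-5.33.zip": ("5.33", hashlib.sha256(GOOD_RELEASE_BYTES).hexdigest()),
    "maintenance-tool-5.32.zip": ("5.32", hashlib.sha256(b"constructed 5.32 build").hexdigest()),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '5.33.6162' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def check_update(installed_version: str, offered_name: str, offered_bytes: bytes,
                 pinned: Dict[str, Tuple[str, str]] = PINNED) -> str:
    """Decide whether an offered update may be installed.

    Returns one of:
      'ok'              digest matches the pin and the version moves forward
      'unknown_release' no pinned digest exists for this release name
      'digest_mismatch' bytes differ from the pinned digest (tampered or wrong file)
      'rollback'        release is not newer than what is already installed
    Anything other than 'ok' must block installation.
    """
    pin = pinned.get(offered_name)
    if pin is None:
        # An unlisted release is rejected, not trusted by default.
        return "unknown_release"
    pinned_version, expected_digest = pin
    actual_digest = hashlib.sha256(offered_bytes).hexdigest()
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(expected_digest, actual_digest):
        return "digest_mismatch"
    # A compromised server can also serve an old, vulnerable but genuine build.
    if parse_version(pinned_version) <= parse_version(installed_version):
        return "rollback"
    return "ok"


if __name__ == "__main__":
    # Constructed scenarios: good update, tampered copy under the same name,
    # unlisted release, and a downgrade.
    tampered = GOOD_RELEASE_BYTES + b"\x00constructed appended payload"
    print(check_update("5.32", "maintenance-tool-5.33.zip", GOOD_RELEASE_BYTES))
    print(check_update("5.32", "maintenance-tool-5.33.zip", tampered))
    print(check_update("5.32", "maintenance-tool-5.34.zip", b"no pin for this one"))
    print(check_update("5.33", "maintenance-tool-5.32.zip", b"constructed 5.32 build"))
```

The check is deliberately strict: an unknown release name is treated as a failure rather than a file to hash and hope for, and a same-version reinstall is refused along with downgrades, since an update server that can serve an arbitrary build can serve an old genuine one. None of this replaces vetting the vendor itself (the three steps below); it only limits what a compromised update server can push onto a client.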

If companies were not watching their software supply chain before the
summer, these two events should push them to do so now. Although many
companies have focused on shoring up their own security, they have very
limited visibility — if any — into their vendors' security posture. Many
companies can have hundreds or even thousands of vendors. In many cases,
information security teams do not know who those vendors are. Here are
three steps that every company should take to lock down their supply chains.

1. Know your business and software vendors. Ever since 9/11, banks have
been required to "know their customers." Today, companies should take that
advice to heart as well. Over the past several years, more attention has
been directed to the vendors with which a company conducts business. These
recent attacks have shown that this also applies to all direct and indirect
dependencies across their entire operations. While accounting or another part
of the organization likely has knowledge of these vendors, security teams
might not be appropriately informed.

2. Measure security and determine metrics. As early as possible, security
teams need to determine how they are going to measure security. However,
there generally is a lack of metrics to determine a company's security
posture. In the past, most companies have relied on a vendor's management
certifying that they are following a list of best practices.

A variety of metrics and best practice documents are available today, from
the Building Security in Maturity Model and its open-source cousin the Open
Group Service Integration Maturity Model to the National Institute of
Standards and Technology Cyber Security Framework. In addition, the ability
to gauge security from external indicators has led to a rapidly evolving
rating ecosystem.

While the security team is adopting a process to measure the security of
vendors, it should also consider what its own requirements will be. These
requirements will vary, depending on the level of access that the vendors —
or their products — will have to the company's network.

3. Be proactive with vendors. Finally, companies need to be proactive and
bring up the topic of security with vendors regularly. Many companies make
sure that they have different policies and technologies in place, but
unless they regularly address those issues with their vendors to ensure
they are complying, it is more likely that issues will arise.

Larger companies have the benefit of having deeper security expertise, with
which they can monitor their vendors. But increasingly, security
requirements will flow downstream, and unless smaller contractors can meet
requirements, they may lose business.

As attackers focus on vendors as a way to gain entry into their customers'
systems, the security of the supply chain will become even more important.
Companies need to address these issues today, before the next attack.