[BreachExchange] Why Supply Chain Security Should be a Strong Link

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 24 20:03:48 EDT 2018


The recent NCSC report underlines an all-too-common refrain for UK PLC –
the cyber-threat to businesses is growing. The security sector may have
grown a thick skin to such warnings; however, hearing it from a Government
body with access to a unique picture of the threat landscape means
companies should take heed.

Specific warnings about the growing threat from ransomware and DDoS are an
ongoing, anxiety-inducing thought for security teams. WannaCry quickly
shifted ransomware from the realm of small-scale laptop clean-up to a
board-level concern, and DDoS is an omnipresent danger.

A third emerging problem that the NCSC saw fit to highlight is that of
supply chain threats. Reading between the lines, this is a warning that the
UK should expect not only a higher volume of attacks, but also attacks with
an increased amount of planning behind them.

It takes far less time to rent a botnet or buy a piece of off-the-shelf
ransomware than it does to find, analyze and compromise a third party. You
only have to look at the ‘low and slow’ approach adopted by the recent
CCleaner compromise for proof. Moving laterally at night, it hid for months
inside a development system before finally striking. These are not the
hallmarks of a script kiddie.

Whilst CISOs and security teams are more at home with the tangible threat
to their immediate perimeter, the vulnerability introduced by trusted third
parties sometimes comes as an afterthought. Security teams need to get
better at looking outside their own organization when assessing risk.
Attackers have realized this, switching their attacks away from a perimeter
guarded by shiny new countermeasures to focus on the outdated laptop used
by your HR consultant.

The increased outsourcing of non-core company functions has created fertile
ground for the growth of this threat. Nowhere is this trend more evident
than with technology outsourcing. The raft of sensitive enterprise data
tasks now handled by MSPs with privileged access to critical systems is a
particular area for concern. All it takes is a single backdoor, an insecure
remote connection or even a rogue employee and your data can quietly walk
out the door.

Given this, what can companies do to sharpen up their approach? The
management of a disparate set of suppliers is a problem that takes more
than just technology to resolve. It should be a procedural and cultural
shift in the way any large business does business with the outside world.

Firstly, assess risk. You will already understand what your critical assets
are, so map which of them have exposure to such attacks and prioritize
these. Anywhere that suppliers have a gateway into sensitive data, or into
control systems if you are overseeing an infrastructure asset, needs to be
considered. Think like an attacker; be creative.

Once this is captured, a small, focused group could be appointed with a
broad range of skills that extend beyond the purely technical, for example
including representatives from legal and procurement. Working with this
team, assess current suppliers, reviewing the security posture of each and
where they have access to networks or data.

Again, be creative. Whilst technical teams will often have a tight grasp of
how their data is secured, this exercise may throw up some eyebrow-raising
moments in how other business functions share company information.

Only after this phase will you have a full view of current exposure. Work
closely with suppliers to communicate a set of standards which need to be
applied to secure interactions. It is important that this is not done in a
dictatorial way, as the smaller businesses that make up your supplier base
may see this as time-consuming and difficult, so helping them understand
the shared risk is important. For this reason, these rules should be
flexible according to the resources available on the supplier side.

Finally, bake this process into all future supplier onboarding. Whilst the
up-front work to assess risk is intensive, building standards into future
contracts means it becomes part of the way you do business. This will
minimize exposure from the very start of all engagements.

However, it is important not to become complacent. The standards created
should be agile enough to respond to emerging attacks and the fluid nature
of technology brought into your organization. All security policies date.
In addition, security teams should also ensure threat monitoring technology
is augmented to watch for supply chain risk, monitoring network traffic for
data exfiltration and automating management of shadow IT and software.
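The monitoring point above is easy to state and harder to make concrete. The following is an added example, not code from the original article or from the NCSC report, showing one way a security team might watch supplier remote-access accounts for the two signals the article mentions: transfers to external destinations outside business hours (the "at night" pattern the CCleaner intrusion relied on) and daily outbound volume far above an account's normal baseline. The flow-log format, the account names, the baseline figures, the "10." internal-network prefix and the thresholds are all constructed assumptions for illustration; a real deployment would read these from the organisation's own flow or proxy logs and a measured baseline.

```python
"""Flag suspicious outbound transfers over third-party (supplier) accounts.

Added example for illustration; not from the original article. The log
format, account names, baselines and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: timestamp, supplier account, destination
# host, bytes sent outbound. Two accounts: a managed-service backup account
# and an HR consultant's laptop.
SAMPLE_FLOWS = """\
2018-05-21T10:15:00,msp-backup-svc,10.0.5.20,52428800
2018-05-21T14:40:00,msp-backup-svc,10.0.5.20,48234496
2018-05-22T02:10:00,msp-backup-svc,203.0.113.44,734003200
2018-05-22T11:05:00,hr-consultant,10.0.8.15,2097152
2018-05-23T23:30:00,hr-consultant,198.51.100.9,157286400
2018-05-23T09:00:00,hr-consultant,10.0.8.15,1048576
"""

# Constructed baseline of "normal" daily outbound volume per supplier account
# (in practice measured over a quiet period, not guessed).
BASELINE_BYTES_PER_DAY = {
    "msp-backup-svc": 100 * 1024 * 1024,  # ~100 MiB/day
    "hr-consultant": 4 * 1024 * 1024,     # ~4 MiB/day
}

INTERNAL_PREFIX = "10."        # assumption: 10.0.0.0/8 is the internal estate
OFF_HOURS_START, OFF_HOURS_END = 22, 6   # 22:00 to 06:00 counts as off-hours
RATIO_THRESHOLD = 3.0          # alert when a day exceeds 3x the baseline


def parse_flows(text):
    """Parse the CSV-style flow lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, account, dst, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return flows


def is_off_hours(ts):
    """True if the timestamp falls in the configured overnight window."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def find_suspicious(flows, baseline):
    """Return (account, when, reason, bytes) tuples for flows worth a look.

    Two detections: an external transfer during off-hours, and a day whose
    total outbound volume exceeds RATIO_THRESHOLD times the account baseline.
    """
    alerts = []
    daily = defaultdict(int)
    for f in flows:
        external = not f["dst"].startswith(INTERNAL_PREFIX)
        if external and is_off_hours(f["ts"]):
            alerts.append((f["account"], f["ts"].isoformat(),
                           "off-hours external transfer", f["bytes"]))
        daily[(f["account"], f["ts"].date())] += f["bytes"]
    for (account, day), total in sorted(daily.items()):
        base = baseline.get(account)
        if base and total > RATIO_THRESHOLD * base:
            alerts.append((account, day.isoformat(),
                           f"daily volume {total / base:.1f}x baseline", total))
    return alerts


if __name__ == "__main__":
    for account, when, reason, nbytes in find_suspicious(
            parse_flows(SAMPLE_FLOWS), BASELINE_BYTES_PER_DAY):
        print(f"{when} {account}: {reason} ({nbytes} bytes)")
```

On the constructed sample this flags the backup account's 02:10 transfer to an external host and its 7x-baseline day, and the HR consultant's late-night upload and 37x-baseline day, while the ordinary daytime traffic passes silently. The value of the approach is that the baseline is per supplier account, so a quiet consultant laptop and a bulk backup service are each judged against their own norm rather than a single global threshold.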

On the face of it, the supply chain risk can seem daunting. Security teams
see managing their own estate as a game of continually plugging different
holes, so the thought of having to do so across the entire supplier base
looks like a tall order. However, with the right processes, close
communications with suppliers and some small technical improvements, it
doesn’t have to be. It is a risk point that needs to be considered, not
least because your adversaries probably already are.