June 18, 2021 | Supply Chain Software Blogs
Your organization may have worked hard to develop and implement stringent security standards to secure its supply network. But what about the third parties in your supply chain?
Do all your software vendors prioritize security? Do they have appropriate checks in place to keep their networks and products secure?
The truth is many do not have such defenses in place.
This leaves organizations using the software and their customers increasingly vulnerable.
Several major organizations, discussed below, were crippled by supply chain attacks recently.
The breach at SolarWinds, an IT management software provider, discovered in December 2020 showed how single points of failure can be exploited to have far-reaching impact. A malware-laced software update that hackers unleashed impacted as many as 18,000 organizations and government entities.
Even security vendors can be a target. In the SolarWinds case, one of the victims was FireEye, a cybersecurity vendor.
The SolarWinds hack could cost cyber insurance companies up to $90 million, according to an estimate by BitSight, a security rating firm.
In a survey of security leaders in February by Splunk and Enterprise Strategy Group, 78% said they are “concerned about more SolarWinds-style attacks in the future.”
Their worries came true in May, when cybercriminals took over the network of Colonial Pipeline, a critical supplier of fuels to the U.S. East Coast, and extracted a hefty ransom in bitcoins (some of which has been recovered).
Soon enough, another cyber-attack affected the operations of JBS SA, the world’s largest meat processor, across the U.S., Canada and Australia. This company, too, was forced to pay a large ransom.
Supply chain attacks typically originate from a trusted business partner, vendor or supplier and target the weakest or least secure link in the supply chain. Cybercriminals usually zero in on third parties, which often have the weakest cybersecurity measures in place.
By targeting the least secure links of the supply chain, hackers are much more likely to succeed in penetrating secure systems to access vital data.
In most cases, the initial victim of the hack is not the ultimate target; rather, it serves as a gateway to a larger network.
Every company in a supply chain must understand that it is a potential target for a cyber breach and should know how to secure its data and network.
Here are seven measures your business should undertake to shore up its cyber defenses:
Map out the threat landscape, which includes software vendors, open-source projects, IT and cloud services. Make a list of all third-party tools and services used in software projects.
Before shortlisting a vendor, consider its cybersecurity framework. Ensure that vendors have structured, validated and certified security policies and procedures. Contracts with vendors must clearly state the standards and requirements for access and use of data.
Pay special attention to software suppliers, particularly those whose software has privileged access to company assets. For these suppliers, the assessment must be more elaborate and cover the integrity of the software development process. Ensure that adequate controls are in place to prevent or detect the introduction of malicious code.
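The inventory step above ("make a list of all third-party tools and services") and the integrity controls just described can both be made concrete at the build level. The script below is an added example, not code from the original post or from any vendor: it parses a constructed requirements.txt written in pip's hash-checking syntax (`name==version --hash=sha256:<hex>`), reports inventory entries that cannot be verified at install time, and refuses a downloaded artifact whose bytes do not match the pinned digest. The manifest, the package names and the artifact bytes are all constructed for illustration.

```python
"""Inventory third-party dependencies and verify artifact integrity.

Added example, not code from the original post or any vendor's tooling. It
parses a constructed requirements.txt written in pip's hash-checking syntax
(``name==version --hash=sha256:<hex>``), flags entries that cannot be
verified, and checks a downloaded artifact's bytes against the pinned digest
before the build is allowed to consume it.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample artifact and its digest. In practice the digest comes
# from the supplier, obtained out of band from the download itself.
SAMPLE_ARTIFACT = b"constructed sample wheel contents, not a real package\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

# Constructed manifest: one pinned and hashed entry, one unpinned entry,
# one entry that is pinned but carries no hash.
SAMPLE_REQUIREMENTS = f"""\
# build tooling for an internal project (constructed sample)
examplepkg==1.4.2 --hash=sha256:{SAMPLE_DIGEST}
pyyaml>=5.0
urllib3==1.26.5
"""

SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(===|==|~=|>=|<=|!=|>|<)?\s*(\S*)$")
HASH_OPT = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


@dataclass
class Requirement:
    name: str
    operator: Optional[str]
    version: Optional[str]
    hashes: Dict[str, str] = field(default_factory=dict)  # algorithm -> hex digest

    @property
    def pinned(self) -> bool:
        return self.operator == "=="


def parse_requirements(text: str) -> List[Requirement]:
    """Turn a requirements.txt body into Requirement records (the inventory)."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        options = [t for t in tokens if t.startswith("--")]
        spec = "".join(t for t in tokens if not t.startswith("--"))
        m = SPEC.match(spec)
        if not m:
            raise ValueError(f"unparseable requirement line: {raw!r}")
        hashes = {}
        for opt in options:
            hm = HASH_OPT.fullmatch(opt)
            if hm:
                hashes[hm.group(1)] = hm.group(2).lower()
        reqs.append(Requirement(m.group(1).lower(), m.group(2), m.group(3) or None, hashes))
    return reqs


def audit(reqs: List[Requirement]) -> List[Tuple[str, str]]:
    """List inventory entries whose integrity cannot be checked at install time."""
    findings = []
    for r in reqs:
        if not r.pinned:
            findings.append((r.name, "not pinned to an exact version"))
        elif not r.hashes:
            findings.append((r.name, "pinned but carries no --hash"))
    return findings


def verify_artifact(req: Requirement, data: bytes) -> bool:
    """True only if the bytes match every digest pinned for this requirement."""
    if not req.hashes:
        return False                      # nothing to compare against: refuse
    for algo, expected in req.hashes.items():
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True


if __name__ == "__main__":
    inventory = parse_requirements(SAMPLE_REQUIREMENTS)
    for r in inventory:
        print(f"{r.name:<12} {r.operator or '':<3} {r.version or '(any)':<8} hashes={list(r.hashes)}")
    for name, reason in audit(inventory):
        print(f"FINDING: {name}: {reason}")
    print("examplepkg verifies:", verify_artifact(inventory[0], SAMPLE_ARTIFACT))
    print("tampered verifies:  ", verify_artifact(inventory[0], SAMPLE_ARTIFACT + b"\x00"))
```

The point of the design is that an entry with no digest is treated as unverifiable rather than silently accepted, and that a version range (`>=`) is a finding in its own right, since a resolver can pull in a release the reviewer never assessed. The digest comparison uses a constant-time compare, which costs nothing here and is the habit to keep for any check that compares secrets or signatures.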
It is not unusual for companies to make their data available to third parties. However, this must be done with due consideration. The fewer people who have access to data, the easier it is to control and mitigate threats. Do an audit to determine who has access to data and what they are doing with it. A business can also exercise control by sharing data with vendors in a one-way feed.
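The audit described above ("who has access to data and what they are doing with it") becomes a repeatable check when the list of grants is compared against an access log. The script below is an added example, not code from the original post or from any product: the grant table, the vendor account names, the dataset names and the log lines are all constructed, and the log format (timestamp, account, dataset, action, row count) is an assumed layout rather than any real system's. It reports access without a grant, writes against data that was meant to be a one-way feed, grants that are never exercised, and accounts that have gone dormant.

```python
"""Audit third-party access to shared data: who holds access, who uses it.

Added example, not code from the original post. The grant table and the
access-log lines are constructed for illustration; the log layout
(ISO timestamp, account, dataset, action, row count) is an assumption,
not any product's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed: which vendor accounts are authorized for which datasets.
# Every dataset here is shared as a one-way feed, so only reads are expected.
GRANTS: Dict[str, Set[str]] = {
    "vendor-a-svc": {"orders", "inventory"},
    "vendor-b-svc": {"inventory"},
    "vendor-c-svc": {"customers"},
}

# Constructed access-log lines: timestamp, account, dataset, action, rows.
ACCESS_LOG = """\
2021-06-01T08:02:11Z vendor-a-svc orders read 1200
2021-06-03T09:15:40Z vendor-a-svc orders read 1300
2021-06-04T22:41:05Z vendor-b-svc customers read 50000
2021-06-10T10:00:00Z vendor-a-svc inventory read 300
2021-06-12T10:00:00Z vendor-b-svc inventory write 10
"""

Event = Tuple[datetime, str, str, str, int]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed five-field log lines into typed events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, dataset, action, rows = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       account, dataset, action, int(rows)))
    return events


def audit_access(grants: Dict[str, Set[str]], events: List[Event],
                 now: datetime, window: timedelta = timedelta(days=30)
                 ) -> List[Tuple[str, str, str]]:
    """Return (finding, account, dataset) triples, in the order discovered."""
    findings = []
    used = defaultdict(set)          # account -> datasets actually touched
    last_seen: Dict[str, datetime] = {}
    for ts, account, dataset, action, rows in events:
        if dataset not in grants.get(account, set()):
            findings.append(("access without grant", account, dataset))
        elif action != "read":
            findings.append(("write on one-way feed", account, dataset))
        used[account].add(dataset)
        last_seen[account] = max(last_seen.get(account, ts), ts)
    # Grants that nobody exercised in the window are candidates for revocation;
    # accounts that never appear at all are dormant and should be reviewed.
    for account, datasets in grants.items():
        for dataset in sorted(datasets - used[account]):
            findings.append(("granted but never used", account, dataset))
        if account not in last_seen or now - last_seen[account] > window:
            findings.append(("dormant account", account, "*"))
    return findings


def rows_per_account(events: List[Event]) -> Dict[str, int]:
    """Total rows each account pulled, the 'what are they doing with it' view."""
    totals: Dict[str, int] = defaultdict(int)
    for _, account, _, _, rows in events:
        totals[account] += rows
    return dict(totals)


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    for finding in audit_access(GRANTS, evs, now=datetime(2021, 6, 18)):
        print("FINDING:", *finding)
    print("rows pulled:", rows_per_account(evs))
```

Run against the constructed log, the audit flags vendor-b-svc for reading a dataset it was never granted and for writing to a feed that should be read-only, and flags vendor-c-svc for holding a grant it has never used. The row totals are the starting point for the conversation the post recommends: a vendor pulling far more than its contract needs is a finding even when every access is technically authorized.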
Keep an eye on developer endpoints, such as servers, workstations or virtual machines. Deploy endpoint protection platforms and endpoint detection and response technology to detect anomalous behavior and facilitate immediate response.
At times, more than technology, a cultural change is needed to combat cyber threats. Employees as well as vendors and partners must be aware of what they can do and, more importantly, what they cannot do with sensitive data and information. Conduct training sessions to educate staff on all aspects of security such as company policy, password security and social engineering attack methods.
Ensure that there is an incident response plan in place to effectively deal with a potential crisis. Such a plan should include the full range of incidents that could occur and set out appropriate responses.
Unfortunately, there are no set standards currently that specifically address the security of the software supply chain and software development process. However, some institutions, such as the Consortium for Information and Software Quality, are working to address this lack of standards.
Proper due diligence is critical to avoid situations where your supply chain is hacked.
All businesses, big and small, must know who their software and hardware suppliers are, vet them and hold them to certain standards. This is as important as negotiating a contract with the vendor.