We are all part of a giant and interwoven supply chain. Cybersecurity failure within the supply chain is a collective problem that has always existed, but its severity has been brought to light once more due to recent events.
Building a program for supply chain security in the early 2000s was not easy. A routine analysis of a potential service partner could turn out to be an eye-opening experience in which corporate data was entrusted to someone without basic notions of cybersecurity. Even mainstream products had critical vulnerabilities. Security teams spent considerable resources demanding better security for the products and services they bought.
Even products from organizations such as Microsoft, Cisco, Hewlett-Packard (HP), McAfee, RSA, PeopleSoft and many others were once insecure. When these instances were brought to light, technical teams were not excited about the prospect of delaying projects due to cybersecurity concerns. Business stakeholders were outright angry and had little to no consideration for cybersecurity.
Over the past 2 decades, things have changed—and they have changed in the minds of cybercriminals, too. Cybercriminals no longer resemble a horde of barbarians storming the front gates of a medieval keep. Their cyberattacks are smarter, stealthier and more persistent. If the front door is locked, they will try to gain access using the other doors and windows. Attackers may concoct clever ploys to get inside of an enterprise through employees and contractors, but today, it is more likely that they will gain access through a trusted vendor or supplier.
Zero trust is a technical solution that does not always translate into a good business model. We want to greet our customers with open arms and offer them our goods and services, not subject them to often-intrusive examination. So, what is the compromise? What do we need to do to find a healthy balance between our supply chain, our customers and security? To find the answer, consider some practical advice:
- Trust, but verify—Your enterprise’s cybersecurity requirements for vendors must be more thorough than a questionnaire or compliance paperwork. Many breaches involve false assurances from vendors about the state of their security. Security practitioners are often shocked by how little cybersecurity is accounted for within the “proper paperwork.”
You do not have to go far to see an example of this. Consider the present state of security for certain data transfer appliances from Accellion (the legacy File Transfer Appliance, or FTA), which in 2021 became a gateway to several breaches and ransom demands.1 Each appliance was marked with a “secured by Accellion” tagline, but this did not deter attackers from breaching them. From the point of sale until very recently, it is most likely that Accellion assured its customers that its solution was “secure.”
- We can no longer rely on trust alone—So, how do we verify? Deploy penetration testers (pen testers) and red teams against every product and solution on the market? Perhaps that is not a bad approach for some of the products and services that you use, but you will quickly run out of resources unless you build a program specifically designed for third-party security. You may require your third parties to test their own products, but will that be effective? Very few of them will do everything that is needed, and most will do only the minimum of what is required.
- Ask the right questions—For example, was the product or service tested for cybersecurity? This is not a “yes” or “no” question—it boils down to the level of diligence. For example, what was the scope of the penetration test (pen test)? What was tested: only the product or the entire environment (including corporate, test and quality assurance [QA])? Are you receiving a mere executive summary or a complete list of findings? Are you looking at the first round of findings or at a carefully filtered list of issues that remain after 2, 3 or even 4 rounds of tests?
- Your trust must be earned by a third party—You, as a third party to others, must do what is needed to ensure that your product and service offerings are secure. The maturity of the cybersecurity program must be measurable and visible. It is something into which you must invest resources, rather than simply performing a bare-minimum effort because your enterprise has deemed it necessary.
In 2021, we are no longer living in an age where an organization’s only mistake is failing to address cybersecurity. Today, any such mistake will be exposed, which can result in much harm to the entire enterprise. It takes a single account, system, application or user to cause a major breach. In the past, an exposure may have existed for months before anyone noticed; today, breaches can escalate within minutes of an exposure.
You must find your place within your supply chain and take greater responsibility. This responsibility is not only for your link in the chain, but for the connected links above and below. Investing in the cybersecurity of your environment may lead to the discovery of security failures, but addressing issues promptly and ensuring that they are being constantly monitored will further protect your link in the chain and everyone around it. If most follow suit, then our entire supply chain will create—and meet—a new standard of cybersecurity.
Endnotes
1 Moore, A.; Stark, G.; et al.; “Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion,” FireEye Blogs, 22 February 2021
Alex Holden, CISSP
Is the founder and chief information security officer (CISO) of Hold Security LLC. Under his leadership, Hold Security plays a pivotal role in information security and threat intelligence, and has become one of the most recognizable names in its field. Holden is credited with the discovery of many high-profile breaches affecting enterprises including Adobe Systems, JPMorgan Chase and Yahoo. He researches the minds and techniques of cybercriminals and helps build better defenses against cyberattacks.