Let’s start with a question. What happens to your cyber-risk profile when you have invested significantly in your infrastructure, cybersecurity tools, education, and hiring of the right professionals?
Before you answer, consider what the question is asking. Have you done at least the following: (1) implemented a robust identity and access management platform, (2) implemented network detection and response capability, (3) implemented endpoint detection and response capability, (4) installed and maintained sophisticated next-generation firewalls, (5) begun running advanced secure web gateway technologies, (6) put an advanced secure email gateway in place, (7) made in-depth and relevant cybersecurity awareness training available to all users, and (8) hired the best cybersecurity professionals your organization can afford? That is a complicated question, and this list is by no means the totality of the controls available to manage your cyber-risks.
For conversation's sake, assume you have done only the things listed in this question: how secure do you feel your enterprise might be against cyberattack? If we are being honest, and if you had all those items checked off, you should feel rather good about withstanding and bouncing back from most cyberattacks. Now ask yourself another question, to which the answer (if you truly consider the ramifications) might be unsettling. How secure are your vendors' and consultants' networks? I am referring to the cybersecurity posture of the links in your supply chain. The truth is that each of us is only as secure as the weakest link in our supply chain. That means we must adjust our understanding of the cyber-threat landscape and reevaluate how we weigh our preventative security measures against our resilience and incident response capabilities.
By now most of you reading this have heard about the recent cyberattacks attributed to Russian state actors using weaponized versions of SolarWinds products. These are not only perfect examples of supply chain attacks; they are also the worst-case scenario when it comes to attacks involving an organization's supply chain. The sophistication of these attacks is impressive, to say the least. While CISA and other experts are discussing the possibility of multiple attack vectors for this current string of attacks, none is more concerning than the compromise of SolarWinds, a trusted vendor partner for many organizations. From a risk mitigation perspective, this is our worst nightmare. For those not familiar with the attack, I will take a moment to summarize.
The compromise of the SolarWinds platform affected approximately 18,000 of its customers, many of which are federal, state and local government entities. Bad actors were able to embed malicious code in software updates that were released between March and June 2020. Those updates were then digitally signed by the vendor and made available for download through the normal channel. SolarWinds customers downloaded and installed the weaponized update on the system that monitors their network connections, server performance, and so on. Once installed, the malicious code embedded in the update created the conditions that allowed the bad actors access to the victims' networks.
Why was this attack successful? The answer is simple: no technical, administrative, or operational controls were effective against a signed update from a trusted source. The signature attested that the update came from SolarWinds, which was true; it said nothing about whether the build itself had been tampered with, and the customers' own administrators installed it. Supply chain attacks are extremely harmful because they exploit trust, bypass typical defensive mechanisms, cause the victims to experience large financial losses, and cause real damage to critical systems. The SolarWinds compromise is a painful reminder of the cyber-risks associated with the supply chain. The question now is: how do you effectively assess cyber-risks, including compensating controls, for your supply chain?
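To make the "signed but not safe" point concrete, here is a small illustration I have added to this article; it is not SolarWinds code and it does not reproduce the actual implant. It models a vendor build pipeline with an Ed25519 signing key, builds one clean release and one release with code spliced in before the signing step, and then runs the two checks a customer might perform: the ordinary signature check, and a comparison against a reference digest obtained independently of the download. The product name, strings, and the existence of an independent reference digest are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a customer downloads: the update bytes and the vendor's
// signature over them.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// buildAndSign models a vendor release pipeline. When the build system is
// compromised, `implant` is spliced into the output before the signing step,
// so the vendor's genuine key produces a valid signature over trojaned code.
func buildAndSign(priv ed25519.PrivateKey, source, implant []byte) Release {
	artifact := append([]byte{}, source...)
	artifact = append(artifact, implant...)
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, artifact)}
}

// signatureValid is the check an update mechanism normally performs: was this
// artifact signed with the vendor's published key? It attests origin only.
func signatureValid(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Artifact, r.Signature)
}

// digestOf returns the hex-encoded SHA-256 of an artifact.
func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// matchesExpectedDigest is an out-of-band control: compare the shipped bytes
// against a digest the customer obtained independently of the download
// channel. This reference is a hypothetical; most customers have no such thing.
func matchesExpectedDigest(r Release, expected string) bool {
	return digestOf(r.Artifact) == expected
}

// DemoResult records what each check said about the clean and trojaned builds.
type DemoResult struct {
	CleanSigOK, TrojanSigOK       bool
	CleanDigestOK, TrojanDigestOK bool
}

// runDemo builds a clean and a trojaned release with the same vendor key and
// runs both checks against each. All inputs below are constructed stand-ins.
func runDemo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	source := []byte("netmon-agent 2020.2: poll hosts, report uptime") // constructed
	implant := []byte("\n;; added at build time: beacon, fetch tasks")  // constructed

	clean := buildAndSign(priv, source, nil)
	trojan := buildAndSign(priv, source, implant)

	// The customer's reference digest, assumed to have come from a clean build.
	expected := digestOf(clean.Artifact)

	return DemoResult{
		CleanSigOK:     signatureValid(pub, clean),
		TrojanSigOK:    signatureValid(pub, trojan),
		CleanDigestOK:  matchesExpectedDigest(clean, expected),
		TrojanDigestOK: matchesExpectedDigest(trojan, expected),
	}, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean build:    signature ok=%v  digest ok=%v\n", r.CleanSigOK, r.CleanDigestOK)
	fmt.Printf("trojaned build: signature ok=%v  digest ok=%v\n", r.TrojanSigOK, r.TrojanDigestOK)
}
```

Both releases pass the signature check, because the vendor's real key signed both; only the independent digest comparison separates them, and that comparison depends on a reference most organizations do not have for closed-source vendor software. That is exactly why the article's thesis holds: the control that would have caught the update is not one the customer can normally implement.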
You might take a draconian approach and restrict vendors' access to the systems or services your organization provides, but the SolarWinds hack demonstrated that this is not really an effective approach: the vendor never had to log in, because the customer installed the malicious update itself. The answer is not so clear in this area. You could ask the vendor to provide the results of their last security audit, or ask for copies of their security policy. Asking for policies and audit findings probably will not give you a clear picture of how your vendors manage their risks, however; you would need nearly every policy the vendor has, from onboarding to the handling of recycling and waste bins. For most organizations it is not a good value proposition to pore over every vendor in the detail required to truly understand their risk profile. You could use services that provide a risk score for the companies you do business with, but these services will likely overlook internal HR practices such as periodic background re-investigations or how many employees are on improvement plans (which might give insight into insider threats). One vehicle you can consider is the legal obligations you can place on a vendor through the contracting process. For example, a contractual requirement could oblige your vendors to obtain approval from your organization's contracting people before they onboard any subcontractors who will work under their contract. This approach may provide a means to hold your vendors accountable for their contractual obligations, but it probably will not do much to address your vendors' subcontractors' subcontractors, or their subcontractors, and so on. In short, securing the supply chain end to end is not something you are likely to accomplish.
You may consider creating strict access controls that manage identity for your vendors, such as requiring your vendors to use user accounts that you provision in order to gain access to your network systems. Also consider requiring correspondence with onboarded consultants to go through your own corporate email system, to help control the risks associated with phishing-based attacks. These types of controls will have some effectiveness with prime vendors, but it is extremely difficult, if not impossible, to have umbrella-type controls that envelop all the links in your supply chain.
Instead, when you are building your risk profile and taking your supply chain into consideration, ascertain how your vendors are paid for their services. Talk with your financial teams to make sure there are adequate controls in place to detect and stop fraud attempts such as changed payment instructions. Account for how your organization onboards contractors. Are they subject to at least the same level of background checks your organization's employees are required to pass? There is much to consider when assessing supply chain cyber-risks; almost too much to consider. Simply put, the supply chain is long and complex. As such, any technical, administrative, or operational controls you put in place will likely break down at some point along the chain.
Therefore, assessing risk and implementing risk-mitigating controls for the supply chain should revolve around your own resilience. Make sure you have other vendors on your bench that can provide similar or overlapping services where possible; this may prevent your organization from becoming crippled when a link in your supply chain is compromised. Test your cyber-incident response, business continuity, and disaster recovery plans. Finally, as you refine your plans, identify how your users might be impacted by your recovery efforts should a catastrophic event occur. Then discuss that potential impact early and frequently with organizational leadership for the purpose of setting expectations should the worst-case scenario come to pass.