By Jamison Day
In today’s evolving threat landscape, securing only your own organization’s cyber activity is no longer enough. While many companies have established cyber security best practices within their own walls, they often overlook the cyber security of their supply chains. From 2014 to 2015, cyber incidents involving supply chain partners grew 22 percent. Some now estimate that as much as 80 percent of information breaches originate in the supply chain.
Recently publicized attacks have shown that hackers are likely to gain access to your information systems through a supply chain partner or third party service provider. For example, in 2013, 110 million customers’ data and over 40 million payment cards were stolen from Target, which was initially breached through a connection via its HVAC vendor Fazio Mechanical Services. Similar vendor-originating breaches have affected AT&T, Cogent Healthcare, Goodwill, Home Depot, the U.S. Office of Personnel Management (OPM), the U.S. Department of Defense, and the list goes on.
So, how can you keep your supply chain partners from becoming a cyber security vulnerability to your company?
It isn’t easy. In today’s business climate, outsourcing and strategic partnerships can solve many business problems and can even be an economic necessity; however, it also creates cyber vulnerabilities by moving your company’s information system endpoints outside of its own defense perimeter. Whether it is a retailer’s point-of-sale (PoS) system accessing your inventories or production schedules, a supplier updating your product’s research and development (R&D) information, or a payroll service provider that has access to your employee’s personally identifiable information (PII), your reliance on partner companies requires exchanging information. Hackers not only know this, but they are also exploiting it. Therefore, you must treat every supplier as a potential vector of attack.
Before making any supply chain decisions, your company’s first line of defense will be your supplier selection practices.
Cyber Security through Supplier Selection
When you contract with suppliers, distributors, and service providers, you are making an important choice about whether those cyber security links in your supply chain are strong or weak. Your supplier selection processes should make it clear that cyber security is not just desirable, but it is a critical selection criterion. The best assessment will come from your own cyber security team. If they only hear about new supply chain partners after the contract is signed (or worse, after a threat emerges!), you are in trouble. Shadow vendors, just like shadow IT, provide hackers with potential attack vectors that remain unmonitored. Vendors without an organizational culture of cyber security either do not fully understand today’s risks or they do not value their customers. Either way, are you willing to risk having companies with lax security as partners in your supply chain?
There are many pieces of documentation your company will want to review before inking a business contract. Ideally, potential partners will have a cyber security certification such as ISO 27001, Cyber Essentials, or PCI compliance (where applicable) and can provide their certification documentation. Regardless, certificates do not prove compliance, so you will still want to perform or review a third-party risk assessment that provides a cyber asset inventory and examines the company’s practices for managing:
- Security patches
- SPAM: Email or postings containing irrelevant, inappropriate or indiscriminate messages sent to a large number of recipients. LookingGlass Cyber (n) - tons and tons of emails sent out with no relevance to anyone, or anything. and malicious email
- Employee cyber security training
- Access control permissions
- Remote access
- Backup and recovery
- Intrusion detection
- Physical hardware protection
- Equipment (Make sure any recovered equipment has a clear chain of custody and firmware/software is validated.)
- Network architecture
While this documentation provides evidence of the candidate supplier’s formal processes, your company’s cyber security team should perform additional due diligence. After obtaining results from a third-party penetration test, closely examine the corrective actions they have taken. Perform research with available intelligence sources such as Threat Intelligence: Evidence-based knowledge about an existing hazard designed to help organizations understand the risks common and severe external threats, used to inform decisions regarding the subject’s response. LookingGlass Cyber (n) - Actionable, relevant, and timely information that can help when assessing the security posture of an organization. A little more left. No no, that’s now too far... feeds and platforms, Domain: A specified location where a set of activity or knowledge exists. For instance, an Internet domain is synonymous with a website address or URL where information can be made available. LookingGlass Cyber (n) - A fancy name for a URL or website. name reputation monitoring, and vulnerability scans.
Lastly, your vendor contracts should require rapid notification of any breach, cyber security insurance (where deemed appropriate), and collaboration in cyber defense action. After all, any weakness in the links of your supply chain can act as a convenient attack vector for threat actors to access your data and cyber assets.
On-Going Supply Chain Cyber Security
Even with the best supplier selection practices, cyber security is by no means guaranteed once contracts are in place. Managing cyber security within the everyday interactions that take place across your supply chain requires constant vigilance.
If your corporation is like most, the large number of information systems and vast amount of data used internally already present a cyber security challenge. A recent Ponemon Institute report found that 79 percent of U.S. businesses lack the tools and resources required to detect and defend their own organizations against cyber attacks. Unfortunately, the many external information system connections required to coordinate your extended supply chain present an even greater cyber security challenge.
Engaging this challenge will require that our already overburdened cyber security teams continue to efficiently allocate their limited resources. Luckily, each of your supply chain partners is different; some require access to sensitive systems or data while others don’t, and some have strong approaches to managing cyber security while others struggle. The following matrix provides a general framework for allocating your cyber security resources among a diverse range of supply chain partners.
LookingGlass Supply Chain Cyber Security Strategy Matrix
Over the past few decades, outsourced service providers and strategic partners have become more crucial and more integrated into our organizations’ operations. As a result, our partners’ access to, and potential impact on, our systems and data continues to grow. All supply chain partners should encourage each other to mature their cyber security cultures over time and should work together on cyber security best practices.
For every partner, regardless of what quadrant they are in, your company should employ automated and passive defense solutions (which do not require continuous activity to keep in place) whenever possible to reduce the manual effort required from your cyber security team. The proper use of firewalls, anti-malware, anti-virus, intrusion detection systems, intrusion prevention systems, and multi-factor authentication provide a significant increase in security.
Since every partner is a potential attack vector, be sure to use segmented demilitarized zones (DMZs) and unique VPN keys for each partner. Not only does this allow for more tailored management across a variety of attack surfaces, but it appropriately quarantines any critical threat arising from another organization without affecting others’ ability to interact with your company. Deliberating for days or weeks on how to deal with a threat after learning about one gives attackers time to gain a greater foothold into your networks and/or exfiltrate more information. Therefore, determine in advance what situations justify cutting off vendor access, and set up the processes for doing so.
Automated third-party threat feed monitoring can be added to this list as well. The cyber asset inventory obtained during supplier selection should provide a list of IP ranges and domain names that can be monitored with alerts. As threat intelligence feeds report significant indicators of compromise associated with those addresses, your cyber security team can contact the affected partner to ask them how they are responding to the security vulnerability – and therefore your own – and how they are going to address the issue and make improvements.
In addition to threat intelligence feed monitoring, you should set up alerts for domain name reputation monitoring and vulnerability scanning. As issues surface, your cyber security team can begin building its relationship with its vendor counterparts by monitoring, and perhaps assisting with, remediation and preventative actions. These low-effort approaches have the added benefit of encouraging partners to enhance their own cyber maturity as they will want to identify their internal issues prior to their customers seeing them.
Lastly, establish metrics that monitor partner engagement and performance. This will also help you effectively manage your own cyber security efforts. Consider monitoring the number of partners within each quadrant of the supply chain cyber security strategy matrix, detected intrusion attempts occurring via each partner, and interactions with each partner’s cyber security teams. Understanding the evolution of your supply chain’s participants, active threat vectors, and collaboration efforts will help management make better decisions about how to enhance your supply chain cyber security efforts over time.
Quadrant I: Periodic Assessment
Your supply chain partners with low access to your systems and highly mature approaches to cyber security pose the lowest threat risk. These organizations should be periodically assessed – more often than at vendor contract renewal – to ensure they continue to use sound cyber security processes and technologies.
With low access, these partners may not be highly motivated to work closely together; however, their mature approach to cyber security makes them valuable for your company to maintain a relationship with. Sharing cyber threat intelligence, whether through direct relationship or via an ISAC/ISAO, could provide visibility into additional threat actors that are active within your industry vertical.
Quadrant II: Collaborative Active Defense
Partners with high access to your network and high maturity are likely to be your closest allies for enhancing supply chain cyber security. As invested supply chain partners that understand the value of cyber security, building strong relationships between your security operation centers can help both companies develop more integrated active defense strategies that do more with less.
Consider regular sharing of suspicious activity, indicators of compromise, and threat intelligence to build each other’s knowledge base and deepen the relationship. Such relationships can prove invaluable during incident response and may help to reduce remediation time. Similarly, joint red-team and penetration testing efforts can provide more varied insights about what enhancements can be made to improve your shared supply chain’s cyber security posture. The focus here should be promoting a shift from perimeter-based defenses towards extended supply chain cyber security.
Quadrant III: Continuous Monitoring
For partners that your company doesn’t trust to effectively manage cyber security on their own and that have low access to your systems or data, a continuous monitoring strategy makes sense. However, monitoring a partner’s network from afar is a challenge. Regular use of external vulnerability scanning tools (e.g. Nessus) may provide some useful insight, but these are far from fail-safe.
Since these partners are not trusted to follow proven cyber security practices, it is important to ensure they are appropriately using their access without introducing vulnerabilities to your data or systems. Whenever unsafe practices are identified, they should be protected against and brought to the partner’s attention to encourage greater awareness of the need for cyber security.
Quadrant IV: Self-Active Defense
Posing the highest threat risk are supply chain partners that require access to sensitive systems/data but have weak cyber security capabilities of their own. There are many criteria for the selection of suppliers and sometimes it will be necessary to contract with highly integrated supply chain partners that do not have sound cyber security practices.
Your company will need to constantly be on alert with these partners. That means enforcing very stringent access policies, staying on guard for any indications of unauthorized activity, and using active defense techniques (e.g. network activity monitoring, behavioral analysis, APT defense) to carefully ensure your own security. Partners in this quadrant are the most likely candidates for severing access and your company should be prepared to do so. Similarly, it is important to involve your cyber security team in these vendor performance reviews so that an accurate estimation of threat risk can be weighed alongside the value obtained from the services they provide.
Maintaining supply chain cyber security is not easy – especially when dealing with multiple vendors – but it certainly has become crucial as cyber attacks via data-integrated vendors have become more common and the cost of compromise keeps rising. Your best defense is to ensure your supply chain partners are well-prepared and in the fight with you. Ultimately, what is at risk is your company’s financial performance, brand reputation, and customer loyalty.
More often than not, people don’t realize the importance of having sound cyber security practices in place until after a serious incident occurs; however, it is the everyday efforts of cyber security that will keep your organization from having to deal with the repercussions of an attack.
This is why you should seek and develop partners that are collaborative with your own cyber security operations. As your supply chain partners’ cyber security capabilities continue to mature, your company will have more opportunity to engage a corporate community that is invested in the same goal of collective protection. After all, just as every supply chain partner’s success is interdependent, the security of our information systems is interdependent as well.
The next blog in this series will examine the realistic capabilities and limitations of automated data-driven cyber security.
Contact us to learn how LookingGlass threat intelligence services can help your organization with vendor risk management.