How to Manage Supply Chain Risk and 3rd Party Vulnerabilities

On top of the many disruptions brought about by the pandemic, risks incurred by supply chain and 3^rd party vulnerabilities are becoming increasingly common due to ransomware, zero-day attacks, and other cyber-threats. Unlike COVID-19, however, these threats are targeted, malicious, and cannot be addressed with a vaccine.

To maintain a strong cybersecurity posture, it’s important to be aware of and plan for risks like these that directly affect your business despite being outside of your control. The topic is no joke: a former NSA hacker told CNBC that the threat of a cyberattack on the U.S. supply chain “keeps him awake at night.” What is appealing to attackers? Cyber-criminals are attracted to the supply chain due to its vulnerabilities – especially when a single breach or compromise can lead to multiple, even thousands of victims in one fell swoop.

The Supply Chain and 3rd Party Vulnerabilities

There’s a cascading occurrence to a cyber-breach that could ultimately affect your organization—and your business profitability. Supply chain and 3rd party vulnerabilities  need to be addressed as part of a thorough cybersecurity posture that focuses on management strategies, risk assessments, and network scanning.

The SolarWinds digital supply chain attack first noted this shift and magnification of risk to suppliers and their customers. SolarWinds had developed a third-party software called Orion for companies to manage their networks, systems, and IT infrastructures. It was ultimately hacked, impacting some 18,000 customer organizations worldwide, including Microsoft. Similar breaches and attacks on the supply chain, IT, and MSPs have emerged, including Kaseya, Accellion, Codecov, and most recently, Log4J.

CISA deemed the vulnerability score of the Log4J flaw the highest possible rating of 10.0 (critical) on the CVSS scoring methodology. This zero-day vulnerability existed in software used in consumer and enterprise services, websites, applications, and operational technologies. In this case, an unauthenticated, remote actor is able to exploit this vulnerability, taking control and maintaining access.

Vulnerabilities and risk have escalated to the point that the Biden administration recently established an executive order requiring software bill of materials (SBOMs). SBOMs are a written record of the “ingredients” comprising a software product — open source and proprietary code — provided to anyone building software, buying software, and operating software.

Developing Your Vulnerability Management Strategy

Many organizations without a security team don’t know where to start when it comes to developing a vulnerability management program. First and foremost, the best tactic is to deploy vulnerability management tools as part of your cybersecurity program to mitigate the potential for rising third-party risk. If you don’t stay on top of vulnerability management, it’s exponentially harder to protect your network.

Another important part of developing your vulnerability protection strategy is the implementation of an asset management solution or process. Investigate and get to know what assets you’re protecting, especially in a remote working environment. An asset management solution will assist with implementing a patch or remediation should a breach occur because you know what you have to fix, because you can’t provide protection if you don’t know what’s riding on the network. Monthly vulnerability scanning can expose these risks and any add-on assets you may not be aware of.

Fortunately, there are effective tools and services that can support your vulnerability management strategy. We recommend including tools like vulnerability scanning and penetration testing, also known as ethical hacking into your approach. Both are necessary but have different ways to expose network vulnerabilities that could possibly be exploited.

First, Vulnerability Scanning is an automated process that leverages artificial intelligence, machine learning, contextual prioritization, and advanced logic to maximize reach through the network and regularly report on any issues requiring attention. The risk may arise from a workstation, server, software, firewall, apps, plug-ins, and even loT devices. Vulnerability scanning checks for unpatched or out-of-date software, hardware malware on a company device, and even unauthorized plug-ins. The scanner automatically searches your network and systems for security vulnerabilities then reports data to help you understand the risk and security gaps.

Penetration Testing, on the other hand, is a manual process where a person outside your organization gains access to your network and uncovers security vulnerabilities. Ethical hacking simulates an attack, evaluating and testing your defenses to see if weaknesses can be exploited. Accompanied by  supporting documentation, reports, and next steps for closing open threats, these processes enable you to remediate quickly and prevent attacks from spreading.

Shadow IT

Shadow IT refers to the devices, applications, and technologies used for business outside of your knowledge. Remote work challenges have increased the risk of Shadow IT causing data breaches or a violation of compliances and regulations.

When employees or others connect equipment to networks or activate cloud applications that the IT team or company doesn’t know about, you’ve moved into the realm of Shadow IT—and that makes your organization vulnerable. To combat these risks, we recommend developing and distributing a Technology Acceptable Use Policy, which will clearly set expectations for how technology and data should be used and protected, remotely and in-office.

3rd Party Risk Assessments

Before hiring a vendor or supplier, make sure you conduct a risk assessment. A risk assessment is a review of an organization’s policies, procedures, and functions, and are often required by many companies before the deal or partnership can be proceed. While these assessments can focus on many types of risk, cybersecurity risk assessments specifically look at an organization’s risk of a data breach or cyberattack, taking a deep dive into what you’re doing to protect customer data.

3^rd Party Vulnerabilities: Mitigating the Risks

In summary, 3^rd party vulnerabilities stretch across vendor supply chains, requiring a plan to manage these weaknesses. One single breach can lead to thousands of victims.

You can mitigate risk and move faster when you are aware of your network’s assets and know your vulnerabilities across all networks and endpoints, so an asset management solution is key, as is an Incident Response Plan. An effective way to combat shadow IT is with a Technology and Acceptable Use Policy to establish a clear and strong baseline for how technology should be used. Lastly, protect yourself by ensuring your partners and vendors undergo an extensive cybersecurity risk assessment prior to hiring them.

Include technology as part of your strategy. We recommend looking for solutions that are automated and offer programmatic discovery of assets. Engage with tools and services that are easy to deploy and manage without heavy lifting and IT expertise. Network vulnerability scanners should be flexible in application and capabilities, targeting internal and external networks, web applications, mobile and IoT devices, especially those used in remote work. Penetration testing is essential for testing your defenses, as well as to locate and fix potential security weaknesses.

While no single solution can guarantee 100% security, the right vulnerability management strategy can minimize third-party risk and supply chain vulnerability through through tools, processes and business practices.

Webinar: Vulnerability Management: Getting Down to Brass Tacks
Blog: Why is Vulnerability Management Important?
Blog: What’s the Difference Between Vulnerability Scanning and Penetration Testing?
Blog: What Does a Zero-day Vulnerability Mean and How to Stay Protected?
Blog: Log4J Vulnerability Explained
NIST: National Vulnerability Database NVD – CVE-2021-44228 (nist.gov)