The supply chain and third-party providers are increasingly vulnerable to ransomware, zero-day attacks, and other cyber risks. These threats aren’t isolated; they are targeted and have expanded across every business sector.
A former NSA hacker told CNBC that the threat of a cyberattack on the U.S. supply chain “keeps him awake at night.” Attackers are attracted by its vulnerabilities – especially when a single breach or compromise can lead to multiple, even thousands of victims in one fell swoop.
The Third-Party Risk and Supply Chain Vulnerabilities
A cyber breach has a cascading effect that could ultimately affect your clients—and your business profitability. Third-party and supply chain vulnerabilities need to be addressed as part of a thorough cybersecurity process that focuses on management strategies, risk assessments, and network scanning and testing.
The SolarWinds digital supply chain attack first highlighted this shift and magnification of risk to suppliers and their customers. Trusted third-party software, which SolarWinds developed for companies to manage their networks, systems, and IT infrastructures, was hacked, impacting some 18,000 customer organizations worldwide, including Microsoft. Similar breaches and attacks on the supply chain, IT, and MSPs have emerged, including Kaseya, Accellion, Codecov, and most recently, Log4J.
CISA deemed Log4J “the most serious of vulnerabilities.” A zero-day vulnerability existed in software used in consumer and enterprise services, websites, applications, and operational technologies. In this case, an unauthenticated, remote actor could exploit this vulnerability, taking control and maintaining access.
Vulnerabilities and risk have escalated to the point that the Biden administration recently established an executive order requiring software bills of materials (SBOMs). An SBOM is a written record of the “ingredients” comprising a software product — open source and proprietary code — provided to anyone building software, buying software, and operating software.
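One practical use of an SBOM is answering "do we ship this component, and where?" when a library such as Log4J makes the news. The following is an added example, not code from this article or any vendor; it assumes a CycloneDX-style JSON SBOM, and the sample document, product names and version floor are constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical product (not real data).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "billing-service", "version": "4.2.0",
         "components": [  # SBOM components can nest: a library bundled in an app
             {"type": "library", "name": "log4j-core", "version": "2.8.2"}]},
        {"type": "library", "name": "log4j-core", "version": "2.99.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0"},
    ],
})

# Hypothetical policy: component name -> lowest version you accept.
# "2.99.0" is a placeholder; take the real floor from the vendor advisory.
POLICY = {"log4j-core": "2.99.0"}


def version_key(version):
    """Make '2.8.2' or '2.0-beta9' comparable; a pre-release sorts before its release."""
    release, _, pre = version.partition("-")
    nums = tuple(int(p) for p in release.split(".") if p.isdigit())
    return nums + (0,) * (3 - len(nums)), pre == "", pre


def walk(components, path=()):
    """Yield every component with its nesting path, however deep it is bundled."""
    for comp in components or []:
        here = path + (comp.get("name", "?"),)
        yield comp, here
        yield from walk(comp.get("components"), here)


def find_below_floor(sbom_text, policy):
    """Return SBOM components whose version is missing or below the policy floor."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp, path in walk(sbom.get("components")):
        floor, version = policy.get(comp.get("name")), comp.get("version")
        if floor and (version is None or version_key(version) < version_key(floor)):
            findings.append({"path": " > ".join(path), "version": version, "floor": floor})
    return findings


if __name__ == "__main__":
    for finding in find_below_floor(SAMPLE_SBOM, POLICY):
        print(finding)
```

The nesting path in each finding shows which product bundles the outdated copy, which is the detail a flat dependency list hides.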
Develop a Vulnerability Management Strategy
The best strategy is to deploy vulnerability management tools as part of your cybersecurity to mitigate the potential for rising third-party risk. If you don’t stay on top of vulnerability management, it’s exponentially harder to protect your network.
Develop your vulnerability strategies alongside an asset management solution. Investigate and get to know what assets you’re protecting, especially in a remote working environment. These processes assist with implementing a patch or remediation because you know what you have to fix and when.
Many organizations without a security team lack the vulnerability management program to uncover and remediate security vulnerabilities that can wreak havoc throughout their network. Your plan should include vulnerability scanning and penetration testing, also known as ethical hacking. Both are necessary but different ways to expose network vulnerabilities that could possibly be exploited.
Vulnerability scanning is an automated process that leverages artificial intelligence, machine learning, contextual prioritization, and advanced logic to maximize reach through the network and regularly report on any issues requiring attention. The risk may arise from a workstation, server, software, firewall, apps, plug-ins, and even IoT devices. Vulnerability scanning checks for unpatched or out-of-date software, hardware malware on a company device, and even unauthorized plug-ins. The scanner automatically searches your network and systems for security vulnerabilities, then reports data to help you understand the risk and security gaps.
Ethical hacking, also known as penetration testing, is a manual process where a person outside your organization penetrates your network and uncovers security vulnerabilities. Ethical hacking simulates an attack and evaluates and tests your defenses to see if an ethical hacker can exploit the vulnerability. It provides documentation, reports, and the next steps for closing open threats. These processes expose various network weaknesses, so you can remediate quickly and prevent attacks from spreading.
Why You Need a Vulnerability Management Strategy
Many IT professionals don’t have an asset management solution in place – and it needs to be part of a comprehensive cybersecurity approach. The risk is that you can’t provide protection if you don’t know what’s riding on the network. Monthly vulnerability scanning can expose these risks and any add-on assets you may not be aware of.
Shadow IT refers to the devices, applications, and technologies used for business outside of your knowledge. Remote work challenges have increased the risk of Shadow IT causing data breaches or violations of compliance requirements and regulations.
When employees or others connect equipment to networks or activate cloud applications that the IT team or company doesn’t know about, you’ve moved into the realm of Shadow IT—and that makes your organization vulnerable.
Utilizing an Asset Management Solution and Patch Strategy
Incorporating asset management and patch solutions helps identify the assets that need to be protected, which is especially important in a remote environment. It also assists with implementing a patch strategy to uncover weaknesses and the latest risk. Remember that employees are your first line of defense: reiterate your policies and train personnel on what software and services they can and cannot use.
Third-Party Risk Assessments
As a vendor or supplier, remote work challenges are becoming a normal part of doing business. A risk assessment is a review of an organization’s policies, procedures, and functions. Many organizations require those they do business with to provide and conduct third-party risk assessments. While these assessments can focus on many types of risk, cybersecurity risk assessments specifically look at an organization’s risk of a data breach or cyberattack, taking a deep dive into what you’re doing to protect customer data.
Mitigate the Risks
Cyber risks now stretch across third-party and vendor supply chains, requiring a plan to manage these vulnerabilities.
You can mitigate risk and fix things faster when you know your vulnerabilities. Look for solutions that are automated and offer automatic discovery of assets. Engage with solutions that are easy to deploy and manage without heavy lifting and IT expertise.
Network vulnerability scanners should be flexible in application and capabilities, targeting external networks, internal networks, web applications, and other assets, especially those used in remote work.
Comprehensive cybersecurity is possible for every organization. No single solution provides 100% perfect security, but the right cybersecurity program can minimize third-party risk and supply chain vulnerability.