SPONSORED — Cyberattacks that disrupt enterprise and government organizations are common and increasingly successful. BlueVoyant surveyed 1,200 companies across industries, sizes, and countries to determine the current prevalence and impact of supply chain cyberattacks. We found that 98% said they had been negatively impacted by a cyber compromise of a vendor in the last year — and this had occurred more than once at a majority of companies.
Why is this happening?
In response to improved enterprise security standards and technologies at larger firms, threat actors have added tools and methods to their attack portfolios to infiltrate these well-defended targets through their supply chains —where the attacker is likely to find an easily compromised vendor.
BlueVoyant performs continuous external assessments of the Internet-facing cybersecurity posture for many companies across the world —at a similar scale to that of advanced nation-state and criminal groups. Unfortunately, on average, we find about 15% of the vendors in most supply chains show critical, Internet-facing vulnerabilities and make them easy targets for compromise.
How is this happening? Through two sources:
1. Newly discovered Vulnerabilities
Each month, the world becomes aware of new “zero-day” software vulnerabilities. Approximately once a month, one of these zero-day vulnerabilities presents a critical, high-value vulnerability to attackers. Technology vendors typically make software patches available to eliminate these vulnerabilities upon announcement of the zero day — or shortly thereafter. Some companies —those with effective cyber defenses — deploy these essential patches quickly, which protects them from all-too-easy serious cyber compromise. However, BlueVoyant’s experience has shown that without external assistance, only a small batch of companies (about 7%) deploy these patches within even 10 days of a new zero-day announcement to which they are vulnerable. Even a month after public announcement of the zero day, less than 20% of unassisted vendors will have deployed the critical patch.
2. Changes to the Network
Enterprise IT represents a complex, living organism that is under continuous change — vendors send patches and upgrades that are often automatically installed, components break and need replacement, business needs change, and the infrastructure is reconfigured to adapt, etc. All these changes induce the risk of misconfigurations that create risk. Everything was fine yesterday, but during the night a network engineer opened a port in your main firewall to troubleshoot a connectivity issue for 10 minutes — and forgot to close it when finished. Or, someone at a manufacturing facility put an OT network connection outside the firewall because that was easier than going through the company’s network security approval process – and connected it inside the firewall, too. Now, your entire network is exposed and no one knows.
What is the current state of supply chain cyber defense at most companies, and why is it not sufficient? Three reasons:
1. Most organizations require suppliers to fill out risk questionnaires that contain cyber sections. While a good practice, this generally only happens at a single point in time (often annually or less frequently) and tends to get answers reflecting the intended state of cyber defense — which often does not capture the actual state.
2. Many organizations perform on-site audits of some vendors. Again, a useful practice, but due to the cost, these audits are typically performed only on a subset of vendors and typically reflecting their status at a single point in time (again often annually or less frequently).
3. Some organizations add external cyber risk scoring of vendors (analogous to credit ratings for financial risk). Also a useful practice, but issues often arise in putting in place sufficient skilled staffing to follow up to curate the external scores for accuracy and prioritize vulnerability findings. They then follow up with the vendors to make sure they remediate in a timely manner.
What needs to be done to put effective supply chain cyber defense in place? We recommend both enterprise and government organizations follow a six-step program:
Step 1: Know Your Vendors — Both Existing and New
Step 2: Segment Your Vendors for Cybersecurity Risk
Step 3: Perform Traditional Cyber Assurance: Questionnaires and Audits
Step 4: Continuously Assess Vendor Cyber Risk Posture
Step 5: Ensure Remediation
Step 6: Curate Your Vendor Portfolio
Step 1: Know Your Vendors — Both Existing and New
Maintain a comprehensive and regularly updated inventory of the identity of your vendors, the type of business they are doing with you, any network connectivity and credentials planned/implemented, and the risk represented by disruptions in their delivery of goods/services to your firm. This is perhaps the most important step in the entire vendor management process from a risk perspective. It is stunning how few mature, process-driven organizations cannot identify even just their critical vendors.
Ensure you have language in your contracts to enable enforcement of reasonable cybersecurity measures, adherence to standards, incident notifications, and remediations. You need the options to penalize vendors who do not perform to your standards in this area.
Knowing your vendors also includes knowing who to call to get something fixed. Often, the point of contact you have for a vendor is a person identified by the purchasing organization. However, when a material insufficiency or a critical externally facing vulnerability is identified, the remediation responsibility will usually fall upon someone within the IT or CISO organizations. Maintaining current contact information for various team leads (networking, network security, SOC, executives, etc.) is essential to proactive supply chain cyber defense.
Put in place a system for onboarding new vendors that leverages the process identified in this article.
Step 2: Segment Your Vendors for Cybersecurity Risk
Risk tier your vendors based on the type and degree of business and cyber risk they pose to your enterprise or agency. Set appropriate cyber risk tolerances. For example, some vendors have network connectivity (a SaaS provider, perhaps), others have confidential data (a health insurance provider, perhaps), others are essential to your operations (warehouse inventory management software provider, perhaps), while others are not immediately critical to your operations (a catering company, perhaps).
Step 3: Perform Traditional Vendor Cyber Assurance: Questionnaires and Audits
As noted above, periodic questionnaire responses on vendor policies, processes, and technologies (and the scoring thereof) tend to tell you more about the intended state of cybersecurity than the actual ongoing risk of compromise. These responses have both compliance and cyber protection value. Yet the cyber protection value is substantially increased if you have the capability to independently validate a set of the questions and calculate a questionnaire reliability score.
Depending upon your resources, performing periodic on-site audits of the most critical vendors can supplement your overall cyber risk assessments. These audits should focus on verifying from within the network that policies and processes are implemented and consistently followed. The focus is not to scan the network for malware but to ensure that the scanning technology is in place, of sufficient quality, being monitored, and alerts are being followed up to conclusion.
Step 4: Continuously Assess Vendor Cyber Risk Posture
Continuous external monitoring shows the actual state of cyber risk as seen by attackers. Ongoing insights into the cyber-relevant decisions vendors make via changes in configurations, product selections, attack surface, and other IT cyber hygiene factors will either validate or belie the posture asserted in the responses to questionnaires. As noted above, one must keep abreast of the vendors’ constantly changing vulnerability landscape in which new critical software and configuration vulnerabilities regularly occur — and they will attract attackers unless remediated. Identifying the threat actors scanning and attacking your vendors’ externally visible infrastructure allows you to adjust your risk thresholds for vulnerability management. Finally, getting early tips on successful attacks on your vendors when that malware reaches back to attacker infrastructure allows you to proactively implement countermeasures or other compensating controls within your own network prior to acknowledgment by the vendor of the issue.
Step 5: Ensure Remediation
When a critical vulnerability or other serious deficiency is identified, rapid and certain follow-up is necessary with the vendor to ensure that they understand the issue and the proper remediation for it. Then, crucially, follow up to ensure prompt and complete remediation. Otherwise, the chances are all too high that the vulnerability will persist. In our experience with remediating such deficiencies for our clients, we find that vendors with a continuous external push for remediation get 370% more issues resolved after 30 days than those with no external pressure.
Step 6: Curate Your Vendor Portfolio
If you levy reasonable requirements and communicate identified issues professionally, most vendors will appreciate the assistance — you are helping them be more secure, after all — and will implement remediations in a timely manner. Unfortunately, some will not. Those vendors who repeatedly demonstrate important cyber deficiencies need to be told that they must take action to reach an acceptable level of cyber hygiene/defense in order to remain in your supply chain. This can be achieved relatively easily either with internal or external resources at the vendor (e.g., a Managed Detection and Response Service or an IT service provider). In the absence of demonstrated action and observable improvement, your organization will be involuntarily accepting the vendor’s cyber risk.
Interested in becoming a CIG Sponsor and sharing solutions? Drop us an email at info@thecipherbrief.com
Jim Rosenthal is a co-founder and CEO of BlueVoyant. He was the Chief Operating Officer of Morgan Stanley until 2017. At Morgan Stanley, he was responsible to the CEO and the Board of Directors for Cybersecurity. Jim is the recipient of the 2017 Critical Infrastructure Protection Award from the Financial Services Information Sharing and Analysis Center. He is the co-Chairman of Sheltered Harbor, a consortium of major banks, securities firms, industry associations, and technology service providers with the mission of preserving systemic confidence in the event of a cyberattack. He is the past Chairman of the Securities Industry and Financial Markets Association, and has chaired its Cybersecurity Committee from 2014–2017.
Comments