Framing the Chaos: Digital Supply Chain Risks and Resiliency
August 23rd, 2021
Kaseya REvil Ransomware Attack
Digital supply chains are one of the biggest targets for cybercriminals, and many companies are not aware of vulnerabilities within their own systems and within the systems of their software vendors. On July 2, 2021, Kaseya, a provider of IT management and remote monitoring software, informed its customers that its VSA product had been compromised with malicious code delivered through its update mechanism. VSA is a remote management and monitoring tool for networks and is used by enterprise companies and managed service providers (MSPs). Kaseya told customers to shut down VSA so that attackers could not gain further remote access to assets. Kaseya also shut down the cloud version of VSA and all of its SaaS servers as a precaution.
At first, it was believed that only 50 companies using VSA were hit by the attack; however, the actual number rose to about 1,500 companies that were likely exposed to downstream impacts of the ransomware. The difference arises because many of Kaseya’s customers are MSPs, so their own customer bases were also affected. Anyone who relies on the remote monitoring service can be affected by an attack on it.
The REvil ransomware gang responsible for the attack initially demanded a $70 million ransom payment to release the decryptor necessary to unlock systems. By July 23rd, Kaseya had obtained a universal decryptor tool and was working with customers to restore files.
Digital Supply Chains are Vulnerable
Supply chain risks are not new, but many companies that do not have a physical supply chain (they are not shipping anything, do not require off-site facilities, etc.) assume that they are immune to supply chain risks. In our interconnected world, this is not the case. If you use software programs and/or have vendors, you have a supply chain: a digital supply chain.
As seen with the Kaseya ransomware attack, most of these attacks are premeditated (as was also the case with the SolarWinds incident) and executed when security teams may not be working at full capacity, such as during holidays. Software updates are particularly vulnerable and create a chain of events that spreads malicious code along to customers, and then on to their customers. Because software products depend on hundreds, if not thousands, of components (including open-source components) produced by vendors, these risks can multiply quickly.
Considering the number of vendors that most companies rely on, these vulnerabilities can seem, frankly, chaotic. To help provide insight into the severity of these threats, the electronic automation company Synopsys conducted an audit in 2020 of risks around open-source components and found:
99% of codebases contain at least one open-source component
Open source makes up 70% of the overall code
Concerningly, 91% of codebases are more than four years out of date
75% of codebases that were audited contained open-source components that housed high-risk vulnerabilities, a significant increase from audits conducted a year prior
In addition to open-source components, digital supply chains can also mean utilizing machine learning and AI, replacing manual processes with digital ones, or managing more and more digital data. This is not to say that this is a bad thing; supply chain technologies usually have a payback period of fewer than two years. Yet, as the digital landscape expands and companies use more and more technology providers, the attack surface broadens and vulnerabilities will only increase.
This expansion, and attacks such as the one at SolarWinds, have shown us that we must monitor not just the activities of our third parties, but those of their third parties as well. Viewing third-party vendors as a digital supply chain helps companies decide whether the vendors they are looking to contract with are secure, and it also helps technology companies improve their own cyber resiliency.
Transparency into Digital Supply Chains Is Key
The vulnerabilities that digital supply chains can present have not gone under the radar. The Biden Administration’s Executive Order requires that technology vendors who work with the federal government release a software bill of materials (SBOM), which documents all of the components and materials included in a software product’s codebase.
Regulators are also paying more attention to the activities of third parties, and companies can be held responsible for cybersecurity incidents within their third parties. In anticipation of this increased focus, the National Institute of Standards and Technology (NIST) has published “Key Practices in Cyber Supply Chain Risk Management” which provides recommendations to help organizations ensure resilience by building robust cyber supply chain risk management (C-SCRM).
NIST’s guidance focuses heavily on transparency and collaboration between procurers and vendors. Key points outlined in the report include:
Integrate C-SCRM across the organization
Establish a formal C-SCRM program
Know and manage critical suppliers
Understand the organization’s supply chain
Closely collaborate with key suppliers
Include key suppliers in resilience and improvement activities
Assess and monitor throughout the supplier relationship
Plan for the full life cycle
How to Build Digital Supply Chain Resilience
In addition to guidance provided in the NIST publication, companies can also implement third-party risk management (TPRM) best practices to help boost cyber supply chain resilience:
Know Your Vendor Landscape
The first step towards building cyber supply chain resilience is to know who your vendors are, and who their vendors are. This can seem like common sense, but many companies do not have a full understanding of each component within their digital supply chain. Take time to determine what each of your vendors do, how dependent you are on them, how they affect your day-to-day operations, and the inherent risks each brings to your own cybersecurity. Expand this to analyze the vendors your direct third parties use, as well, as they can affect your operations through their downstream activities.
Prioritize Which Vulnerabilities Are at Highest Risk
A major component of building supply chain security and resiliency is ensuring that businesses prioritize patching vulnerabilities rather than just identifying bugs. Businesses that do not apply available patches are exposed, because attackers routinely reverse-engineer patches to discover the vulnerabilities they fix in products or systems.
This task can be daunting, however, especially if manual processes are heavily relied upon. Online code repositories and other automation tools can be used to identify and correct simple vulnerabilities, leaving IT teams more time to focus on complex and high-risk vulnerabilities.
Not all vulnerabilities are attractive to cybercriminals, and it is impossible to fix every single one. By knowing all of your vendors, third parties, and nth parties, you can use metrics to determine which vulnerabilities need immediate triage and how likely exploitation is.
And don’t forget that third-party software products can be extremely beneficial as well. TPRM automation tools let you view all of your third parties in easy-to-navigate dashboards, so you don’t have to dig through data to determine where to focus your efforts.
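As an added illustration of the inventory-and-prioritize steps described above (not code from the article or from any vendor’s product), the following Python script walks a constructed vendor graph to find which nth-party suppliers your critical vendors depend on, then ranks constructed findings by a simple risk score. All vendor names, weights, and finding ids are placeholders.

```python
from collections import deque

# Constructed example data (not from the article): direct vendors with a
# business-criticality weight (0..1), and each vendor's own upstream suppliers,
# i.e. the "nth parties" the article says must be inventoried as well.
DIRECT_VENDORS = {"rmm-tool": 1.0, "crm-saas": 0.6, "mar-tech": 0.3}
UPSTREAM = {
    "rmm-tool": ["update-cdn", "oss-lib-x"],
    "crm-saas": ["oss-lib-x", "cloud-host"],
    "mar-tech": ["cloud-host"],
    "update-cdn": ["cloud-host"],
}

# Constructed findings; ids are placeholders, not real advisories.
# severity is on a CVSS-like 0..10 scale, exploit_prob an estimated likelihood.
FINDINGS = [
    {"id": "VULN-001", "vendor": "oss-lib-x", "severity": 9.8, "exploit_prob": 0.9, "patch": True},
    {"id": "VULN-002", "vendor": "cloud-host", "severity": 5.3, "exploit_prob": 0.2, "patch": False},
    {"id": "VULN-003", "vendor": "mar-tech", "severity": 7.5, "exploit_prob": 0.4, "patch": True},
    {"id": "VULN-004", "vendor": "update-cdn", "severity": 8.1, "exploit_prob": 0.6, "patch": False},
]

def exposure(direct_vendors=DIRECT_VENDORS, upstream=UPSTREAM):
    """Map every supplier (direct or nth-party) to the highest criticality
    among the direct vendors that transitively depend on it."""
    crit = {}
    for vendor, weight in direct_vendors.items():
        seen, queue = {vendor}, deque([vendor])
        while queue:                       # breadth-first walk of the supplier graph
            node = queue.popleft()
            crit[node] = max(crit.get(node, 0.0), weight)
            for dep in upstream.get(node, []):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(dep)
    return crit

def prioritize(findings=FINDINGS, direct_vendors=DIRECT_VENDORS, upstream=UPSTREAM):
    """Score = severity/10 * exploit probability * exposure weight. A finding
    that already has a public patch is weighted up, because attackers
    reverse-engineer patches, so unapplied ones become more urgent."""
    crit = exposure(direct_vendors, upstream)
    scored = []
    for f in findings:
        weight = crit.get(f["vendor"], 0.0)  # 0 if nothing of ours depends on it
        score = (f["severity"] / 10) * f["exploit_prob"] * weight
        if f["patch"]:
            score *= 1.5
        scored.append((score, f["id"], f["vendor"]))
    return sorted(scored, reverse=True)    # highest priority first

if __name__ == "__main__":
    for score, vid, vendor in prioritize():
        print(f"{score:.3f}  {vid}  via {vendor}")
```

Note that the nth-party finding in the update CDN outranks the direct mar-tech vendor’s own finding, because the CDN sits beneath the most critical direct vendor.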
Use Multi-Factor Authentication and Zero-Trust Architecture
There are relatively simple, yet very important practices companies can put into place quickly to increase their security. Implementing multi-factor authentication and zero-trust architecture (where the system has “zero trust” that you are the approved user and requires additional challenges to log into networks) creates more checkpoints against hackers. Embracing these practices is critical to strengthening your software and supply chain security, though it does require collaboration with IT teams to manage these controls.
Update Internal Stakeholders About All Third-Party Purchases
Another important aspect to consider when building TPRM and supply chain resilience is how we purchase third-party applications and solutions. In many cases, small teams such as marketing departments evaluate programs and tools that could complement their mar-tech stack. Sometimes, when the cost is relatively low and/or already built into a departmental budget, procurement and IT teams are neither informed of nor responsible for the purchase, and it is put on the department’s credit card.
The problem with this is that no IT due diligence is conducted when the appropriate internal stakeholders aren’t told about purchases. While these applications may not affect the operations of the whole organization, they still present vulnerabilities and have downstream implications if due diligence is not conducted. Performing an internal audit of any vendor purchases that may have slipped through the gaps is a good practice for building organizational resiliency.
Collaborate With Vendors on Digital Supply Chain Resiliency
As important as it is to boost your own cyber and supply chain resiliency, it can be moot if the vendors you’re dependent on are not making efforts on their side.
As a customer, your procurement teams should collaborate with vendors to implement technologies such as hot patching, which allows organizations to apply patches without restarting the software. This means companies do not have to choose between applying critical security fixes and staying online. Collaborating on other security protocols and procedures only helps to boost mutual resiliency.