Supply chain risks are not new, but many companies without a physical supply chain (not shipping anything, not requiring off-site facilities, etc.) assume they are immune to supply chain risks.
However, in our interconnected world, if you use software programs or have vendors, you have a digital supply chain. And if you have a digital supply chain, you need a digital supply chain strategy.
As we’ll see with the Kaseya ransomware attack, most attacks are premeditated (also seen with the SolarWinds incident) and executed when security teams may not be at full capacity, such as during holidays. Software updates are particularly vulnerable and create a chain of events that spreads malicious codes to customers and then on to their customers.
As software products depend on hundreds, if not thousands, of components (including open-source components) produced by vendors, these risks multiply quickly.
Digital supply chains are one of cybercriminals’ biggest targets, but many companies are unaware of vulnerabilities within their systems and vendors’ systems.
On July 2, 2021, Kaseya – an IT management and remote monitoring solution – informed its customers of a compromise in their VSA product after malicious code entered through its update mechanism.
Enterprise companies and managed service providers (MSPs) use the VSA product as a remote network management and monitoring tool. Kaseya told customers to shut down the VSA so that attackers could not gain further remote access to assets. Kaseya also urged customers to shut down the cloud version of the VSA and all SaaS servers out of precaution.
At first, it was believed attackers targeted only 50 companies using VSA. The actual number rose to about 1,500 companies that were likely exposed to downstream impacts of the ransomware attack. The reason for this difference is that the effects ripple out to the customer bases of customer MSPs. The attack can also affect customers relying on the remote monitoring service.
The REvil ransomware gang responsible for the attack initially demanded $70 million in ransom to release the decryptor necessary to unlock systems.
By July 23, Kaseya received a universal decryptor tool and was working with customers to restore files.
Considering the number of vendors most companies rely on, these vulnerabilities can seem chaotic.
To help provide insight into the severity of these threats, the electronic automation company Synopsys conducted an audit in 2020 on risks around open-source components and found:
In addition to open-source components, digital supply chains can also mean utilizing machine learning and AI, replacing manual processes with digital ones, or managing more and more digital data.
This is not to say this is bad; supply chain technologies usually have a payback of fewer than two years. Yet, as the digital landscape expands and companies use more and more technology providers, the area of attack broadens, and vulnerabilities will only increase.
This expansion and attacks, such as the one at SolarWinds, have shown us we must monitor the activities of our third parties and their third parties. Viewing third-party vendors as a digital supply chain can help companies decide if the vendors they want to contract with are secure. It can also help technology companies improve their own cyber resiliency.
The vulnerabilities digital supply chains can present have not gone under the radar. The Biden Administration’s Executive Order requires technology vendors who work with the federal government to release a software bill of materials (SBOMs), which documents all components and materials included in software products’ codebases.
Regulators are also paying more attention to the activities of third parties, and regulators may hold companies responsible for cybersecurity incidents within their third parties.
In anticipation of this increased focus, the National Institute of Standards and Technology (NIST) published “Key Practices in Cyber Supply Chain Risk Management,” which provides recommendations to help organizations ensure resilience.
The NIST’s guidance focuses heavily on transparency and collaboration between procurers and vendors. Key points outlined in their report include:
In addition to the guidance provided in the NIST publication, companies can implement third-party risk management (TPRM) best practices to help boost cyber supply chain resilience.
The first step toward building cyber supply chain resilience is to know who your vendors are and who their vendors are. This can seem like common sense, but many companies do not fully understand each component within their digital supply chain.
Take time to determine what each of your vendors do, how dependent you are on them, how they affect your day-to-day operations, and the inherent risks each brings to your cybersecurity. Analyze the vendors your direct third parties use, as well, as they can affect your operations through their downstream activities.
A significant component of building supply chain security and resiliency is ensuring businesses prioritize patching up vulnerabilities rather than just identifying bugs. Businesses that do not fix vulnerabilities where patches are present are at risk of cybercriminals, as many can reverse-engineer patches to discover vulnerabilities in products or systems.
This task can be daunting, especially if manual processes are heavily relied upon. You can use online code repositories and other automation tools to identify and correct simple vulnerabilities, leaving IT teams more time to focus on complex and high-risk vulnerabilities.
Not all vulnerabilities are high risk to cybercriminals, and it is impossible to fix every single one. By knowing all of your vendors, third parties, and n-th parties, you can utilize metrics to determine which vulnerabilities need immediate triaging and what the probabilities of exploitation are.
Don’t forget that third-party software products can also be highly beneficial. TPRM automation tools allow you to view all your third parties in easy-to-navigate dashboards, so you don’t have to dig through data to determine where to focus your efforts.
There are relatively simple yet essential practices companies can implement to increase their security. Multi-factor authentication and zero-trust architecture (where the system has “zero trust” that you are the approved user and requires additional challenges to log into networks) create more checkpoints against hackers. Embracing these practices is critical to strengthening your software and supply chain security, though it requires collaboration with IT teams to manage controls.
Another important aspect of building TPRM and supply chain resilience is how we purchase third-party applications and solutions. Small teams, such as marketing departments, often analyze programs and tools that could complement their mar-tech stack.
Sometimes, when the cost is low or already built into a departmental budget, procurement or IT teams are not informed of or responsible for handling the purchases. Teams put them on the department’s credit card.
The problem is departments do not conduct IT due diligence when they do not update appropriate internal stakeholders about purchases. While these applications may not affect the operations of the whole organization, they still present vulnerabilities and have downstream implications without due diligence.
Performing an internal audit of any vendor purchases that may have slipped through the gaps is a good practice for building organizational resiliency.
As important as it is to boost your own cyber and supply chain resiliency, it can be moot if the vendors you’re dependent on are not making efforts on their side.
As a customer, your procurement teams should collaborate with vendors to implement technologies such as hot patching, which allows organizations to enable patching without having to reboot the software. This means companies do not have to choose between implementing critical cybersecurity and staying online. Collaborating on other security protocols and procedures helps boost mutual resiliency.
Learn more about Aravo’s Supply Chain Resilience capabilities and how our solutions help companies prepare for the future.
Share with Your Friends:
