To prevent the next big supply chain hack, third-party risk managers must learn more about the application security programs of their vendors and of their own enterprises.
If you’re following the SolarWinds saga, and who in risk management and security isn’t, you’ve certainly heard the term “supply chain hack” or “supply chain attack.” Although it can also refer to attempts to disrupt physical systems of supply, in the SolarWinds case, a supply chain hack is a cyber-attack that targets vulnerabilities in the information systems supply chain of an organization.
Security experts have for years warned of supply chain hacks. The most sophisticated of these attacks require patience and extraordinary skill, and so are typically perpetrated by advanced persistent threat actors (APTs), i.e., nation states. The SolarWinds attack has been attributed to Cozy Bear, a cyber unit of the Russian security service, SVR.
The SolarWinds difference
If these threats have been known for years, what makes SolarWinds so different? First of all is the sheer scale of the attack — the number of targeted organizations is astounding. In the case of SolarWinds, the attack targeted multiple organizations in government and the private sector and affected as many as 18,000 organizations worldwide. Governmental and military organizations in the U.S. and other countries appear to be primary targets. Life sciences firms working on Covid-19 vaccines also appear to have been targeted.
Second, the attack was at the heart of IT infrastructure, the SolarWinds Orion software which manages and monitors organizations’ networks and applications. From there, attackers were able to branch out and create other means of access to business systems and perhaps even to operational systems. There is evidence that many unclassified governmental email systems were compromised, enabling the attackers to monitor the thinking of senior policy makers.
Third, the failure of application security hygiene at SolarWinds left the door open to the very platform that the company uses to develop updates to its Orion software. This enabled attackers to create trojanized Orion updates which in turn SolarWinds distributed to its customers.
Application security hygiene
While it is very difficult to detect supply chain hacks, not looking for them is not a solution. Furthermore, most enterprises do not have an integrated application security program that cuts across third-party, custom, legacy, mobile, customer-facing, and other applications.
Application security is already a low priority in most enterprises, and inside development teams it gets worse. It is not uncommon for developers and software engineers to use simple passwords, or even a single password shared across the team. Developers habitually focus on the reliability and performance of an application, with security, at best, a third priority. In many development teams, coordination with IT security professionals is not robust.
At the customer end of the supply chain, the key metric is time to patch. Having a robust patch management system is a valid security measure, since many patches include fixes for known vulnerabilities. However, SolarWinds is not the first supply chain hack to take advantage of software updates (NotPetya and FLAME are earlier examples), and in supply chain attacks, focusing on time to patch plays to the benefit of the attackers.
There is another side, though, to patch management and other information systems and applications management hygiene: should your enterprise be compromised by a supply chain attack, keeping your systems and applications up to date makes it harder for threat actors to gain access to information or to compromise other systems.
Next steps for third-party risk managers
It is up to third-party risk managers to take steps to mitigate the risk of supply chain attacks. After the SolarWinds attack, they should find their IT security colleagues more than willing to collaborate. However, keep in mind that security professionals will also be trying to address the vulnerabilities in your own enterprise. They will be looking for new techniques and security solutions to detect highly adept APT hackers that can lie in wait for months before acting. Traditional tools like data leakage protection and network security monitoring are not as effective against APTs that have patience and can cover their tracks.
For third-party risk managers there are three priorities:
Review your assessment methodologies for third-party application security programs. Application security hygiene is essential.
Prioritize third-party applications. Applying the same level of scrutiny to all third-party applications is a waste of time and dilutes the effort that should be placed on the most critical applications. Overall, APTs and other less sophisticated supply chain attack actors are seeking access to valuable information. APTs are interested in three things: intellectual property and national secrets, the ability to disrupt critical infrastructure, and the decision making of senior leaders.
Work with your own security team. Ensure that third-party applications are included in a robust integrated application security program at your own enterprise.
French Caldwell
Member of the Analyst Syndicate and Leading strategist and thought leader in RegTech
French Caldwell is the leading strategist and thought leader in RegTech, including IRM, GRC and ESG, privacy, cybersecurity, social and digital risks and regulation, and the impact of disruptive technologies on policy and strategy. He is a former Gartner Fellow, and following Gartner he became the global head of marketing at a Silicon Valley firm that delivers regtech solutions for governance, risk and compliance analytics and reporting. Skilled at the alignment of strategy, communications, technology, processes, analysis, policy and people to improve business and mission outcomes. Experienced at advising senior executives and corporate directors on disruptive technology, strategic risk management, cybersecurity, and public policy issues.