Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/27/2017
11:00 AM
Dan Dahlberg
Dan Dahlberg
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Steps to Reduce Risk in Your Supply Chain

Many companies have very limited visibility into their vendors' security posture -- and some may have thousands of vendors. Here are steps that every company should take to lock down their supply chains.

In June, the compromise of an update server for a Ukrainian accounting software platform MeDoc led to the widespread distribution of NotPetya ransomware. A dozen known corporate victims suffered damages already exceeding $500 million.

Around the same time, attackers had infiltrated the network of Piriform, the maker of the popular system-maintenance program CCleaner, infecting two versions of the program that were distributed to more than 2.3 million systems over the month that the attack remained undetected. Files recovered from the command-and-control server showed that the malware infected some 700,000 systems in the final four-day window of the program's spread. (The attackers appear to have regularly deleted all logs, hiding whatever actions they took the other 26 unmonitored days.) The attackers also attempted to specifically target at least 20 companies with additional malware, including major networking hardware and office-electronics providers, such as Cisco, D-Link, Epson, HTC Group, Intel, Linksys, Samsung, Sony, and VMware.

If companies were not watching their software supply chain before the summer, these two events should push them to do so now. Although many companies have focused on shoring up their own security, they have very limited visibility — if any — into their vendors' security posture. Many companies can have hundreds or even thousands of vendors. In many cases, information security teams do not know who those vendors are. Here are three steps that every company should take to lock down their supply chains.

1. Know your business and software vendors. Ever since 9/11, banks have been required to "know their customers." Today, companies should take that advice to heart as well. Over the past several years, more attention has been directed to those vendors for which a company conducts business. These recent attacks have shown that this also applies to all direct and indirect dependencies on their entire operations. While accounting or another part of the organization likely has knowledge of these vendors, security teams might not be appropriately informed.

2. Measure security and determine metrics. As early as possible, security teams need to determine how they are going to measure security. However, there generally is a lack of metrics to determine a company's security posture. In the past, most companies have relied on a vendor's management certifying that they are following a list of best practices.

A variety of metrics and best practice documents are available today, from the Building Security in Maturity Model and its open-source cousin the Open Group Service Integration Maturity Model to the National Institute of Standards and Technology Cyber Security Framework. In addition, the ability to gauge security from external indicators has led to a rapidly evolving rating ecosystem.

While the security team is adopting a process to measure the security of vendors, it should also consider what its own requirements will be. These requirements will vary, depending on the level of access that the vendors — or their products — will have to the company's network.

3. Be proactive with vendors. Finally, companies need to be proactive and bring up the topic of security with vendors regularly. Many companies make sure that they have different policies and technologies in place, but unless they regularly address those issues with their vendors to ensure they are complying, it is more likely that issues will arise.

Larger companies have the benefit of having deeper security expertise, with which they can monitor their vendors. But increasingly, security requirements will flow downstream, and unless smaller contractors can meet requirements, they may lose business.

As attackers focus on vendors as a way to gain entry into their customers' systems, the security of the supply chain will become even more important. Companies need to address these issues today, before the next attack.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

As a Research Scientist at BitSight, Dan Dahlberg is responsible for researching the latest vulnerabilities and threats to understand at a technical and practical level how they affect the risk profile of organizations. He is also responsible for discovering new sources of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RussD653
50%
50%
RussD653,
User Rank: Strategist
11/2/2017 | 10:10:59 AM
Third party rating services
Working for a world wide manufacturing company we do not have the resources to monitor all our vendors which number in the thousands. so we employ a third party rating service which is a valualble solution. 

Although BitsightTech are not perfect, we leverage them to do a lot of the leg work which we do not have the band width to tackle.

 

 
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.