Is your Digital Supply Chain your weakest Link?

In the 1950s the Lyons restaurant chain in the UK built their own computer and wrote all the applications that they needed to manage and optimize their operations. This was called LEO (Lyons' Electronic Office). Today, this would be impractical, and all organizations now rely on IT software and services delivered from external suppliers. This creates a supply chain that is very attractive to cyber adversaries because of the leverage it provides: one compromised component is delivered to many potential victims.

How can you protect your organisation against these risks?

Supply Chain Threats

Supply chain integrity is a problem for all industries.  High value fashion brands suffer from fake products that eat into their profit and whose poor quality can cause support problems as well as brand damage. In the world of IT services, a compromised supply chain can have a catastrophic impact on your business.

Recent events such as the SolarWinds, Kaseya and Log4j compromises by malicious actors have demonstrated the need to focus on software supply chain security.  According to a report from ENISA, supply chain attacks are increasing, with 66% of attacks focusing on source code and 62% exploiting customer trust in suppliers. This is a risk that organizations can’t afford to ignore.

All organisations now depend upon vendor and partner-supplied products and services to function in today's interconnected world. This interdependence introduces the risk that an attack on a supplier can spread rapidly across all of that supplier's customers. This is a major challenge that CISOs must address.

IT Service Iceberg

The software that supports today's organizations is large and complex, comprising many interrelated software components that come from diverse sources. This makes sense because it is more efficient to reuse common, extensively used functions than to recreate them every time they are needed.


Some of these components may be developed internally, so there is an internal supply chain. Others may come from external sources such as software vendors, or be part of standard infrastructure like operating systems and libraries. An increasing challenge is the number of open-source components that are now widely incorporated in externally provided applications but are not visible to the customer. Any of these components may contain hidden vulnerabilities, and these pose a risk to your business.

Supply Chain Risk

At a business level there are three major risks from the technical vulnerabilities introduced in the supply chain:

  • Loss of business continuity – the increased dependency of organizations on software systems and applications means that any interruption to these systems can have a severe impact. There are many documented reports of the impact of ransomware attacks.
  • Loss of intellectual property and fraud – illegitimate access to organizational data can result in the loss of trade secrets and intellectual property, as well as providing the potential for financial fraud.
  • Compliance failure – most organizations must comply with regulations on how they use and protect the data they hold, especially in the areas of personal privacy and financial services. Since this data is mostly held in IT systems, compromising these systems can lead to compliance failure.

Supply Chain Cyber Security Management


Managing supply chain security is an essential element of the "Identify" and "Protect" phases in an organization's security processes. The intent of supply chain security management and assurance is to prevent vulnerabilities and cyber threats from being introduced into IT systems.

This makes it part of the vulnerability management processes that prevent vulnerabilities from entering IT systems and that detect and remove vulnerabilities before they can be exploited. Where software is externally supplied, it is also part of the procurement processes, which include vendor assurance.

Prepare, Prevent and Protect

The responsibilities for security are shared between your suppliers and your organization.

  • Make sure that you understand and document how these responsibilities are shared.
  • Ensure that you meet your responsibilities. Identify sensitivity and risk and use this to specify the appropriate security requirements. Use secure SDLC methodologies for software you develop. Catalogue all software components that your applications depend upon. Implement secure configurations and manage other technical vulnerabilities.
  • Assure that your suppliers meet theirs. Audit vendor claims, require independent certification, identify supplier dependencies and clarify contractual clauses.
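The component catalogue recommended above is only useful if it can be checked against advisories quickly when the next Log4j-style event happens. The following is an added illustration (not code from the original post or from KuppingerCole) that reads a CycloneDX-style SBOM, builds the inventory, and flags components whose version falls inside an affected range; the SBOM contents, the advisory entry and its version range are constructed sample data, and the advisory id is a placeholder.

```python
"""Inventory the components declared in a CycloneDX-style SBOM and flag
those that fall into a known-affected version range.

The SBOM and the advisory list are constructed sample data for this example."""
import json

# Constructed CycloneDX-style SBOM for a hypothetical application.
# Only the fields this example uses are included.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
    {"type": "library", "group": "example.internal", "name": "internal-auth-lib", "version": "1.4.2"}
  ]
}
"""

# Constructed advisory entries: (group, name, first affected, first fixed, id).
# Real advisories carry CVE ids; the id and range here are illustrative placeholders.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.17.1", "PLACEHOLDER-ADVISORY-1"),
]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def inventory(sbom_json):
    """Return (group, name, version) for every component declared in the SBOM."""
    bom = json.loads(sbom_json)
    return [(c.get("group", ""), c["name"], c["version"]) for c in bom.get("components", [])]

def affected(components, advisories):
    """Return (group, name, version, advisory id) for components in [first_affected, first_fixed)."""
    hits = []
    for group, name, version in components:
        v = parse_version(version)
        for a_group, a_name, lo, hi, adv_id in advisories:
            if (group, name) == (a_group, a_name) and parse_version(lo) <= v < parse_version(hi):
                hits.append((group, name, version, adv_id))
    return hits

if __name__ == "__main__":
    for hit in affected(inventory(SBOM_JSON), ADVISORIES):
        print("AFFECTED:", hit)
```

The same SBOM shows why the catalogue must be complete: the second log4j-core entry is already at the fixed version, so only the older copy is reported, which is exactly the kind of duplicated, transitively pulled-in component that stays invisible without an inventory.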


Conclusion

The digital supply chain means that the security failures of your vendors impact your organisation's security. Today's services depend upon a complex stack of interdependent components, many of which are invisible to the end customer. Vulnerabilities in any of these components have the potential to impact your business continuity and compliance.

Organizations need to prepare for attacks on their digital supply chain. They should take steps to prevent these attacks through their processes for the acquisition of digital assets, and to protect against them through technical vulnerability management.

For more details on this and other subjects attend EIC 2022.

Poll Questions

1. Do you have processes in place for the following? (Select all that apply)

a. Defining the risk criteria for different types of suppliers.
b. Understanding critical software dependencies and single point of failure.
c. Monitoring supply chain risks and threats.
d. Managing suppliers over the whole lifecycle of a product or service.

2. What capabilities do you already have in place? (Select all that apply)

a. Proactive technology refresh processes.
b. A well-integrated technology stack.
c. A timely incident response process.
d. Prompt disaster recovery process.
e. Accurate technology threat detection.

3. Do you have established channels for the following? (Select all that apply)

a. Internal IT security communications around software dependencies.
b. External communications with suppliers around software risks.
c. SOC to SOC communications with critical software suppliers.