In the 1950s the Lyons restaurant chain in the UK built its own computer and wrote all the applications it needed to manage and optimize its operations. This was called LEO – Lyons’ Electronic Office. Today this would be impractical, and all organizations now rely on IT software and services delivered by external suppliers. This creates a supply chain that is very attractive to cyber adversaries because of the leverage it provides: one compromised component is delivered to many potential victims.
How can you protect your organisation against these risks?
Supply chain integrity is a problem for all industries. High value fashion brands suffer from fake products that eat into their profit and whose poor quality can cause support problems as well as brand damage. In the world of IT services, a compromised supply chain can have a catastrophic impact on your business.
Recent events such as the SolarWinds, Kaseya and Log4j compromises by malicious actors have demonstrated the need to focus on software supply chain security. According to a report from ENISA, supply chain attacks are increasing, with 66% of attacks focusing on source code and 62% exploiting customer trust in suppliers. This is a risk that organizations can’t afford to ignore.
All organisations now depend upon vendor- and partner-supplied products and services to function in today’s interconnected world. This interdependence introduces a new risk: an attack on a supplier can spread rapidly to all of that supplier’s customers. This is a major challenge that CISOs must address.
The software that supports today’s organizations is large and complex comprising many interrelated software components that come from diverse sources. This makes sense because it is more efficient to reuse rather than to recreate common, extensively used functions every time they are needed.
IT Service Iceberg
Some of these components may be developed internally – so there is an internal supply chain. Others come from external sources such as software vendors, or are part of the standard infrastructure, like operating systems and libraries. An increasing challenge is the number of open-source components that are now widely incorporated in externally provided applications without being visible to the customer. Any of these components may contain hidden vulnerabilities, and these pose a risk to your business.
At a business level there are three major risks from the technical vulnerabilities introduced in the supply chain:
Business Risks from the Supply Chain
Managing supply chain security is an essential element of the “Identify” and “Protect” functions (in NIST Cybersecurity Framework terms) of an organization’s security processes. The intent of supply chain security management and assurance is to prevent vulnerabilities and cyber threats from being introduced into IT systems.
This makes it part of the vulnerability management process: preventing vulnerabilities from entering IT systems, and detecting and removing those that do get in before they can be exploited. Where software is externally supplied it is also part of the procurement process, which includes vendor assurance.
The responsibilities for security are shared between your suppliers and your organization.
Prepare, Prevent and Protect
The digital supply chain means that the security failures of your vendors become your organisation’s security failures. Today’s services depend upon a complex stack of interdependent components, many of which are invisible to the end customer. A vulnerability in any of these components has the potential to affect your business continuity and compliance.
Organizations need to prepare for attacks on their digital supply chain, to prevent these attacks through their processes for acquiring digital assets, and to protect against them through technical vulnerability management.
For more details on this and other subjects attend EIC 2022.
1. Do you have processes in place for the following? (Select all that apply)
a. Defining the risk criteria for different types of suppliers.
b. Understanding critical software dependencies and single points of failure.
c. Monitoring supply chain risks and threats.
d. Managing suppliers over the whole lifecycle of a product or service.
2. What capabilities do you already have in place? (Select all that apply)
a. Proactive technology refresh processes.
b. A well-integrated technology stack.
c. A timely incident response process.
d. Prompt disaster recovery process.
e. Accurate technology threat detection.
3. Do you have established channels for the following? (Select all that apply)
a. Internal IT security communications around software dependencies.
b. External communications with suppliers around software risks.
c. SOC to SOC communications with critical software suppliers.