In our previous article, we took a deep dive into 2020’s notorious supply chain attack on SolarWinds. In light of the even more recent attack on Ubiquiti Networks, which led to a large and still-growing breach of user credentials and personal information in January 2021, we’re going to explore how you can improve your supply chain cybersecurity to protect your organization from similar supply chain attacks.
Who is at risk of a supply chain attack?
Supply chain attacks have been on the rise for a number of years now, with Sonatype stating in its 2020 State of the Software Supply Chain report that next-gen supply chain attacks surged by 430% from 2019. With the ongoing pandemic fragmenting supply chains and pushing businesses toward remote work, opportunities for hackers are only growing.
Organizations of any size that utilize third-party vendors, such as software providers, could be vulnerable to a supply chain attack. In fact, small players in the supply chain are often targeted as gateways to larger organizations due to their less robust cybersecurity.
The higher the number of third-party software suppliers your business relies on, the higher your risk for this type of attack — especially if you have not vetted them properly. To improve your organization’s cybersecurity, you must first identify your areas of weakness.
How to assess your supply chain cybersecurity
It is essential to continuously review your cybersecurity measures to expose potential supply chain risk factors. Here are some tips on vendor risk management:
- Map your assets. Analyze all of your network’s assets and systems. Create a software inventory, map each asset’s pathway into your organization, and search for gaps in your firewall coverage, security protocols, and update settings.
- Create a threat model. Categorize each of your vendors according to their access level and the type of threat they could be vulnerable to — amateur hackers, insiders, ransomware, hacktivists, nation-state attackers — and prioritize your attack detection system accordingly.
- Calculate risk. If any of your software providers suffered attacks in the past, assess what happened and what has been done to prevent repeat occurrences. This will help you to identify which vendors pose the greatest risk and where there is room for improvement.
- Utilize a sandbox system. Rather than updating your software and hoping for the best, you should use sandbox software to isolate and test the changes before they are unleashed into your network at large.
- Carry out malware analysis. Malware analysis can help detect abnormalities in new or suspicious files. This process ranges in sophistication from using simple, fully automated tools to enlisting an analyst to examine the file’s properties, interact with it, or even reverse-engineer its code.
How to review your third-party vendors
After establishing which of your existing third-party providers pose the greatest security risk to your organization, you can develop a strategy for supply chain risk management. Take a critical look at your highest-risk suppliers, and work with them to establish trust.
You can do this by demanding evidence of their physical security and cybersecurity best practices. This might include requiring certifications such as NIST 800 or ISO 27001. Ask about their hiring and vetting protocols, to assess the risk of bad actors infiltrating their organization, and assess their methods for vetting their own third-party vendors. You might also want to adjust their contracts to include cybersecurity controls.
For a more proactive approach, you can scan the dark web for breached credentials, account numbers, and data relating to your suppliers. Zeta Sky offers a free, no-obligation, dark web scan. Get in touch with our team to schedule yours today.
Red flags to watch out for in your supply chain
When vetting the cybersecurity of your vendors, there are a few things that should raise alarm. These include:
- Past breaches: If during your research you discover that your vendor has experienced a security breach in the past, you should examine the cause and severity of the incident. If they have not taken appropriate measures to avoid future breaches, then they could be putting your organization at risk.
- An absence of cybersecurity policies: Every business, no matter its size, should have clear cybersecurity protocols and policies. These should include rules on password strength and MFA, data retention and destruction, data encryption, data and account access, network security, vendor cybersecurity, confidentiality, hiring and background checks, employee security training, and security breach detection and response.
- Inadequate protective measures: Unpatched software, unsecured Wi-Fi, or a lack of protections such as firewalls, antivirus, and threat intelligence all leave your vendors — and therefore you — vulnerable.
- A lack of testing: To avoid a breach, vendors must regularly test their own defenses for potential weaknesses. Methods should include vulnerability analysis to detect loopholes; penetration testing, or ethical hacking, to test solutions to those loopholes; and social engineering testing to ascertain whether employee training has been effective.
If you come across any of these issues when assessing your suppliers, it is essential to address them immediately to minimize your vulnerability to a supply chain attack.
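The threat-model and risk-calculation steps above, together with this list of red flags, amount to a scoring rubric. As an added illustration that is not part of the original article, the following Python turns that rubric into a small vendor risk register: each red flag adds points, and the vendor's access level from your threat model multiplies the total so that the most exposed relationships rise to the top of the review queue. The weights, field names and the sample vendors are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Access level from your threat model multiplies every red flag, so a breached
# vendor with admin access outranks the same vendor with read-only access.
ACCESS_WEIGHT = {"none": 0, "read-only": 1, "read-write": 2, "admin": 3}

@dataclass
class Vendor:
    name: str
    access: str
    past_breaches: int = 0           # incidents found during your research
    remediated: bool = True          # measures taken after those incidents?
    has_security_policy: bool = True
    patched: bool = True             # no unpatched software, unsecured Wi-Fi, etc.
    tests_defenses: bool = True      # vuln analysis, pentests, social-engineering tests
    certifications: frozenset = frozenset()  # e.g. frozenset({"ISO 27001"})

def score_vendor(v: Vendor) -> tuple[int, list[str]]:
    """Return (weighted risk score, red flags) for one vendor."""
    flags, points = [], 0
    if v.past_breaches:
        flags.append(f"{v.past_breaches} past breach(es)")
        points += 2 * v.past_breaches
        if not v.remediated:
            flags.append("no remediation after breach")
            points += 3
    if not v.has_security_policy:
        flags.append("no cybersecurity policy")
        points += 3
    if not v.patched:
        flags.append("inadequate protective measures")
        points += 2
    if not v.tests_defenses:
        flags.append("no regular security testing")
        points += 2
    if not v.certifications:
        flags.append("no independent certification")
        points += 1
    return points * ACCESS_WEIGHT[v.access], flags

def prioritize(vendors: list[Vendor]) -> list[tuple[str, int, list[str]]]:
    """Vendors ordered highest risk first: (name, score, flags)."""
    ranked = [(v.name, *score_vendor(v)) for v in vendors]
    return sorted(ranked, key=lambda r: r[1], reverse=True)
# Constructed sample vendors, not real companies.
SAMPLE_VENDORS = [
    Vendor("monitoring-saas", "admin", past_breaches=1, remediated=False, tests_defenses=False),
    Vendor("payroll-provider", "read-write", certifications=frozenset({"ISO 27001"})),
    Vendor("marketing-tool", "read-only", has_security_policy=False, patched=False),
]
```

Calling `prioritize(SAMPLE_VENDORS)` ranks the unremediated, admin-level monitoring vendor first even though the marketing tool has more individual red flags, which is the point of weighting by access.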
How to reduce the risk of a supply chain attack
To mitigate risk associated with your suppliers and partners, communication and understanding are key. You must set clear security policies to be followed by all parties, including establishing response protocols for notifying one another in the event of a breach.
Depending on your industry, you might need to have your suppliers adhere to regulatory compliance requirements, such as HIPAA for healthcare, PCI DSS for retail, or the new CMMC (Cybersecurity Maturity Model Certification), which is being rolled out to safeguard Controlled Unclassified Information (CUI) across DoD supply chains. As well as incorporating these policies into your contracts, you should establish a monitoring system and carry out regular audits to ensure they are being followed.
The onus of security should not be placed solely on your suppliers, either. Your organization should follow strict rules to keep your internal IT secure. This should include policies on change management, vulnerability assessments, user access, data backup, software updates, mobile device management, employee training, and third-party monitoring.
You should develop a robust system for monitoring which vendors have access to your data and systems, and continually review the risk level of these partnerships by scanning your vendors for emerging cyberthreats. This way, you can catch potential vulnerabilities before they affect your organization and enforce the necessary controls.
By establishing clear internal and external processes — and actively vetting, monitoring, and testing your suppliers — your organization has a far better chance of preventing or mitigating the effects of supply chain attacks.
If you want to know more about the many ways you can protect your business, contact Zeta Sky. We can help you establish your security protocols and incident response capabilities, as well as providing emergency assistance in the event of a cyberattack or data breach.