What was once referred to as individual vendor cyber risk has morphed into something much more complex, known as digital supply chain risk. Why supply chain? As organizations undergo digital transformations, they tend to purchase more cloud services, and these cloud services rely on vendors. And, more than likely, those vendors rely on other vendors.
If the thought of this makes you feel uneasy, your instincts are correct. By relying on these cloud services and their vendor partners, you are opening yourself up to more risk — risk you can’t control. You’ve essentially exposed your business to a less secure environment you don’t own that could impact your network in the case of an external incident.
Supply chain risk management (also referred to as vendor risk management or VRM) is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. And this concept of supply chain risk (and effective management) is more relevant than ever before.
Let’s go over recent supply chain attacks making headlines, best practices for supply chain risk management, and what to do if you find out a vendor you use and trust has been compromised.
Why supply chain risk is in the news
In 2020, as many businesses were forced to transition to remote work, they often settled into the ease and reliability of cloud-based services. This means the supply chain became more elaborate, increasingly dependent on storage, email, communication, accounting services, and more.
Because there was a rush to get up and running quickly during the pandemic, security risks were overlooked. It’s easy to forget that what makes it easier for employees to access their accounts and sensitive information also makes it easier for hackers to target and access the same information.
In December 2020, we watched SolarWinds, a software development company that helps businesses manage their networks and systems, experience a breach through its Orion product. The threat actors embedded malicious code into the software before an update was released to all users, which resulted in malware being deployed to SolarWinds' customers, which led attackers to gain unauthorized access. What’s significant about this attack is it appeared to be led by a foreign nation state to gather information about the US government.
The SolarWinds breach isn’t the only recent example of ‘supply chain compromise.’ Mimecast, a provider of email security products and services, posted an announcement in January 2021 regarding a security breach potentially affecting roughly 10% of their customers. Impacted organizations were using Mimecast’s products for Microsoft 365 Exchange Web Services (M365, formerly Office 365). The breach was related to a digital certificate used to authenticate the connection between Mimecast and the M365 service, which malicious actors appeared to have compromised.
Supply chain risk best practices
Cloud-based services are attractive targets to hackers because businesses assume they are secure. The reality is everyone’s security is unique, and their environment is unique (systems, servers, cloud usage, remote access, etc.), and you have to remain diligent. Always follow best practices to minimize your chances of falling victim to a supply chain breach.
Identify known risks
Identify known risks across the supply chain, both upstream and downstream. When picking a vendor, it’s essential to make sure that they address all of your needs and have a process in place if something goes wrong. Ideally, they should have a security team and incident response (IR) plan with people in place to handle breaches if they occur. It is also suggested to inquire how they will alert you if something does happen. Information, especially quickly, is key in any cyber event.
You need to take a close look at:
- Networks, systems, and software they access
- Where they access your IT ecosystem
- How they access your network
- What information they access or transmit
Establish a framework for supply chain risk management
Establish a framework for accepting, transferring, mitigating, or refusing supply chain risks. You should evaluate which vendors and customers are critical to your business. Think about the impact the vendor’s data breach could have on your network and your overall security. And lastly, you should prioritize strategies for vendors you deem high risk and determine whether any single points of failure exist.
Implement a regular patching cadence
Cybercriminals look for vulnerabilities that can be used to gain access to systems or spread malicious software. These vulnerabilities can be located and patched through regular software updates. We can’t state just how critical these patches are. We suggest you update software as soon as security patches become available, at least within 30 days of the software’s release.
Monitor risk across the supply chain
Supply chain risks, along with the increasing number of personal and work devices we use, creates a broad attack surface. We recommend using an internal network monitoring solution (also referred to as an endpoint detection and response solution) that can identify and prevent dangerous attacks such as malware, ransomware, and exploits.
In addition, we suggest you create a company policy to only use business accounts on specific systems. The more systems you have to manage (family members computers, public systems, tablets, etc.) the more difficult it becomes to remediate after an incident.
We also recommend using an internet attack monitoring tool, such as Coalition’s Attack Surface Monitor (ASM), to monitor your internet-connected assets. All Coalition policyholders benefit from ASM, both for themselves and their top five vendors.
Multi-factor Authentication (MFA) and strong passwords
MFA immediately increases your account security by requiring multiple forms of verification to prove your identity when signing into an application. With MFA, users must also provide a digital token or code that is provided by a secondary device (often a mobile device) in the physical possession of the user to gain access to their account. You may also see references to Two-factor Authentication or 2FA.
Almost all the vendors offer this feature, but people usually don’t use it until it’s too late. It is suggested to implement MFA wherever it is supported, but most recommended on email, remote access software, any accounting/payroll software and banking access.
And, while it may feel daunting to worry about the length, strength, and update-frequency of your company passwords — it’s necessary. Passwords need to be unique (don’t reuse passwords multiple times or between multiple accounts), strong (with a mix of letters, numbers, and symbols), and updated regularly (based on a company-wide password policy). It is suggested to use passphrases instead of passwords.
Follow cyber news for the products and services you use
We suggest you receive updates from the products and services you use and check their websites frequently. Most large vendors have their own security-focused pages you can check for the latest news, attacks, and cybersecurity information. Plus, cloud vendors often have paid services that provide guidance specific to the services you are using. And, if you want to stay up-to-date, there are a variety of quality cyber news publications you can follow.
- Vendor websites: Amazon Web Services (AWS) security blog and bulletins, Microsoft Azure security blog and Security Center, Google Security Command Center, Google Workspace blog (formerly G Suite)
- Security news: Security Weekly, Krebs on Security, The Hacker News, Bleeping Computer, Dark Reading, SC Media
Audit your software regularly
It is very important to audit which software is being utilized within your network and making sure it is up to date and not vulnerable to compromise. Below is a list of common technology that is often targeted, listed easiest to most difficult to compromise:
- Email: reset accounts, creating new accounts, wiring money, accessing contacts, privileged legal discussions, spoofing emails to further compromise
- Remote access tools (RDP, LogMeIn, TeamViewer, ScreenConnect)
- Document management and collaboration (Dropbox, Sharepoint, Sharefile)
- 3rd party software or accounts where monetary value can be found (payroll, databases, accounting, banking)
- Security services with privileged access
- Personal accounts you’ve created that utilize business email (can be prevented by prohibiting password reuse or business email use for personal reasons)
It is recommended to audit the log data associated with the technology above as often as possible. If you are able to review it weekly, that is ideal. Additionally, setting up logging alerts (new accounts created or suspicious logins) is an excellent way to catch suspicious activity. For example, if a vendor is compromised and therefore your email credentials have been compromised, it is important to audit the login data for email to confirm whether or not a bad actor is logging in to accounts with the stolen credentials.
A vendor was compromised — now what?
If you believe a vendor has been compromised you need to act quickly. Gather the team you have ready to handle these situations, communicate clearly, and get in touch with the vendor and your insurance provider for fast incident response.
- Contact the vendor: It’s important that you directly contact the vendor (third-party) as soon as possible. Get as much information as you can about the breach and know how it may impact your business.
- Contact your cyber insurance provider: Cyber insurers, like Coalition, have systems in place to help their insureds respond to a potential compromise. Response time matters. Contact your insurer as soon as possible to help mitigate risk.
Control your risks (including 3rd parties), right away
The recent supply chain attacks on SolarWinds and Mimecast are prime examples of how fruitful these attacks can be. Despite it being harder to compromise more prominent names, it’s worth it for the threat attackers to access thousands of customers and users, even if it takes months to infiltrate. But smaller companies are also targets because they have less visibility into their vendor activity and tend to underestimate gaps and vulnerabilities in their security.
Coalition Control offers free attack surface monitoring for organizations of all sizes. But, as they say, “wait, there’s more.” Included in your free account is the ability to monitor 3rd parties or your own supply chain for latent risks in their infrastructure. Sign up for a free account today, and start controlling your risk (and that of your vendors) today.