CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS
CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.
NIST Practices in Cyber Supply Chain Risk Management
Company Overview
Through its products and solutions, CyberSecOp offers cyber security tools, such as network, email, and mobile security as well as forensic investigation following a breach. As stated by the business:
The landscape of cyber threats is quickly changing. Organized threat actors are laser-focused on hacking systems and stealing data using sophisticated attacks that are tailored to compromise a specific target and evade traditional signature-based defenses, a key component of what currently constitutes basic cyber hygiene, instead of the broad scattershot attacks of the past.
SolarWinds Supply Chain Against US Agencies
The recent SolarWinds attack made the entire world aware of the danger of a cyber supply chain attack, or an attack on or through the vendors or suppliers of your company. It is becoming increasingly apparent that your business and its data are only as secure as the weakest link among your suppliers, even if you take all the necessary precautions to secure your own computer systems. This risk includes potential computer system attacks as well as the possibility of a disruption to the operations of your suppliers.
Common Risks for Supply Chains
Many risks can cause supply chain disruption, and those threats can have severe consequences for your business. Some of the more common risks are:
Cybersecurity Risks
Hackers can enter your supply chain and then move throughout your firm. Cybersecurity breaches can also wreak havoc on your day-to-day operations. So information security should be at the forefront of your mind when considering new vendors.
Compliance Risks
You’ll need to make sure your vendor can meet any regulatory compliance requirements your company has, which will subsequently affect your supply chain. For example, suppose a vendor bribes foreign government officials on your behalf. In that case, your company will be charged with violating the U.S. Foreign Corrupt Practices Act and all the legal ramifications that it entails.
Financial Risks
When collaborating with other companies, the risk of financial loss is always present. For example, if your contractor goes bankrupt or faces its own supply issues, this could have significant economic consequences for you and your organization.
Reputational Risks
Reputational risk is the most unpredictable type of risk because incidents that affect your reputation might happen out of nowhere. Damage to your contractors’ reputations can also harm yours, so consider reputational risk when choosing providers.
Cyber Supply Chain Principles and Supply Chain Risks
NIST identifies primary principles to consider for successful C-SCRM. These considerations are comprehensive and broadly apply to critical infrastructure, business processes, and intellectual property.
Understand the Security Risks Posed by Your Supply Chain
Examine the specific dangers that each supplier exposes you to, the products or services they provide, and the value chain as a whole.
Supply chain risks come in a variety of shapes and sizes. A supplier, for example, may not have enough security, may have a hostile insider, or its employees may not correctly handle your information. Gather sufficient information to better evaluate these security concerns, such as an insider data collection report or risk assessment.
Develop Your Organizational Defenses With “Assume Breach” in Mind
Assuming a breach means an organization approaches its cybersecurity posture by anticipating that its networks, systems, and applications are already compromised. Treating an internal network as if it’s as open as the internet readies the system for various threats and compromises.
Set Minimum Security Requirements for Your Suppliers
You should establish minimum security requirements and metrics for suppliers that are justified, proportionate, and achievable. Make sure that these standards reflect not only your evaluation of security risks but also the maturity of your suppliers’ security arrangements and their capacity to achieve the requirements you’ve set.
Minimum requirements should be documented and standardized to streamline enforcement. This technique will help you lower your effort and prevent giving these parties unnecessary work.
Cybersecurity is a People, Process, and Technology Problem
People, processes, and technology are the triad of solving problems. Supply chain management also focuses on these three areas to enhance supply chain performance, make it more secure, and do more with less.
Look at the Entire Landscape
There are multiple security standards that interact with each other in a variety of cybersecurity frameworks and best practices. A few examples are the NIST Cybersecurity Framework (CSF), Center for Internet Security (CIS) Controls, and the International Organization for Standardization (ISO) series.
To be efficient and flexible, your C-SCRM should follow the guidelines established by your third-party risk management program. That is especially important today, where outsourcing is common. Always remember that your C-SCRM program is only as good as the data security provided by your least secure third- or fourth-party supplier.
Encourage the Continuous Improvement of Security within Your Supply Chain
Encourage your vendors to keep improving their security measures, emphasizing how this will help them compete for and win future contracts with you.
Advise and support your suppliers as they seek to make these improvements. Allow your suppliers time to achieve improvements but require them to provide you with timelines and project plans.
Listen to and act on any issues arising from performance monitoring, incidents, or bottom-up supplier reports that imply current approaches aren’t functioning as well as they should.
Best Practices for Cyber Supply Chain Risk Management
An organization can employ a variety of best practices in its C-SCRM program. Best practices improve the ability to identify and mitigate potential risks over time. In addition, these practices include remediation steps to apply if you experience a data breach.
Here is a list of some of the best practices to keep in mind as you set to work on your cyber supply chain risk management program:
Security requirements need to be defined in requests for proposals (RFP). In addition, use security questionnaires to hone in on the current standards practiced by each bidder.
An organization’s security team must assess all vendors, and you must remediate vulnerabilities before sharing information, data, or goods and services with them.
Engineers must use secure software development programs and keep up-to-date on training.
Software updates need to be available to patch systems for vulnerabilities, and they must be downloaded and installed in real time.
Dedicated staff that is assigned to ongoing supply chain cybersecurity activities.
Implement and enforce tight access controls to service vendors.
The new NIST guidance reflects the increased attention companies are paying to manage cyber supply chain risks. It is a useful resource for enterprises of all sizes, though some of the recommendations may be too burdensome or complex for smaller organizations to reasonably adopt. Small businesses may lack the sufficient purchasing power to require their suppliers to complete certifications or participate in contingency planning, as NIST suggests, and may not have the resources to create internal councils and intricate review procedures.
Why Supply Chain Attacks Keep Happening, and How
Authored by Alison Stuart, Sales Lead at CyberSecOp
What Is a Supply Chain Attack?
Supply chain attacks have crept to the top of the cybersecurity agenda after hackers alleged to be operating at the Russian government’s direction tampered with a network monitoring tool built by Texas software firm SolarWinds (CNBC), costing the company $18 million in the first three months of 2021.
The hackers used a supply chain attack to insert malicious code into the Orion system. A supply chain attack works by targeting a third party with access to an organization's systems rather than trying to hack the networks directly. The third-party software, in this case, the SolarWinds Orion Platform, creates a backdoor through which hackers can access and impersonate users and accounts of victim organizations. The malware could also access system files and blend in with legitimate SolarWinds activity without detection, even by antivirus software. SolarWinds was a perfect target for this kind of supply chain attack. Because their Orion software is used by many multinational companies and government agencies, all the hackers had to do was install the malicious code into a new batch of software distributed by SolarWinds as an update or patch. (WhatIs.com)
Why Do Supply Chain Attacks Keep Happening, and How?
The short answer: ensuring the security of every single third-party vendor you interact with is complicated. Even if you require that your vendors are certified to be meeting some particular security standard such as NIST 800-171, that’s no guarantee that they can’t be compromised.
Why Does It Matter If My Vendors Are Secure, As Long As I Am?
Let’s look at what happened to Target. Target was pretty secure, but their HVAC supplier, Fazio Mechanical Services, was not. In 2013, Target was breached through the credentials hackers acquired from Fazio Mechanical Services, and malware was deployed to Target’s point of sale (POS) systems. Those systems collected credit card data from over 40 million shoppers who had visited Target stores during the 2013 holiday season. (NBC)
So How Did the Breach Impact the Company?
Not only did Target’s CEO, Gregg Steinhafle, step down within 6 months, but the company reported a 46% drop in profits in the fourth quarter of 2013 compared with the year before. (New York Times) Target spent 100 million dollars upgrading their payment terminals to support Chip-and-PIN enabled cards in response to the attack. Theoretically, that should protect them from future such incidents, right? Wrong. The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach is 0. Without end-to-end card data encryption, the card numbers and expiration dates can still be stolen and used in online transactions. (Krebs On Security)
Isn’t this Mostly Ancient History?
The Kaseya breach on July 2nd, 2021, left the private sector reeling most recently. A successful ransomware attack on a single company had spread to at least 200 organizations that the company provided software to (and likely far more, according to cybersecurity firm Huntress Labs). That number made it one of the single most enormous criminal ransomware sprees in history. Kaseya announced Friday afternoon (Kaseya) that it was attacked by hackers and warned all its customers to stop using its service immediately. Nearly 40 of its customers were already confirmed to have been hacked as of the evening of the press release.
Protecting your customers from potentially unsafe vendors is essential:
Research shows that 2017 alone saw a 200% increase in supply chain attacks (DarkReading), and 56% of surveyed organizations had experienced a breach caused by one of their vendors. In Q1 of this year, The Identity Theft Resource Center (ITRC) said 137 organizations reported being hit by supply chain cyber-attacks at 27 different third-party vendors. The ITRC also indicated that the attacks in Q1 have affected seven million people. Data breaches included high-profile cyber attacks on IT provider Accellion’s File Transfer Appliance (FTA), which impacted organizations including Shell, the Reserve Bank of New Zealand, Bombardier, and Kroger.
So How Can You Protect Your Company?
The easiest way to protect your company is to ensure you have an active vendor management program. CyberSecOp offers this service to companies of all sizes - contact us now to learn more or explore our Vendor Risk Management Services.