The pace of data breaches and intrusions into computer systems is accelerating at an alarming rate. We are seeing unprecedented advancements in the sophistication of attackers. At the same time, the latest and greatest advances in technology have created greater efficiency and effectiveness for organizations and their supply chains.
However, supply chain vendors are equally vulnerable to advanced attacks. The increasing level of access and integration within host organization environments can present risks and potential new avenues of compromise. Therefore, to manage these risks, host organizations must adapt their security procedures to include vendors, partners and even customers. In addition, to secure the supply chain as much as possible, they must closely evaluate their own people, processes and technology.
There are many ways that a supply chain breach could occur. A software manufacturer could be breached via malware that modifies source code, which is then distributed to enterprises that use the software. This exact scenario played out with SolarWinds in 2020-2021.
Another common compromise vector is the theft of a vendor’s credentials that grant remote access to an enterprise it partners with or provides support to, which then leads to infiltration of the enterprise network from an already trusted source (the vendor network). Over and over again, we’ve seen trusted access come back to bite us, whether from vendors, partners, or other third parties that organizations work with on a regular basis.
It’s time we do a better job at securing our networks and assets from organizations that, while trusted to some extent, may still represent a significant risk to our organizations just by virtue of being connected or providing software or services to us. But how?
First, we need more effective risk management for vendors and service providers that we employ in our environments or that we use to provision business services (such as cloud providers, for example). Defining critical vendors and service providers (as well as partners) is a starting point, and then we need to carefully evaluate what types of assets and data third-party organizations and solutions will be interacting with.
Second, we need to do a better job of segmenting networks and connectivity points for any associated third parties to better prevent attacker ingress and lateral movement. Some remote access scenarios for “trusted” associates allow almost total access to systems once a connection has been authenticated. All third parties should be granted access only to the assets they need, following a classic “need to know” philosophy. Network segments (VLANs or subnets) should be set up based on data types and access models, with controls such as firewalls and intrusion detection governing all traffic into and out of each segment.
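The two steps above (classify vendors by the assets and data they touch, then enforce need-to-know at the segment boundary) can be expressed as a deny-by-default policy that is also replayed over connection logs to catch a vendor account reaching outside its segment. The following is an added example written for this post, not code from the author or from any product; the vendor names, subnets, ports and log lines are all constructed for illustration.

```python
"""Deny-by-default third-party access policy plus a segment-violation check.

Added example. Segments, vendors, ports and log lines below are constructed
(hypothetical) values, not taken from any real environment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: ipaddress.IPv4Network
    data_class: str  # drives how much scrutiny a vendor needs to reach it


@dataclass(frozen=True)
class VendorPolicy:
    vendor: str
    allowed: Dict[str, Set[int]]  # segment name -> permitted destination ports


# Constructed segment map: one VLAN/subnet per data type and access model.
SEGMENTS: Dict[str, Segment] = {
    "vendor-jump": Segment("vendor-jump", ipaddress.ip_network("10.50.0.0/24"), "vendor-support"),
    "hvac-ot": Segment("hvac-ot", ipaddress.ip_network("10.60.0.0/24"), "restricted"),
    "corp-users": Segment("corp-users", ipaddress.ip_network("10.20.0.0/24"), "internal"),
    "finance": Segment("finance", ipaddress.ip_network("10.70.0.0/24"), "confidential"),
}

# Constructed need-to-know policies: anything not listed is denied.
POLICIES: Dict[str, VendorPolicy] = {
    "hvac-vendor": VendorPolicy("hvac-vendor", {"hvac-ot": {443, 8443}}),
    "msp-helpdesk": VendorPolicy("msp-helpdesk", {"corp-users": {3389}}),
}


def segment_for(ip: str) -> Optional[Segment]:
    """Return the segment containing ip, or None if the address is unmapped."""
    addr = ipaddress.ip_address(ip)
    for seg in SEGMENTS.values():
        if addr in seg.cidr:
            return seg
    return None


def is_allowed(vendor: str, dst_ip: str, dst_port: int) -> bool:
    """Deny by default: unknown vendor, unmapped destination, or unlisted port all fail."""
    policy = POLICIES.get(vendor)
    if policy is None:
        return False
    seg = segment_for(dst_ip)
    if seg is None:
        return False
    return dst_port in policy.allowed.get(seg.name, set())


def audit_flows(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Replay key=value connection records and return (vendor, dst, port) violations.

    A violation here means the firewall permitted a flow the policy would not,
    i.e. the segment controls have drifted from the need-to-know model.
    """
    violations = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        vendor, dst, port = fields["user"], fields["dst"], int(fields["dport"])
        if not is_allowed(vendor, dst, port):
            violations.append((vendor, dst, port))
    return violations


# Constructed log lines in a generic firewall key=value style.
SAMPLE_LOG = [
    "ts=2024-01-01T10:00:00Z user=hvac-vendor src=10.50.0.12 dst=10.60.0.5 dport=443 action=allow",
    "ts=2024-01-01T10:02:00Z user=hvac-vendor src=10.50.0.12 dst=10.70.0.20 dport=445 action=allow",
    "ts=2024-01-01T10:05:00Z user=msp-helpdesk src=10.50.0.30 dst=10.20.0.44 dport=3389 action=allow",
    "ts=2024-01-01T10:07:00Z user=unknown-contractor src=10.50.0.41 dst=10.20.0.44 dport=22 action=allow",
]


if __name__ == "__main__":
    for vendor, dst, port in audit_flows(SAMPLE_LOG):
        seg = segment_for(dst)
        label = seg.name if seg else "unmapped"
        print(f"VIOLATION {vendor} -> {dst}:{port} ({label})")
```

Running it flags the HVAC vendor's SMB connection into the finance segment and the contractor account with no policy at all; the first is the lateral-movement case the paragraph describes, the second is the "not defined as a vendor, so not evaluated" gap that the risk-management step is meant to close.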
On-Demand Webinar: Getting Serious About TPRM
Join Dave Shackleford, owner and principal consultant of Voodoo Security and faculty at IANS Research, for a webinar that will help you evaluate and benchmark your TPRM program against the latest best practices.
With more organizations focusing on the supply chain than ever before, it’s time to take a hard look at what third-party products and services we have, what third-party providers can access, and what behaviors vendors and service providers exhibit in the course of day-to-day business. With the supply chain firmly in the crosshairs of adversaries today, there’s no better time than now to focus on third-party risk and supply chain security.
For more on my recommendations for securing third-party relationships, watch the on-demand webinar, What Getting Serious About Third-Party Risk Really Means.