When it comes to managing the cybersecurity of federal software supply chains, the current model of simply trusting suppliers must shift to one of trust backed by the capacity to verify.
Kelly White, founder and CEO of RiskRecon, a Mastercard company, explained it’s a matter of cybersecurity hygiene. Do the companies the agency does business with maintain adequate cyber hygiene that aligns with the agency’s security profile?
Ransomware via phishing attacks has become a top tactic for adversaries seeking to get their hands on valuable data stores.
White distinguished between ransomware attacks and what he called destructive ransomware attacks. The latter constitute fairly recent phenomena, starting around 2016. He defined destructive as “criminals detonating malicious software inside of organizations and encrypting the systems and thus rendering the organization unable to access those systems and their operations.”
How cyber hygiene helps with software supply chain risk management
RiskRecon recently completed an analysis of 1,000 destructive ransomware attacks that rendered mission critical systems inoperable.
“These are the things that take an organization down to its knees, so they’re particularly impactful and backed up by a very deep compromise,” White said.
RiskRecon analysts established that organizations “that have very poor cybersecurity hygiene, have a 50 times higher frequency of ransomware events than those that have very good cybersecurity hygiene,” he said.
By virtue of continuously monitoring the cybersecurity practices of some 5 million companies worldwide, RiskRecon has a solid understanding of what makes for “good” versus “poor” hygiene, White said.
Perhaps not surprisingly, the research showed that three main vectors account for 85% of ransomware attacks:
Unpatched, publicly facing web applications top the list.
After that come unsecured network services, such as unhardened remote desktop protocols.
Third place goes to phishing emails.
Given that three items account for the vast majority of ransomware attacks, they offer clues to where organizations should put greater emphasis, White said.
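One way a defender can turn the three vectors above into a routine self-check is to run a few rules over an inventory of internet-facing assets: is any public web application behind on a critical patch, is any remote-access service exposed without hardening, and does the organization's mail domain enforce anti-spoofing controls that blunt phishing. The following is an added example, not code from RiskRecon or from the article; the asset records, field names, the 15-day patch SLA and the choice of SPF/DMARC enforcement as the phishing-exposure signal are all assumptions constructed for illustration.

```python
"""Hygiene self-check over a constructed inventory of internet-facing assets.

Added example, not RiskRecon's or the article's code. Field names, the sample
hosts (.test domains), the patch SLA and the rule thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    kind: str                 # "web", "rdp" or "mail" (assumed categories)
    exposed: bool             # reachable from the internet
    patch_lag_days: int = 0   # days since a critical/high patch became available
    hardened: bool = True     # e.g. RDP only via VPN with MFA and NLA enforced
    spf_dmarc: bool = True    # mail domain publishes SPF and an enforcing DMARC policy


# Constructed sample inventory; none of these are real hosts.
INVENTORY = [
    Asset("www.example.test", "web", True, patch_lag_days=45),
    Asset("portal.example.test", "web", True, patch_lag_days=3),
    Asset("rdp.example.test", "rdp", True, hardened=False),
    Asset("mail.example.test", "mail", True, spf_dmarc=False),
    Asset("intranet.example.test", "web", False, patch_lag_days=90),  # not exposed
]

CRITICAL_PATCH_SLA_DAYS = 15  # assumed internal SLA for critical/high patches

# The three vectors from the study, used as finding categories.
VECTORS = ("unpatched_web_app", "unsecured_network_service", "phishing_exposure")


def findings(assets):
    """Return (vector, host, detail) tuples for every hygiene gap found.

    Only internet-facing assets are evaluated, because those are the systems
    that both outside assessors and attackers can observe directly.
    """
    out = []
    for a in assets:
        if not a.exposed:
            continue
        if a.kind == "web" and a.patch_lag_days > CRITICAL_PATCH_SLA_DAYS:
            overdue = a.patch_lag_days - CRITICAL_PATCH_SLA_DAYS
            out.append(("unpatched_web_app", a.host, f"critical patch {overdue} days past SLA"))
        if a.kind == "rdp" and not a.hardened:
            out.append(("unsecured_network_service", a.host, "RDP exposed without VPN/MFA hardening"))
        if a.kind == "mail" and not a.spf_dmarc:
            out.append(("phishing_exposure", a.host, "no SPF/DMARC enforcement on mail domain"))
    return out


def vector_summary(assets):
    """Count findings per vector so the weakest area is obvious at a glance."""
    counts = {v: 0 for v in VECTORS}
    for vector, _, _ in findings(assets):
        counts[vector] += 1
    return counts


def critical_patch_rate(assets):
    """Share of exposed web applications with a critical patch past SLA.

    This is the kind of per-population 'critical patching issue' rate that can
    be tracked over time or compared between business units.
    """
    exposed_web = [a for a in assets if a.exposed and a.kind == "web"]
    if not exposed_web:
        return 0.0
    overdue = sum(1 for a in exposed_web if a.patch_lag_days > CRITICAL_PATCH_SLA_DAYS)
    return overdue / len(exposed_web)


if __name__ == "__main__":
    for vector, host, detail in findings(INVENTORY):
        print(f"[{vector}] {host}: {detail}")
    print(vector_summary(INVENTORY))
    print(f"critical patch rate (exposed web apps): {critical_patch_rate(INVENTORY):.0%}")
```

Run as-is, the sample inventory yields one finding per vector and a 50% critical patch rate on exposed web applications; the non-exposed intranet host is ignored even though it is the most out of date, which mirrors the study's focus on internet-facing systems. In practice the inventory would come from asset management and external scan data rather than a hard-coded list.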
He noted that RiskRecon uses passive and open source intelligence techniques. Bad actors can use the same techniques to figure out which organizations are soft targets.
“When you’re doing business on the internet, you can’t help but reveal your cybersecurity state,” White said, “and the robustness of that cybersecurity.”
Cybersecurity basics make a difference
One finding from the RiskRecon study showed how much a basic practice like patching can improve protections.
The study pinpointed the subset of software vulnerabilities that rated “critical” or “high severity,” things that are often remotely exploited for system compromise. It found “that ransomware victims, on the day of compromise or on the day of detonation, have an 11 times higher rate of critical software patching issues in their internet-facing systems, in comparison with the larger population,” White said.
The corollary: “If you’re doing those things and investing in those activities, you’re going to get better risk outcomes,” he said. Cybersecurity staff can therefore cite real-world data when making the case for investment in basic measures for their agencies.
Plus, they’ll have objective evidence about suppliers that either corroborates the suppliers’ attestations of their cyber measures or shows where those measures fall short, White said. Doing business with companies that have good cybersecurity hygiene is a must, “if you want to get better risk outcomes, lower rates of destructive ransomware events that take your supplier offline and impact your operations,” White said.
Use of open source intelligence won’t replace supplier attestation, “but leveraging open source intelligence can help you understand how the processes and technology that an organization invests in are manifest in the systems,” White said. “Those systems that are facing the internet are pieces of evidence about the quality of their cybersecurity.”