Four steps to understanding and mitigating supply chain risk
June 30, 2021 11:02 am
This content is provided by LookingGlass.
In the wake of the SolarWinds incident and the new cybersecurity executive order, supply chain security is a hot topic in the federal government. But it’s not a new subject; entities like the National Institute for Standards and Technology have been developing guidance on this topic for years. It just never rose to the level of a critical concern until recently. Now federal agencies are scrambling to understand the attack surfaces of organizations they work with and networks they don’t own.
LookingGlass is a cybersecurity company that specializes in, among other things, supply chain risk management. They recently put out a whitepaper focused on supply chain risk, and it details four steps federal agencies can take to understand and mitigate their supply chain risks.
Take the adversary view
“One of the first steps to getting a handle on this issue is understanding who some of your critical suppliers are. You can’t protect what you don’t know about,” said Mary Yang, chief marketing officer at LookingGlass. “Agencies need to understand which vendors and what software are connecting into their enterprises. Once you have that list of critical partners, then you can work on mapping out the digital footprint for each supplier and understanding where there’s a potential risk impact.”
A digital footprint will give you a view of what adversaries can see across the public-facing internet. If they can exploit a weak spot from one of your vendors, and leverage that to get access to your systems, they will. So federal agencies need to start by seeing what their adversaries see – not just for their organization but down their supply chain. Agencies can start by going department by department to understand suppliers that have access to critical systems, data, or applications.
For example, does your agency engage with citizens and have personally identifiable information stored in a database? Who has access to that – anyone externally? If digital communications need to be sent to those individuals, is there a third-party provider who has access to those email lists? Are there vulnerabilities, exposures or risks associated with those providers? While the recent supply chain attack against USAID via its email marketing provider, Constant Contact, did not seem catastrophic, it did have brand impact and was another clear reminder of how vulnerable government agencies can be through their suppliers and vendors.
Share threat intelligence
Once you can see across your supply chain, you should overlay threat intelligence on top of that digital footprint. This helps assess the level of risk involved with each vendor, and, with threat intelligence that is relevant to each vendor’s footprint in hand, you should reach out to those vendors to share information on vulnerabilities and reduce risk. Don’t fall into outdated models of accepting point-in-time snapshots of compliance checklists. New vulnerabilities pop up every day, and compliance snapshots are almost immediately obsolete.
And ensure that communication goes both ways. Many times, a federal agency will reach out to a vendor to share concerns, or a vendor that’s required to report a vulnerability will do so, but that’s the end of the interaction. What we have seen since SolarWinds is that more public-private collaboration and engagement needs to occur, especially as agencies and U.S. companies face increasingly sophisticated nation-state actors or Advanced Persistent Threats (APTs). Agencies and vendors should work together to solve these problems.
Continuous security monitoring
“Continuous monitoring can be a concern for security teams. That’s why ongoing, passive monitoring of your entire attack surface – including your supply chain – is really critical. It can shed light on vulnerabilities and risky services that an organization doesn’t know about,” Yang said. “One of the most basic risky services is Remote Desktop Protocol, which allows someone to essentially get access to a computer or a network remotely. While there are a lot of reasons why RDP can be in use, it is also a service that gets exploited very often by adversaries who are looking for a way into a network or to deliver malware or other malicious programs.”
By externally scanning across your supply chain for vulnerabilities and exposures, you improve your chances of proactively mitigating threats to your enterprise – especially if you share your findings and detailed threat intelligence with your supply chain vendors.
Not every federal agency has a footprint within the boundaries of the National Capital Region, and suppliers are also likely to be located all over the country. Many, like the Interior Department or the Small Business Administration, have nationwide operations. Being able to pinpoint not only the external vulnerability but the geographic location of that asset can enable a faster response.
“It’s one thing if that machine is located in the office building that your IT team is located in, it’s another thing if that machine is located somewhere else in the country. Then you’ve got to figure out if someone can mitigate that vulnerability from where they are, or if someone needs to be dispatched,” Yang said. “Being able to drill down to understand the geographic attributes of an asset becomes really important when we talk about mitigating critical vulnerabilities.”
From a supply chain perspective, agencies don’t have this level of control or ability to respond when the vulnerability exists within a vendor’s systems. That’s why the ability to drill down and give vendors as much information as possible – where the asset is located, what’s the exact vulnerability or risky service, and how that impacts their risk posture – is critical to helping manage supply chain and third-party cyber risk.
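The workflow the sections above describe (map each supplier's external footprint, overlay threat intelligence on it, flag risky exposed services such as RDP, and attach the asset's location so the vendor knows what to fix and where) can be sketched as a small scoring script. The following is an added example written for this article; it is not LookingGlass's code or the whitepaper's method. The supplier names, hostnames, product names, advisory entries and risk weights are all constructed for illustration.

```python
"""Overlay constructed threat intelligence on a supplier footprint inventory
and rank findings for vendor outreach. Added illustrative example; every
supplier, host, product, advisory and weight below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Services considered risky when exposed to the public internet. The weights
# are an assumption for this example, not a published scoring scheme.
RISKY_SERVICES = {
    "rdp": 8,      # Remote Desktop exposed to the internet, as the article notes
    "smb": 7,
    "telnet": 7,
    "ftp": 4,
}

# Constructed advisory feed: (product, affected version prefix, severity 1-10).
# In practice this would be refreshed continuously rather than treated as a
# point-in-time snapshot.
ADVISORIES = [
    ("ExampleMail", "2.1.", 9),
    ("ExampleVPN", "5.0.", 6),
]

# Constructed external footprint, one row per exposed service:
# (supplier, host, port, service, product, version, location)
FOOTPRINT = [
    ("Acme Mail Co", "mx1.acme.example", 25, "smtp", "ExampleMail", "2.1.4", "Denver, CO"),
    ("Acme Mail Co", "mgmt.acme.example", 3389, "rdp", "", "", "Denver, CO"),
    ("Beta Hosting", "vpn.beta.example", 443, "https", "ExampleVPN", "5.2.0", "Austin, TX"),
    ("Beta Hosting", "files.beta.example", 21, "ftp", "", "", "Austin, TX"),
    ("Gamma Analytics", "api.gamma.example", 443, "https", "", "", "Reston, VA"),
]


@dataclass
class Finding:
    supplier: str
    host: str
    port: int
    location: str
    reason: str
    score: int


def assess(footprint=FOOTPRINT, advisories=ADVISORIES, risky=RISKY_SERVICES):
    """Return Findings (highest score first) for each risky service exposed
    and each product/version that matches an advisory in the feed."""
    findings = []
    for supplier, host, port, service, product, version, location in footprint:
        if service in risky:
            findings.append(Finding(supplier, host, port, location,
                                    f"risky service {service} exposed", risky[service]))
        for adv_product, adv_prefix, severity in advisories:
            if product == adv_product and version.startswith(adv_prefix):
                findings.append(Finding(supplier, host, port, location,
                                        f"{product} {version} matches advisory", severity))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def supplier_scores(findings):
    """Aggregate scores per supplier so the riskiest vendors are contacted first."""
    totals = defaultdict(int)
    for f in findings:
        totals[f.supplier] += f.score
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def by_location(findings):
    """Group findings by asset location to decide who can respond from where."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.location].append(f)
    return dict(groups)


def vendor_report(findings, supplier):
    """Lines to share with one vendor: asset, location, exact issue and score."""
    return [f"{f.host}:{f.port} ({f.location}) - {f.reason} [score {f.score}]"
            for f in findings if f.supplier == supplier]


if __name__ == "__main__":
    fs = assess()
    print(supplier_scores(fs))
    for line in vendor_report(fs, "Acme Mail Co"):
        print(line)
```

Running it ranks the constructed "Acme Mail Co" first (an advisory match on its mail server plus internet-exposed RDP on a management host), and the per-vendor report lists each asset with its location and the exact issue, which is the level of detail the article recommends sharing with a supplier. A real deployment would replace the constructed inventory and advisory list with live footprint and threat intelligence feeds and re-run on a schedule rather than once.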
“Supply chain risk management has to include managing the cyber security risk that organizations and systems and networks outside of your control have,” Yang said. “Cybersecurity is often focused on what happens within the four walls of the organization. So that external digital footprint to help you see what an adversary sees, geographic drill-down capability and detailed information sharing all become important if you’re trying to manage and mitigate supply chain risks. It’s about trying to influence that rising tide that lifts all boats.”