Six degrees of security separation
Updated: Sep 16, 2019
How to know when your Suppliers' network or platform security may be placing more than just themselves at risk.
How many times have we seen headlines that a reasonably secure organisation has been compromised through its supply chain.
Logically, it is far easier for an attacker to go after a smaller service provider than a head-on attack against a massive corporate.
So why does this happen?
Let's examine some of the security related supply chain risks and some key measures to address these:
1) Your supplier does not understand / follow / comply with / keep informed about your security requirements.
It's cold comfort when your supplier suffers a data breach to say that commercially they were required to comply with your security policies and standards.
A supplier's logical response is often - We were never informed of any policies or standards.
So how do you keep your suppliers informed of your evolving security needs?
Establishing real (and realistic) security related service levels (and ideally practical security Standards) which are embedded commercially, reported on regularly, validated independently. This can then include a combination of self-assessment as well as spot-checks depending on the nature of the services and information involved.
Regular supplier security and risk dialogue. Including open discussion about your (and their) changing risks and issues. e.g. How they may be tackling the risks associated with Ransomware, Network and Application Vulnerabilities etc.
Include your suppliers in regular Security Incident Response drills and preparation and planning.
Establish a relationship and open (bidirectional) flow of security related information to help keep a focus on the management of cyber risks.
2) Your supplier has limited / no capability or expertise for managing security.
Its an unfortunate fact of modern business that information is effortlessly created, captured, stored, processed and transmitted.
As information has value, as both an asset in its own right, or as leverage for other purposes (fraud, extortion, corporate espionage, etc), protecting it typically involves:
Knowing that you have the information, and its potential value (to the owner or someone else).
Knowing where it is, where it has been, and who has (or should) have access to it.
Knowing how the information has been protected, whether through technical measures or old school (e.g. the mythical standalone system not connected to a network) throughout its lifecycle (all the way to destruction and confirmation),
Being able to track, record and prove all of the above.
There are many examples of accidentally exposed data on decommissioned hard disks.
Most commonly, the root cause of issues in data mishandling that leads to a breach are the lack of suitably skilled internal resources (or human error) with the responsibility of protecting data (or the internal failure, or in some cases deliberate decision not to engage them).
3) Failure of another downstream supplier, technology, system, partner, contractor etc
In the same way that you depend on your suppliers, they will likely depend on others.
So how can you hope to navigate such a situation?
When establishing a relationship with a new supplier, establish an understanding of their downstream dependencies. This can be done as part of on-boarding, or (better yet) periodically as part of your ongoing supplier management dialogue.
Tips in this space include, having them walk you through their DR, BCP or CMT arrangements for any key systems or processes that involve the Storage, Transmission or Processing of your data.
One thing to be mindful of here is that this may include any data which is created as part of the services they provide, either in form of Backups and Transport media, MetaData (Database indexes etc) or Machine Data (logs etc).
4) Disinterested, Overworked, Malicious, Disgruntled, Compromised employees
Some interesting questions to ask a potential supplier include:
What arrangements are in place to lock down a compromised administrative account?
How frequently do you change administrative account passwords?
Are all users required to have a unique Network/Application/Database account?
Do you enforce strong (Multifactor) authentication for all remote access or admin activities?
How quickly can you disable a suspected compromised account?
Do you have an independent and immutable source of log information for your Network/Application/Database?
So what other actions can we take to help improve security in our supply chain?
Add your suppliers to your open source intelligence monitoring and discovery.
Use security performance and experience as part of your commercial review processes (do you really want to use a supplier who has a track record of data breaches).
Use your internal security team or external security partners to help evaluate the security capability and performance of existing or potential suppliers.
Some additional links and resources that may be useful:
In summary, supply chain security is not a platform or product, but an ongoing process involving your suppliers as well as your commercial and security teams.
If you need help assessing or securing your supply chain, contact us
Author: Clinton Smith