The recent supply chain attack, in which a backdoor was introduced by bad actors into the widely deployed SolarWinds platform, has revealed several dimensions of cybersecurity that were lacking in organizations across the globe.
By Dick Bussiere, Technical Director, APAC, Tenable
It is a stark reminder of how a single seemingly unconnected breach of a trusted third-party supplier can introduce malicious code directly into unrelated, separate infrastructures. Yet, supply-chain security is often overlooked among Indian organizations largely because the financial and technical capabilities of service providers and subcontractors don’t often match the capabilities of their clients. This is evident in a PwC report, which revealed that 76% of Indian organizations did not allocate adequate funds for cybersecurity in their budgets.
The writing is on the wall: if supply-chain security is not part of the cybersecurity plan, organizations in India are at risk of being breached. So, what lessons can CISOs learn from the SolarWinds incident to change the way they secure and manage their supply-chain infrastructure?
Continuous visibility: With interconnected networks, software systems, and subsystems being supplied by third parties, an organization’s infrastructure becomes intimately intertwined with that of its suppliers. This makes understanding how an attack against a supplier could impact your organization a critical part of maintaining cybersecurity. The solution to gaining this understanding is to have continuous monitoring and threat intelligence relating to the full supply chain, and risk-based vulnerability management.
Inventory management: An organization may have numerous third parties in its supply chain, and knowing whether those vendors maintain good cyber hygiene is important in understanding the threat landscape. Here are some fundamental questions CISOs need to ask:
- Have the vendors suffered any security breaches which could have introduced malware into the code or services being supplied by that vendor?
- Do vendors employ strict role-based access control models and separate duties around code repositories and technology stack?
- Have vendors in the supply chain deployed automation to enforce role-based access control settings?
- Are vendors constantly reviewing token and credential usage?
- Is the vendor taking measures to ensure that the third-party code that they are using is free from malicious content?
- Most importantly, when was the last time the vendor completed a third-party security review of their software development life cycle (SDLC)?
Zero trust model: The thought that even trustworthy, vendor-issued updates can be spoofed is concerning. This was evident in the SolarWinds breach, where the attack took place deep within the software development pipeline, and the code was signed with a valid certificate trusted by customers. From a risk management point of view, a zero-trust approach is important. Assuming that any system in an organization’s infrastructure can become rogue overnight is crucial to securing the supply chain. A baseline that includes an accurate asset inventory and an understanding of business processes, traffic flows, and dependency mappings is essential to establishing where trust relationships exist and where a zero trust model should be implemented.
Minimize access to sensitive data: After breaching a defense, the first thing cyberattackers do is to move laterally and look for privileged accounts. This is because privileged accounts have access to sensitive information. The more privileged access roles there are, the larger the attack surface, so such accounts need to be kept to a minimum.
It is important to identify who has access to privileged accounts and audit the appropriate level of privilege for each role within the organization. Implementing identity and access management and encrypting all internal data can make it difficult for cybercriminals to establish backdoors during a supply-chain attack.
There is no doubt that a cyberattack on a third-party vendor creates cyber, operational, compliance, and reputational risks for all organizations the vendor works with. It can also have short-term and long-term impacts that could take months and sometimes years to resolve, resulting in financial loss. The ripple effects of SolarWinds are a painful example of how crucial it is for organizations in India to prioritize third-party security.
About the Author
Dick Bussiere is the Technical Lead for APAC at Tenable. Based in Singapore, Bussiere is responsible for evangelizing the criticality of cyber hygiene and vulnerability management as a continuous process to enhance an organization’s security posture.
Bussiere is also responsible for Tenable’s operational technology offering in the region, consulting with operators of critical infrastructure on how to bolster their defensive position.
Bussiere is the holder of five patents related to networking and network security. He’s also an active participant in the Institute of Electrical and Electronics Engineers and Internet Engineering Task Force working groups.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.