Security professionals recognise that the weakest link is the one most likely to be compromised by a hacker. But an organisation’s security model should not fall apart just because a part of the business, or a business partner, has weak security.
Tim Holman, CEO at 2-sec, says the term “secure as the weakest link” implies that all parts of the business and everything that links each part together are on an equal footing and trust level to everything else. But this idea of securing the weakest link is not working.
A survey conducted by the UK government recently reported that a lack of visibility in supply chains is one of the biggest barriers to effective supplier cyber risk management.
Meanwhile, a study from ISACA found that many cyber security professionals are concerned about the security of their organisation’s supply chain. Two-thirds (66%) of respondents are worried about poor information security practices by suppliers.
While business drives greater levels of technical development, security can sometimes be an afterthought, warns Mike Gillespie, vice-president of the C3i Centre for Strategic Cyberspace and Security Science (CSCSS).
“Experience has taught me that when organisations head for technology to solve a range of issues, as well they should, they do not funnel anywhere near enough resource into protecting themselves from unintended consequences, or from the poorly informed users of this technology, in many cases not even training the users on the basic usage of it, let alone the safe and secure usage of it,” he says.
GitHub recently revealed that attackers used OAuth user tokens stolen from two separate third-party integrators to access data belonging to the npm package registry, including the login details of about 100,000 npm accounts.
When looking at the security of links between a company and its business partners, BCS volunteer Petra Wenham says: “We must include the company’s IT in that statement and the security of a partner’s IT system.”
Junade Ali, a technologist with an interest in software engineering management and computer security, points to the stolen OAuth tokens as an example of the risks organisations face across their supply chains when they connect to, or make use of, third-party systems.
“In the recent past, I’ve worked on changing practices across the industry when it comes to password security,” he says. “I developed the anonymity models used by Have I Been Pwned, the developer tooling needed to improve password security practices and published scientific studies used to change the industry understanding of the best practice.”
What Ali learned was that the reuse of compromised credentials from one low-value website (say, a pizza restaurant) often cascades to compromising someone’s online banking. He adds: “The message here is clear – security isn’t purely within our fiefdom and we depend on others to keep our data safe.”
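Ali's point that "we depend on others to keep our data safe" also applies to the breached-password check itself: sending a user's password, or even its full hash, to a third party to ask whether it has been leaked would create exactly the kind of dependency he warns about. The k-anonymity range model that Have I Been Pwned's Pwned Passwords service uses avoids that by letting the client send only the first five hex characters of the password's SHA-1 hash and compare the returned bucket locally. The following is an added example written for this article, not code from the article or from Have I Been Pwned; the breach corpus, counts and the offline `fetch_range` stand-in are constructed so that it runs without network access. The live `hibp_fetch_range` function targets the real `https://api.pwnedpasswords.com/range/` endpoint and is only used if you pass it in explicitly.

```python
"""Breached-password check using a k-anonymity range query (added example).

The client never transmits the password or its full hash: only a 5-character
hash prefix leaves the machine, and the match is made locally against every
suffix the service returns for that prefix.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed breach corpus (password -> times seen). Not real breach data.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 3_861_493,
    "letmein": 125_000,
    "Pizza4Tonight!": 3,   # a password first used on a low-value site
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as Pwned Passwords keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Bucket hashes by their 5-char prefix, mirroring the service's range files."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the range endpoint: one 'SUFFIX:COUNT' line per hash in the
    bucket. A padded entry with count 0 is included to show that clients must
    ignore padding rather than treat it as a hit."""
    rows = RANGE_INDEX.get(prefix, [])
    lines = [f"{suffix}:{count}" for suffix, count in rows]
    lines.append("0" * 35 + ":0")  # constructed padding line, count 0
    return "\r\n".join(lines)


def hibp_fetch_range(prefix: str) -> str:
    """Live query of the real service (network required; not used by default).
    Add-Padding asks the service to pad the bucket with zero-count entries so
    the response size reveals less about the bucket."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    Only `prefix` is handed to fetch_range; the suffix comparison is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            n = int(count.strip())
            return n if n > 0 else 0  # zero-count lines are padding, not hits
    return 0


def queried_prefix(password: str) -> str:
    """What actually leaves the client for this password: the 5-char prefix."""
    return sha1_hex(password)[:5]


def accept_password(password: str,
                    fetch_range: Callable[[str], str] = offline_fetch_range) -> bool:
    """Policy: reject any password that has appeared in a known breach."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "Pizza4Tonight!", "correct horse battery staple"):
        print(f"{pw!r}: sends prefix {queried_prefix(pw)}, "
              f"seen {pwned_count(pw)} times, accepted={accept_password(pw)}")
```

The design choice worth noting is that `fetch_range` is injected: the password policy logic is identical whether the bucket comes from the embedded corpus, the live service or a mirrored copy of the range files hosted inside your own network, and only the prefix ever crosses the trust boundary.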
Collaboration and automation
However, as Martin Tyley, head of cyber at KPMG UK, notes, budgets very rarely cover supply chain risk. He says business and IT leaders need to accept that their organisations will operate with some level of risk, and this is very hard to balance. “Retailers and utilities have an acceptable level of loss,” he says. “What is your tolerance for losing a customer record?”
Tyley says organisations need to combine forces across their supply chain, with a collective interest in understanding what each partner can do to improve supply chain resilience. This, he says, requires every organisation in the chain to be prepared to share its risks with its partners, so that those partners can compensate for potential weaknesses in a way that hardens security across the supply chain for everyone.
“Being honest with suppliers about security needs and expectations during the initial stages of procurement, and encouraging them to do the same, will help build stronger relationships and strengthen security,” says Francesca Williamson, an analyst at Information Security Forum.
She urges IT security chiefs and those responsible for the security of the supply chain to establish a security baseline that incorporates security requirements in the contract. This, she says, will help to establish a precedent for the entirety of the supply chain lifecycle.
Assessing risk in the supply chain
Brian Fletcher, a cyber assessment practices adviser at ISACA, recommends that organisations practise their response to a supply chain incident. “These initial exercises can help identify concerns and issues, especially with roles, responsibilities and the incident management chain of authority,” he says.
After completing several of these exercises, Fletcher says organisations should then conduct planned and unplanned walkthroughs of the shared incident playbooks. “Walkthroughs help identify potential issues before an actual incident,” he adds.
Such issues include who the backup contacts are if the primary contacts are not available, and the circumstances in which the organisation and its suppliers should switch to alternative means of communication.
Specialist suppliers that produce and facilitate incident scenarios can, says Fletcher, increase the realism of an organisation's supply chain incident response exercises. "In these situations, clearly scoped and approved rules of engagement make the training as authentic as possible without impacting operations," he says. "The key output is a list of lessons learned to improve the resilience of your supply chain."
When looking at the levels of security controls an organisation has across its supply chain, Wenham says companies should assess both the direct control and indirect control they have.
“Direct control would be where company assets are controlled by company policies, procedures, standards and work guides,” she says. For instance, this may cover maintenance staff who are either employees or contractors who are legally required to follow company policies.
Tips for hardening supply chain security
An organisation needs to identify the boundaries between each supply chain part and who has the technical management of security for each part and its interfaces. The IT security team needs a solid understanding of a company’s business, including all partners, subsidiaries and other external services that are used, be they public or private.
As part of this mapping exercise, BCS volunteer Petra Wenham recommends that the supply chain security team should consider what current industry good-practice security controls they would expect to find, both for the supply chain part under consideration and its interfaces to other supply chain parts.
For each part of the chain, Wenham says the next step is to review what security controls are actually in place, including its interfaces, and compare those with the identified good-practice controls. These reviews, together with knowledge of the company assets that could be exposed by a security breach and the value at risk should a control fail, will lead to a risk profile and a remediation plan to improve security.
Indirect control is where a third party provides services under a legal contract, says Wenham. "That contract would have clauses relating to security and annexes spelling out the security requirements in detail," she says. "It is no good just saying that the third party must be ISO 27001-compliant. The statement of applicability and the relevant clauses need to be identified together with any necessary expansion."
Wenham adds that there may be company-specific policies covered by the contract, together with mechanisms to ensure that the security is being maintained regularly, such as independent audits or a copy of a standards renewal certificate.
Automation is key to securing supply chains, as they become ever more complex. Information Security Forum’s Williamson says continuous monitoring is required to achieve the most accurate and reliable profile of a supplier’s security posture, and this is only realistically achievable when automation is incorporated. There are a number of methods available for continuous monitoring, which include, but are not limited to, security ratings, supplier self-assessments and security certifications, says Williamson.
“The greatest value from continuous monitoring is extracted from the outputs produced,” she adds. “Most assessment tools will present the findings in a dashboard which provides a visual representation of the security of suppliers, helping to increase the visibility of the status of the supply chain by providing the results in an easy-to-comprehend format.”
Williamson recommends that business leaders and security heads incorporate supplier assessment tools into the supply chain management process, pointing out that these tools help to achieve greater levels of visibility. “The technology can store, process and analyse a large quantity of data at a much quicker pace,” she says.
Williamson adds that the use of this technology during the evaluation stage of the process has the potential to identify trends or anomalies that may have previously gone unnoticed. “Increasing the level of visibility enables organisations to be better prepared and ready to respond to supply chain threats,” she says.
For 2-sec’s Holman, businesses should probably operate under the assumption that they have already been compromised. As recent studies have found, many organisations are very likely to have been compromised by a supply chain incident. “You should do your utmost to protect what is critical to your business, at source,” he says.