How Not To Let Your Supply Chain Leave You Vulnerable

Sep 23, 2021
Charles Coaxum
VP of Customer Experience

Share with Your Network

“There are only two types of companies,” observes Cisco’s Gee Rittenhouse in a recent blog“Those that know they’ve been compromised, and those that don’t.”

I’d argue it’s a (very) worthy pursuit to figure out which type of company yours is. But it may be just as important to make the same determination about the companies that inhabit your supply chain. 

After all, cybersecurity concerns pose a challenge for organizations digitizing their partner and supplier ecosystems. You can do everything reasonable to lock down your own infrastructure (and you should), but if your supply chain is vulnerable, you may be vulnerable as well. 

Business leaders see the need

Supply chain security is often overlooked, to the potential detriment to those who aren’t looking. And analysts agree. For instance, Gartner named cybersecurity as a top supply chain theme for 2021. “Supply chain leaders,” notes a Gartner report from 2019, “must prepare for the coming wave of requests to integrate cybersecurity and risk management across supply, demand and production ecosystems.” Back then, Gartner reported that data security was the No. 1 concern among executives responsible for supply chains of all types. 

Since Gartner published that report, supply chain ecosystems have continued to be digitized, with vendors and partners increasingly looking to gain operational efficiencies by accessing enterprise systems, VPNs, work environments and more. In fact, 23% of supply chain ecosystems will be digital by 2025; today, just 1% are.

What you can do now to secure your supply chain

It’s natural to recognize the need but not know exactly how to address it. Fortunately, best practices abound. They’re based on the lived experience of enterprises and guidance from respected organizations.

The National Institute of Standards and Technology (NIST) outlines some helpful supply chain cybersecurity risks and best practices in a publicly accessible document. While NIST’s tips largely focus on your software supply chain (all the products and digital services you purchase from providers), many are applicable to your entire ecosystem of suppliers, vendors, service providers and partners—virtually everyone who accesses your IT infrastructure or your enterprise or customer data. I’ll summarize some of these here.

Go looking for trouble

First determine where your potential exposures lie. Consider all third-party service providers with physical or virtual access to information systems, software code or IP, as well as any that might have physical access to your sites. Look for:

  • Poor security practices common among smaller, lower-tier suppliers
  • Compromised software or hardware purchased from suppliers
  • Counterfeit hardware, or hardware with embedded malware
  • Third-party data storage or data aggregators. 

Then look for potential risk areas

Next, evaluate the relative risk of working with specific vendors. A good place to start is the environment you know best: yours. Begin by interrogating your own processes, and how weaknesses in them might invite unnecessary risk of exploits.

  • How closely are you controlling third-party access to your systems? Do you use two-factor authentication or other safeguards to prevent unauthorized access?
  • Are access controls determined by individual or by role?
  • Do you have security policies in place regarding accepting files from outside parties via email?
  • What level of verification do you require to access your VPN? Do you run background checks on prospective VPN users?

Then begin asking pointed questions of your providers. Ask them:

  • How closely are you controlling third-party access to your systems? Do you use two-factor authentication or other safeguards to prevent unauthorized access?
  • What physical security measures are in place at your business? Do you document them?
  • What access controls, both electronic and physical, are in place? Do you document and audit them? How?
  • How do you encrypt and store data?
  • What’s your process for destroying data once a partnership ends?
  • Do you conduct employee background checks? Regularly or just upon hiring?
  • And crucially: What are your security expectations for your own upstream suppliers? And if you stipulate security requirements, how do you monitor or enforce them?

These are general security questions. Later, I’ll cover questions to ask regarding how your partners manage vulnerabilities.

How Customer Success teams can help

Once you determine what you can do better, establish a plan to make those improvements internally, and communicate your expectations of partners and suppliers externally. Work with your security system vendor’s Customer Success team to help you draw up and execute a success plan for both. Set goals, such as timelines for closing authentication loopholes or implementing 2FA, and then measure your progress against those milestones.

This is an important effort, and especially so if you work with smaller partner and supplier organizations whose security operations may not be as robust as yours. Certainly, keeping your own house in order is your last, best defense against attacks. But ensuring that you have a hard perimeter around your ecosystem isn’t just a good idea, it’s a necessity.

Lessons from working with a global logistics leader

The Kenna Security Customer Success team has acquired even more best practices by working with a number of our customers to help them lock down their partner ecosystem. Among them is one of the largest logistics and delivery companies in the world (which as you might imagine has an extraordinarily extensive supply chain). 

Start with leadership reporting and buy-in. Our focus is risk-based vulnerability management (RBVM), which enables Security and IT teams to prioritize the vulnerabilities that matter most so they don’t waste time patching low-risk vulns. By starting at the top, we can help educate stakeholders on risk scores, which are intuitive measures of relative risk that can be applied to assets, workgroups, functions, departments, and the organization as a whole. When everyone understands the value of risk scores, and their ability to measure risk over time, it’s easier to create a safer ecosystem from the decision-maker on down.

Score highest-risk partners first. It’s a common Customer Success strategy to focus on the areas that are the most hurting or exposed. This allows you to see quick results that in turn encourage further buy-in. You’ll always focus on overall organizational risk, of course, but as you begin to drill down to particular areas of your supply chain, focus on partners and vendors with the highest risk and compliance issues, based on industry benchmarking.

Create security councils. These groups meet regularly and bring together all parties impacting vulnerability management to understand the initiatives for the current patching cycles. In these meetings, members can discuss and share risk trends, explore trending vulnerabilities, identify out-of-compliance assets, discuss SLAs, and more. 

Get specific with partners. When working with existing or evaluating new vendors, ask about the controls and best practices they have for their own RBVM programs (and if they don’t have an RBVM program, tell them to contact us). Some questions to ask:

  • How does the partner/vendor categorize a critical vulnerability?
  • Do they use CVSS/scanner scores to prioritize vulnerabilities?
  • Do they use a methodology such as Kenna that leverages threat intelligence to identify vulnerabilities that are easily exploitable and are actively being weaponized?
  • What is their plan to address critical vulnerabilities as they are released? Are the right teams alerted when high-risk vulns are released?
  • Can the partner/vendor prove they have a plan to address vulnerabilities in a timely manner and prove they are remediated? Do they maintain remediation SLAs?
  • Is there a Security Policy document that outlines the remediation timelines for vulnerability criticality and network location? Can you review it?
  • Are the remediation timeframes acceptable and do they align with the customers RBVM program?
  • Do the applications in scope receive a penetration test on a periodic basis? Are the findings remediated in an acceptable timeframe?
  • Are critical findings forced to be remediated before they are pushed to production?
  • Are risk-based vulnerability metrics presented to leadership on a periodic basis?
  • Is risk going down? How do they know?
  • Are SLAs being met?
  • How do they compare to their peers? Do they benchmark their progress against others in their industry?
  • Does the vendor/partner have an incident management program to detect, prevent and contain incident related activities?
  • How can they ensure IP whitelisting is in place so that connections from specific IP addresses are allowed in?
  • Do they have a disaster recovery program that’s acceptable to you?

More tips from security experts

When it comes to supply chain security, these additional best practices can help you protect yourself—and your partners.

  • If possible, assign a point person to own supply chain security. It’s hard to accomplish this without a Security professional driving the effort. That person can work with the business stakeholders who interact regularly with their supply chain partners and who can kick start the process by making it clear that improving security is now a condition of doing business with your organization. Here again, your Customer Success organization may be able to lend a hand in creating a format for those communications, and for establishing a procedure to monitor and verify that partners are taking the required steps. 
  • Write critical security protocols into your service agreements. Set a standard for all partners and vendors, and include “one strike” provisions so you are protected from future negative events if a hack occurs. 
  • Retire old user accounts. The Colonial Pipeline ransomware hack resulted from attackers using an old account to access Colonial’s VPN. Do your suppliers have access to your VPN? How diligent are they in keeping track of inactive accounts? How diligent are you?
  • Require suppliers maintain a risk-based vulnerability management program (RBVM). More organizations are moving to a risk-based approach to vulnerability management, especially now that leading analysts have concluded the future of vulnerability management is risk-based. Gartner even cited RBVM as a top security project for 2021. Adopting an RBVM program aligns with specific guidance offered in a 2021 Harvard Business Journal article enumerating the ways companies can secure their digital supply chains (those involving software, hardware and cloud services). In addition to exhorting IT managers to use automation to simplify vulnerability remediation, they stressed the need to prioritize vulnerabilities so you and your partners don’t waste time patching low-risk vulns. 

Tell your partners: This protects everyone’s business and brand

Probably the last thing anyone wants is for a customer or partner to demand they change the way they do things to accommodate that company’s standards. But with so much at stake, and with exploits on the rise, it actually benefits all of us to do everything we can to keep bad actors from getting in and causing costly damage to your operations, your revenue prospects and your reputation. 

After all, what Gee Rittenhouse said is absolutely true. The only question is which kind of company you’d rather be, and which kind you’d rather work with.

Read the Latest Content

Threat Intelligence

18+ Threat Intel Feeds Power Modern Vulnerability Management

You need lots of threat intelligence feeds to cover all of the threat and vulnerability data categories in the world. Learn about the threat intel feeds...
Data Science

Ask Us About Our Data Science

In vulnerability management, data deluge is a recurring problem. Learn what data science is and how it can help your company.
Risk-Based Vulnerability Management

What is Modern Vulnerability Management?

Modern vulnerability management is an orderly, systematic, and data-driven approach to enterprise vulnerability management.

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.