How NOT to be the Weakest Link in the Supply Chain

Overview 

Supply chain security, vendor risk management, third-party security. Each of these synonymous cybersecurity terms has become widely used, thanks to the increase in the exploitation of threat vectors from outside of an organization. 

So, what can software vendors and third-party technology partners do to ensure they don’t become the weak link in the supply chain? 

In this webinar you’ll get two different viewpoints on supply chain security from two NetSPI team members, Field CISO, Nabil Hannan, who will explore the topic from the software development perspective, and Managing Director, Chad Peterson, who will approach it from a business risk perspective. 

• Their differing views on supply chain security  
• The anatomy of a supply chain attack  
• Considerations and best practices for securing the supply chain   
• How vendors can get proactive to show potential partners that they are NOT the weakest link  
• The future of supply chain security 

Key highlights: 

• 1:27 – Defining the supply chain
• 2:54 – Supply chain and risk
• 5:15 – Anatomy of a supply chain attack
• 14:50 – Proactive measures to protect against supply chain attacks
• 29:53 – What’s next with supply chain security?

Defining the supply chain 

When it comes to supply chain security, it’s important to look at it from two sides – business risk and insider threat.

Business risk includes: 

• Critical assets and intellectual property 
• Internal risk programs 
• Business partners  

Insider threat includes:

• Internal software development 
• Unique capabilities of the adversary  

Supply chain and risk 

From a business risk perspective, the supply chain landscape has changed substantially over the years. 

Here are some of the key motivators of change:

• Perimeter transparency: Today’s environments extend well beyond the traditional brick and mortar business, with cloud and software as a service and remote work now being the norm.  
• Reliance on business partners: Organizations today are relying on partners to support essential pieces of their business, including business processes, infrastructure, and application development.  
• Increased attack surface: Outsourcing and the transparency of the perimeter have resulted in a loss of control for internal security teams. Additionally, external and internal environments have become blurred and there’s now an increased emphasis on privileged access.  

As a result of this changing landscape, the anatomy of attacks has evolved for many organizations.  

Some of the ways in which attacks are changing include:

• Island hopping: Because companies are doing a better job of protecting their own environments, attacks are no longer exclusively focused directly at the organization, but rather within the supply chain. Emerging attack methods include network-based, reverse email, and watering hole attacks.  
• External motivations: Organizations are increasingly outsourcing their software development for cost savings and to have additional resources to expedite and accelerate software development. To support this, more software developers are being hired from outside the U.S., which can pose challenges with managing insider threats in the supply chain. 
• Internal motivations: It can be challenging for organizations to know for certain that when they hire developers, they’re not malicious and that they’ll truly perform the work they’ve been hired to do. Another related concern is when U.S.-based employees outsource their own software development jobs to developers in China or elsewhere, which can give individuals outside the company access to an organization’s code or other sensitive data. Many organizations don’t have a full picture of what’s happening within their company, which can pose supply chain security risks in the long run.  

Traditional malware vs. malicious code 

A key piece of effective supply chain security is understanding the differences between traditional malware and malicious code.

• Traditional malware is installed on systems from external sources, usually downloaded through different attack vectors like phishing, and is a result of outside attackers trying to compromise systems at a larger scale, such as sending a phishing email to thousands of people at once, hoping at least someone will click on it.  
• Malicious code is code is much more targeted and inserted into software that’s built internally, usually inserted by an internal employee, and looks and feels like regular, non-malicious code. Internal adversaries include different types of employees, such as software developers, administrators or operations team members, and change management team members, all of whom have access to internal systems.  

Proactive supply chain security measures  

While the supply chain threats that businesses face today are significant, there are some proactive measures organizations can put in place to ensure supply chain security is effective.

Consider the following proactive measures at your organization: 

• Security awareness training: Ensure you’re training your staff on security best practices to follow. Have a process in place for the training to be provided to all new employees, as well as an annual refresher training with all employees. 
• Policy and standards adherence: Implement organizational policies and standards that are a reflection not only of best practices, but are followed and in line with business processes.  
• Vendor management: Assess all new vendors using a risk-based vendor management program. The program should also address retesting vendors in accordance with their identified risk level.    

The three proactive measures outlined above are some of the foundational steps your organization can take to elevate your supply chain security. Some of the other critical components to consider bringing in to improve supply chain security include attack surface management, penetration testing, and red team exercises.  

What’s next in supply chain security?  

When it comes to internal software development and associated risks from a supply chain perspective, the next steps to take after identifying malicious risk are not as simple as some may think. The reason it’s not straightforward is because the typical vulnerability escalation process now includes the adversary, because internal resources are seen as potential threats. As a result, “just fix the vulnerability” isn’t a viable mitigation strategy and organizations need to instead define governance the process and controls around managing malicious code.  

Malicious code risk mitigation steps can range from rather benign to very serious and may include: 

1. Suspicious, but not malicious 
2. Circle of trust invitation 
3. Passive monitoring 
4. Active suppression 
5. Executive-level event 

NetSPI’s supply chain security capabilities  

Leading businesses trust NetSPI for continuous threat and exposure management, leveraging our team, technology, and comprehensive methodology to detect and remediate vulnerabilities.

Learn more about how our Attack Surface Management, penetration testing, and red team testing capabilities can help identify where security gaps exist in your software supply chain. Connect with an expert team member by scheduling a demo today.