BreachExchange mailing list archives

Combating cyber risk in the supply chain


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 11 Nov 2014 19:32:04 -0700

http://www.scmagazine.com/combating-cyber-risk-in-the-supply-chain/article/381050/


Security threats within the supply chain have been a concern of purchasing,
information security and risk and compliance teams for many years. What's
new is the rapid increase in targeted attacks on a less well-defended area
for most corporations -- the confidential data now commonly shared with
supply chain vendors and partners.

In research released in 2013, the Information Security Forum (ISF) found
that, “of all the supply chain risks, information risk is the least well
managed,” and that, “forty percent of the data-security breaches
experienced by organizations arise from attacks on their suppliers.” The
Target breach began with a simple login to its corporate network—a login
seen as normal by its security systems because the user name and password
were valid. The problem, of course, was that these login credentials were
stolen—yet they were also authorized for access, so they went unchallenged
by Target's authentication system.

Consider the fact that the recent Dragonfly/Energetic Bear hack of U.S. and
European energy companies began with a spear-phishing campaign against
senior employees in energy sector companies. Those senior employees took
the bait and enabled the hackers to compromise legitimate software used by
industrial control system (ICS) manufacturers, inserting malware into
software updates sent from the ICS manufacturers to their clients.

Everyone involved with vendor management — from legal and risk/compliance
teams to information security and purchasing specialists — should now
develop a common, collaborative security strategy (or program) that
includes layering new protections onto processes and policies to defend
against information risk in the supply chain. Adding the following
practices to your existing security controls can help you collaborate
productively for a targeted approach to supply chain cybersecurity.

Map locations of sensitive data: Collaborate across all relevant teams to
determine which data—intellectual property, employee records, financial
information, credit card data — is considered sensitive by your
organization. Security teams should audit for all locations of that
sensitive data on your network, as well as for the locations of copies of
that data that may be accessible to members of your supply chain.

Evaluate risk by vendor: Assess and rank vendors and partners with access
to your network—or any who retain copies of your data—according to their
risk to information security. Two helpful templates for this are the
annotated ICT Supply Chain Risk Management Plan Template in NIST guideline
Appendix H and the ISF Supply Chain Information Risk Assurance Process
template.

Employ an information security survey: Incorporate a simple survey of
standard information security measures early in the process of on-boarding
a supply-chain partner, and request information on its incident response
and business continuity plans. If the partner will not reveal such
details—or doesn't have such plans in place—it's up to you and your legal
team to determine what other forms of reassurance would be sufficient. This
survey should be reintroduced during any subsequent contract-renewal
process.

The results can assist you in ranking your vendors and suppliers based on
the degree of risk each represents. Once your ranking is complete, it can
serve as the basis for a tiered approach to partnership agreements, as well
as to the level of network and/or data access you grant each one and the
security controls they are expected to put in place.

Build security assurances into vendor/partner agreements: Advise your legal
team to add a corporate data security and incident response policy into
vendor agreements and to stipulate compliance with them.

Add depth and breadth to basic security practices: Recommended protections
include network segmentation, multi-factor authentication, and strong
passwords, but the ability to receive alerts on anomalous endpoint activity
is now critical, too. This capability should be established at least on
those network endpoints that store confidential information.
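The Target example earlier in the article is the case these alerts need to catch: the credentials were valid, so authentication alone raised nothing. The following is an added illustration (not code from the article or from SC Magazine) of what "anomalous activity" alerting can mean once vendors have been ranked and given tiered access: each vendor account carries an access profile (contracted target systems, agreed source networks, expected working hours), and a successful login that breaks its profile is flagged. The profiles, host names, IP addresses and log lines are all constructed for the example; the log format is an assumption.

```python
"""Flag successful vendor-account logins that fall outside that vendor's
agreed access profile.  Added illustration; the profiles and log lines
below are constructed, not taken from any real environment."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class VendorProfile:
    tier: int              # 1 = least sensitive access, 3 = most (constructed scale)
    allowed_hosts: set     # systems this vendor is contracted to reach
    allowed_sources: set   # agreed vendor source networks (prefix strings, simplified)
    work_hours: tuple = (7, 19)   # local hours during which logins are expected


# Constructed profiles, as would come out of the vendor-ranking step.
PROFILES = {
    "hvac-vendor-svc": VendorProfile(tier=1, allowed_hosts={"bms-portal"},
                                     allowed_sources={"203.0.113."}),
    "payroll-partner": VendorProfile(tier=3, allowed_hosts={"hr-db", "sftp-hr"},
                                     allowed_sources={"198.51.100."}),
}

# Constructed authentication log lines: "<timestamp> <user> <src_ip> <target> <result>"
LOG_LINES = [
    "2014-11-10T09:12:03 hvac-vendor-svc 203.0.113.8 bms-portal SUCCESS",
    "2014-11-10T23:41:55 hvac-vendor-svc 203.0.113.8 bms-portal SUCCESS",
    "2014-11-11T10:02:17 hvac-vendor-svc 203.0.113.8 pos-server-17 SUCCESS",
    "2014-11-11T10:30:00 payroll-partner 192.0.2.44 hr-db SUCCESS",
    "2014-11-11T11:00:00 payroll-partner 198.51.100.5 hr-db FAILURE",
    "2014-11-11T11:05:00 unknown-acct 198.51.100.5 hr-db SUCCESS",
]


def parse(line):
    """Split one constructed log line into its five fields."""
    ts, user, src, target, result = line.split()
    return datetime.fromisoformat(ts), user, src, target, result


def check_login(ts, user, src, target, profiles=PROFILES):
    """Return the reasons a successful login is anomalous; an empty list means it matched its profile."""
    profile = profiles.get(user)
    if profile is None:
        # Valid credentials for an account nobody owns is exactly the Target pattern.
        return ["no access profile on record for account"]
    reasons = []
    if target not in profile.allowed_hosts:
        reasons.append(f"target {target} outside contracted scope (tier {profile.tier})")
    if not any(src.startswith(prefix) for prefix in profile.allowed_sources):
        reasons.append(f"source {src} not an agreed vendor network")
    start, end = profile.work_hours
    if not (start <= ts.hour < end):
        reasons.append(f"login at {ts.hour:02d}:00 outside expected hours")
    return reasons


def scan(lines, profiles=PROFILES):
    """Return (user, target, reasons) for every successful login that breaks its profile."""
    alerts = []
    for line in lines:
        ts, user, src, target, result = parse(line)
        if result != "SUCCESS":   # failed logins are a separate signal; not handled here
            continue
        reasons = check_login(ts, user, src, target, profiles)
        if reasons:
            alerts.append((user, target, reasons))
    return alerts


if __name__ == "__main__":
    for user, target, reasons in scan(LOG_LINES):
        print(f"ALERT {user} -> {target}: {'; '.join(reasons)}")
```

Run as written, the scan raises four alerts: an off-hours login, a tier-1 vendor reaching a host outside its contracted scope, a tier-3 partner connecting from a network that is not in its agreement, and a successful login by an account with no profile at all. The point for the vendor-management program is that each rule is only as good as the profile behind it, which is why the ranking and tiering steps above have to produce something concrete enough to check against.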

Consider cyber “war games” training for vendors and partners: This does not
have to be elaborate or time-consuming to be effective. Your team can
create tests and exercises that require every stakeholder from security,
legal, human resources and vendor teams to practice the critical steps in
incident response after a breach has been detected. One highly informative
exercise involves sending a fake “phishing” email that appears to be from
someone known to the recipient to test your organization's and your vendor
organizations' security habits and awareness. Do they click the link in the
email that says, “Your CEO Robert asked us to confirm this with you. Just
click the link…”?

Working together, every department and manager involved with the supply
chain and partner organizations can build a safer environment for supply
chain operations. Doing so before a cyber attack or accidental data breach
occurs can close a critical gap in your organization's security posture.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
