In the first part of this series, we explained how you are ‘only as secure as the company you keep’ and detailed the threat posed by supply chain attacks such as the 2017 NotPetya attack and the ongoing activities of the Magecart cybercriminal groups. However, for most organisations, having a supply chain is not optional. Here, we will go through ways of vetting your supply chain.
It’s tempting to think that supply chain attacks are only a concern for huge companies, such as Maersk (a major victim of the NotPetya attack), or for nation states, as with the UK government’s worries about the prevalence of Chinese products in its critical national networking infrastructure. However, the size of a supply chain does not, on its own, indicate the level of risk it poses. A company with a larger supply chain will usually have a larger security team to match, and a large, well-vetted supply chain poses less of a risk than a small, poorly-vetted one. What matters is how thoroughly each link has been assessed, not how many links there are.
It’s also important to realise just who your supply chain includes. Obviously, there are all the upstream companies whose products and services you use or incorporate in your own dealings. These need not be technical suppliers, either: an attacker who gets a job at the catering company you use, say, suddenly has a way into your building and a role that most people are unlikely to suspect. If you wonder whether an attacker would really go to that sort of effort to sneak in, consider recent reports that gangs may be getting members jobs within HM Prison Service in order to smuggle contraband inside more easily.
Thorough vetting of every other company in your supply chain is vital to your security. There are a handful of standardised questionnaires that you can use, such as the very comprehensive Standardized Information Gathering (SIG) toolkit, the cloud-focused Consensus Assessments Initiative Questionnaire (CAIQ) or Google’s own Vendor Security Assessment Questionnaire (VSAQ). Bear in mind that questionnaire answers are self-reported, so where the supplier matters, ask for supporting evidence such as recent audit reports or penetration test summaries. The accreditations your prospective supplier holds, such as Cyber Essentials in the UK, are also a useful barometer for judging how seriously they take information security, though a baseline scheme like Cyber Essentials indicates hygiene rather than a high level of assurance. Finally, some awareness of the geopolitical environment the company operates in may be important, particularly for sensitive work: might they be compelled by their own government to disclose your secrets?
Your supply chain extends far beyond just those companies with which you have working agreements. It likely includes a lot of companies you will never have heard of, but whose software you or your employees use regularly. Few users of the popular CCleaner application would have considered its developer Piriform, acquired by Avast in 2017, part of their supply chain, and this oversight may have cost them dearly when a backdoor was smuggled into an official release of the software that same year, reaching 2.27m machines before it was discovered. Software and hardware must be vetted much as supplier companies are before they are added to your company network. Ideally, employees should be restricted to installing software and hardware from a company whitelist, and that whitelist should identify the exact vetted build, not just the product name.
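As an added illustration of that last point (this is example code written for this edit, not from the original article or from any vendor), here is a minimal hash-pinned software whitelist check in Python. A manifest in the familiar `sha256sum` output format records the digest of each build the security team has vetted; anything else is denied by default. The trojanised CCleaner build carried a valid Piriform code-signing certificate, so a signature check alone would have passed it, whereas pinning the digest of the exact bytes you vetted holds any new or altered build until someone looks at it. The file names, sample bytes and manifest below are constructed for the example.

```python
"""Hash-pinned software whitelist check (added example, not part of the original article).

Assumptions (all hypothetical): the security team publishes a manifest in
sha256sum format ("<hex digest>  <file name>", optionally "*<file name>" for
binary mode) listing every build that has been vetted. An installer is
approved only when BOTH its file name and its SHA-256 match an entry.
"""
import hashlib
import re
from enum import Enum

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


class Verdict(Enum):
    """Outcome of checking a candidate installer against the whitelist."""
    APPROVED = "digest matches a vetted build of this package"
    UNVETTED_BUILD = "known package, but this build was never vetted (new release or tampering); hold"
    UNKNOWN_PACKAGE = "package is not on the whitelist at all; hold for vetting"


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA-256 of the file contents."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, set[str]]:
    """Parse sha256sum-style lines into {file name: {approved digests}}.

    Several vetted versions of one package may coexist. Blank lines and
    '#' comments are skipped; a malformed digest is an error rather than a
    silently ignored entry, so a corrupted manifest cannot approve anything.
    """
    manifest: dict[str, set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not HEX64.match(parts[0]):
            raise ValueError(f"manifest line {lineno}: expected '<sha256>  <name>', got {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        if name.startswith("*"):      # sha256sum's binary-mode marker
            name = name[1:]
        manifest.setdefault(name, set()).add(digest)
    return manifest


def vet_installer(name: str, data: bytes, manifest: dict[str, set[str]]) -> Verdict:
    """Deny by default: only the exact bytes the security team vetted are approved.

    A freshly published upstream release, even one with a valid vendor
    signature, comes back UNVETTED_BUILD until it has been reviewed and its
    digest added to the manifest.
    """
    approved = manifest.get(name)
    if approved is None:
        return Verdict.UNKNOWN_PACKAGE
    if sha256_hex(data) not in approved:
        return Verdict.UNVETTED_BUILD
    return Verdict.APPROVED


if __name__ == "__main__":
    # Constructed stand-ins for real installer binaries.
    vetted_build = b"MZ\x90\x00 example-tool 4.1 (build vetted by the security team)"
    new_release = b"MZ\x90\x00 example-tool 4.2 (just published upstream, not yet reviewed)"
    manifest = parse_manifest(
        "# approved builds, sha256sum format\n"
        f"{sha256_hex(vetted_build)}  example-tool-setup.exe\n"
    )
    cases = [
        ("vetted build", "example-tool-setup.exe", vetted_build),
        ("unreviewed new release", "example-tool-setup.exe", new_release),
        ("vetted bytes, unknown name", "other-tool-setup.exe", vetted_build),
    ]
    for label, fname, data in cases:
        verdict = vet_installer(fname, data, manifest)
        print(f"{label:<28} -> {verdict.name}: {verdict.value}")
```

In practice the manifest would be produced by the team that performs the vetting and distributed read-only to the enforcement point (an endpoint agent, a software deployment tool or a download proxy); the check itself is deliberately boring, because the security comes from the process that decides what goes into the manifest.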
In the third and final part of this series, we will look at what you can do to protect yourself, even in the event of your supply chain being compromised.