Many security professionals worry about intruder access via supply chain exploitation. It's scary to think that an adversary can bypass one or more security controls by infiltrating a business partner, vendor, software provider, or hardware supplier. This article shares five tips for mitigating key elements of supply chain risk.
- Start by asking partners, vendors, and other third parties questions about their security practices. A simple survey of standard security measures can reveal a lot about a counterparty's security, or lack thereof. Begin by assessing new business relationships; then incorporate the questionnaire into contract renewals with existing partners.
- Think about the implications of misplaced trust. Imagine how your security posture and business practices would, or should, change if an element of your supply chain proved untrustworthy. What is the impact of that change in trust? Identify the top three or five most critical partners in your supply chain and label them "too trusted to fail."
- Devise a containment strategy to limit the damage caused by a counterparty that is "too trusted to fail." If one of these counterparties is compromised, that should not destroy your business or its security posture. If the anticipated damage is too great, begin taking steps immediately to limit the expected damage. For example, if every aspect of your security program ties back to a vendor supplying two-factor authentication tokens, devise backup strategies to deal with those tokens becoming untrustworthy.
- Create visibility mechanisms to identify when elements of the supply chain are compromised. For example, if you suddenly could no longer trust the vendor supplying two-factor authentication tokens, ask how you would detect those tokens being exploited. Build visibility and detection mechanisms into your security program so that you identify compromised supply chain vendors before they notify you of a problem.
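The token-vendor scenario above is a useful one to make concrete. The following is an added example, not code from the article or from Mandiant; it shows two detection heuristics a security team could run over its own authentication logs if it suspected the vendor's token seeds were no longer trustworthy: an OTP value accepted more than once for the same user (a replayed or attacker-generated code), and successful token logins for one user from two different source addresses inside a short window (a cloned token in use alongside the legitimate one). The log format, field names and sample lines are constructed for the example, and the ten-minute window is an assumed tuning value.

```python
"""
Detect signs that a two-factor (OTP) token vendor may be compromised.

Heuristics over authentication logs:
 1. otp_replay: the same OTP code accepted twice for one user.
 2. concurrent_login: successful OTP logins for one user from two
    different source IPs within a short window.
Both are triage signals, not proof of compromise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed format:
# <ISO timestamp> user=<name> src=<ip> otp=<code> result=<ok|fail>
SAMPLE_LOG = """\
2011-04-01T08:00:05Z user=alice src=10.1.1.20 otp=493021 result=ok
2011-04-01T08:00:40Z user=bob src=10.1.1.31 otp=118832 result=ok
2011-04-01T08:01:10Z user=alice src=203.0.113.77 otp=493021 result=ok
2011-04-01T08:02:00Z user=carol src=10.1.1.40 otp=775100 result=fail
2011-04-01T08:02:30Z user=carol src=10.1.1.40 otp=775101 result=ok
2011-04-01T08:03:15Z user=bob src=198.51.100.9 otp=664209 result=ok
2011-04-01T09:30:00Z user=bob src=10.1.1.31 otp=901277 result=ok
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_otp_replays(records):
    """Flag any OTP code accepted more than once for the same user."""
    seen = {}      # (user, otp) -> first record that was accepted
    alerts = []
    for r in records:
        if r["result"] != "ok":
            continue   # failed attempts do not count as acceptance
        key = (r["user"], r["otp"])
        if key in seen:
            alerts.append({
                "type": "otp_replay",
                "user": r["user"],
                "otp": r["otp"],
                "first_src": seen[key]["src"],
                "second_src": r["src"],
            })
        else:
            seen[key] = r
    return alerts


def find_concurrent_logins(records, window=timedelta(minutes=10)):
    """Flag one user authenticating from two source IPs within `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "ok":
            by_user[r["user"]].append(r)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break      # sorted, so later records are further away
                if a["src"] != b["src"]:
                    alerts.append({
                        "type": "concurrent_login",
                        "user": user,
                        "srcs": (a["src"], b["src"]),
                        "gap_seconds": int((b["ts"] - a["ts"]).total_seconds()),
                    })
    return alerts


def analyze(text):
    """Run both heuristics over raw log text and return all alerts."""
    records = parse_log(text)
    return find_otp_replays(records) + find_concurrent_logins(records)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises one replay alert (alice's code 493021 accepted from two addresses) and two concurrent-login alerts (alice and bob). The concurrent-login rule will also fire on legitimate behaviour such as a user moving between an office network and a VPN, so it is best treated as a prioritisation signal to correlate with the replay rule and with other telemetry rather than as a standalone verdict.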
- Consider enlisting third parties who can provide information on the security state of counterparties. Mandiant Cloud Alert™, for example, is a way for an organization to receive an independent view of the security state of any organization connected to the Internet. Using cloud-based, "hands-off" technology, Mandiant Cloud Alert scores netblocks according to the amount of suspicious or malicious traffic seen emanating from those networks. If one or more of your vendors scores poorly in Mandiant Cloud Alert's rankings, your enterprise may be at risk from a vendor who has trouble operating a clean network.
With this five-step program, your security team can take proactive steps to mitigate key elements of supply chain risk.