Today we’re gonna talk about the supply chain, and more specifically supply chain attacks.
The software supply chain is vulnerable, and every vendor is vulnerable so everyone must do their due diligence.
The supply chain is such a hard element to secure because it spreads cross company which means when choosing who you work with, it’s essential to have an evaluation.
Something a lot of people don’t regularly think about is that roughly 90% of all applications contain some form of open source code 11% of which have known vulnerabilities. Attackers are starting to realize this and as such we’re seeing an increase in supply chain threats. So, smaller companies need to be extra vigilant as their developing and working with larger reputable clients.
How about foreign products. What are some of the chief exporters we know? Who do you think of? I know what I do and when I look at most stuff, I see…Made in China
• Almost all nations states, industries, and enterprises are at a potential threat from their respective adversaries, whoever that may be, let’s say the U.S. with China for example specifically the PLA, but also think of the other lower-cost sub chains.
• It’s really difficult to tackle securing the supply chain given how interconnected we all already are, but with awareness, folks who are responsible can start to ask the right questions, who’s in my supply chain, is my supply chain secure, how do I secure my supply chain, are my vendors being audited, what certifications do they have.
• We folks as consumers do it every day, for example say I want to buy some ethically made, sustainable, or fair-trade clothing…I would go and look for brands and suppliers who are fair trade certified, have USDA certified organic cotton, and whatever other certificates there are out there from GOTS the Global Organic Textile Standard to Oeko-Tex (oh-co-tex). I’d even look for a fair Labor Association accreditation. You see, we don’t just take things at face value when it comes to our own supply chain. The same should go for our enterprises. Something my friends and my family here me say way too often is Question everything or even more, Trust is a luxury I cannot afford, boy does my mom hate when I say that.
A primary question when auditing potential vendors everyone should ask is “What is the due diligence that’s being done with the supplier production and their suppliers from start to the end development of the product?” You want to self-assess, and get outside assessments done on your security, but obviously only from reputable firms. Don’t just go to some random company who says they do a pentest but what they actually do is run a Nessus or Qualys scan and call it a day, that’s not security, that’s vulnerability management, which is only a step on the way to security maturity.
For cybersecurity there’s a multitude of security maturity frameworks companies can get certified for, for example NIST 800-53, ISO 27001, FIPS-140, GDPR, even PCI-DSS for the Payment Card Industry, you know the lil machines you swipe, insert, or tap your credit/debit cards on.
You wanna, make sure to deploy some governance around your development cycles. Take software development for example, a good practice isn’t just DevOps but rather Dev Sec Ops.
With many of the attacks today from DragonFly attacks to the more recent Solar Winds breach, we’ve learned that Software Code signing alone is a poor defense in securing the software supply chain.
If you’re large enough and have a budget, try to build or buy a SoC and try to deploy some behavioral analytics-based threat detection. Last video mentioned Fire Eye’s initial detection of their sunburnt payloads wasn’t any fancy malware. It actually stemmed from them investigating an unusual logon with an unknown device and suspected IP.
• Think of it this way. A credit card company usually flags your card when it sees large purchases in another state, because they think that’s not you but someone using your card.
• That’s why there’s a checkbox that says, “Remember This Computer” or “Remember Me” and also why companies like Facebook etc. save your IP Address and device information in a database and cookie or cache
The thing we’re repeatedly seeing is high profile companies being hit with low profile cyber-attacks. Why target a company and try to battle its defenses when you can fight it’s vendors who are often smaller suppliers and infiltrate through that easier attack vector?
The best way to defend against this is by developing a secure foundation to begin with and or start to make cybersecurity a focus while acknowledging your risks.
• Look at your exposure to third party risk
• Look at the supplier’s security maturity
• Run some risk assessments, or even better leverage monitors that allow you to get insight into your security governance, compliance, and risk.
Basically, at the core, you want
Analysis and Monitoring
And a toolbox of solutions should a problem arise
A SoC is a great way to help you gain all of that, but it’s not full proof. Nothing is, but at least it gives you the ability to detect the threats.
A lot of folks have changed the question of if you’re going to get hacked, to when you’re going to get hacked. Which employs a certain realism but also makes the focus on the remediation and how to spin yourself back up component after a breach. Cyber insurance has gained in popularity, and many folks have started to prioritize back-ups, leveraging things like redundant load balancers for example, HA Proxy which I made a post about on jameskainth.com
Check out what Google [posted](https://privacy.google.com/businesses/) to ease the concern of some of their clients, they talk about using defense in depth, so security in layers, they go into compliance, incident response, and more on their privacy subsite for businesses.
There’re so many things you can leverage that you can really dive into once you start focusing into cybersecurity and securing your companies, like making sure you’re using encryption, and you look at data at rest vs data in transit, etc. You’ve got the CIA triad with Confidentiality, Integrity, and Availability, I can’t go over all of cybersecurity in this one video, but I will say look into it if you’re wondering, or feel free to @me j3st3rjam3s that’s with 3s. Security is hard, hell it’s expensive but it starts with awareness and help, and soon you’ll be on your way to security maturity. Secure the supply chains!
Now I’m sure some of you are saying James we can’t do all this, and you haven’t even gone into these topics in depth, and that’s right, I can’t go into the larger topics in depth in one video, but your curiosity is peaked go do some research *wink*
And no, we can’t be secure by ourselves, we can’t truly be secure until everyone around us is as well.
Adolus said it best, “This isn’t something that we can do as individual companies. We need cooperation on software threats and vulnerabilities across companies and across sectors. We need coordination between vendors, users, and consultants. And we need that cooperation to be in real time, not after the fact.
Thanks for watching this video don’t forget to like and subscribe and I’ll see you in the next video.