DefenseArk #ThreatIntelThursday | Supply Chain Attacks & Risk Management

Sarah King, OpenAVN
Published Aug 5, 2021 (4 min read)
Week 31: Supply Chain Attacks

This article is part of #ThreatIntelThursday @OpenAVN, an ongoing series that offers readers authoritative but easily digestible information about different kinds of malware, how they might be vulnerable to attacks, and what they can do to protect themselves. To read past Threat Intel Thursday articles, click here. (We suggest starting from Week 1: Malware.)

Supply Chain Risk Management

Supply chains, that is, the external elements required to operate organizational functions, are comprised of people, processes and technology. Organizations use risk management, the key element of information security, to preserve their ability to achieve their mission, goals and business objectives. Supply chain risk management (SCRM) identifies, assesses, mitigates and monitors the risk associated with an organization’s suppliers. Because operating organizational functions almost always requires externally supplied elements, a disruption or the sudden unavailability of a given element may prevent a critical function from operating and so endanger the organization’s operations.

Risk

Risk combines two elements: the impact of an event and the probability of that event occurring. Even elements of insignificant monetary value may cause disastrous disruption to an organization’s operations. Organizations must examine every element to determine how the disruption of each supply element would affect operations, and how probable that disruption is.

Causes of Supply Chain Disruptions

Both natural and human-induced events can cause supply chain interruptions. Supply chains can be affected by natural disasters, financial crises or attacks on computer systems. Natural events like hurricanes, floods, fires, tornadoes or a pandemic can disrupt supplies. Human events like riots, wars, political protests, accidents, explosions, or labor and skills shortages can adversely affect supply chains.

First/Second/Third Tier Suppliers

It’s natural to look at the risk of direct, or first-tier, suppliers. But multiple first-tier suppliers, or backup first-tier suppliers, may all rely on the same provider (the second-tier provider), so redundancy at the first tier can be an illusion. Organizations must therefore assess and manage second- and third-tier suppliers as well.

Factors Affecting SCRM

Factors that affect supply chain risk include the following:

  • Volume: Some companies follow Pareto’s Law, which states that 20 percent of the causes create 80 percent of the problems. By identifying those 20 percent, organizations can address the majority of supply chain risks.
  • Geography: Unstable or untrusted countries or regions put the normal supply of critical components at risk.
  • Impact on operations: The disruption of a key supply that dramatically affects operations represents a large amount of risk.
  • Second-tier disruptions: Organizations may identify first-tier (direct supplier) risk and even mitigate that risk through multiple or backup suppliers, but what if all of those suppliers rely on the same second-tier supplier?
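The two checks described above (shared second-tier dependencies behind apparently redundant first-tier suppliers, and the Pareto cut that picks the few components carrying most of the risk) can be put into code. The following is an added example and not part of the original article; all supplier, provider and component names, the dependency graph and the impact/probability ratings are constructed for illustration.

```python
"""Supplier-tier analysis (added example, not from the article).

Finds the upstream providers that every first-tier option for a component
depends on (the hidden second-tier single point of failure) and applies the
Pareto cut to focus on the components that carry most of the risk. All
supplier and component names are constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample data: component -> first-tier suppliers able to supply it.
FIRST_TIER: Dict[str, List[str]] = {
    "power-supply": ["Acme Power", "Volt Co"],
    "controller-board": ["BoardWorks", "CircuitPro", "PCB-Mart"],
    "enclosure": ["MetalForm"],
}

# Constructed sample data: supplier/provider -> the providers it depends on.
# Entries for second-tier providers give the third tier, and so on.
UPSTREAM: Dict[str, Set[str]] = {
    "Acme Power": {"ChipFab A", "Transformer Ltd"},
    "Volt Co": {"ChipFab A", "Coil Inc"},
    "BoardWorks": {"ChipFab A", "Laminate Co"},
    "CircuitPro": {"ChipFab B", "Laminate Co"},
    "PCB-Mart": {"ChipFab B", "Laminate Co"},
    "MetalForm": {"Steel Mill"},
    "Laminate Co": {"Resin Corp"},  # third tier
}


def transitive_upstream(supplier: str, graph: Dict[str, Set[str]]) -> Set[str]:
    """Every provider reachable from `supplier` through any number of tiers.

    Iterative depth-first walk; `seen` also protects against cycles in the
    supplier data (two firms that source from each other).
    """
    seen: Set[str] = set()
    stack = list(graph.get(supplier, ()))
    while stack:
        provider = stack.pop()
        if provider in seen:
            continue
        seen.add(provider)
        stack.extend(graph.get(provider, ()))
    return seen


def shared_upstream(component: str) -> Set[str]:
    """Providers that EVERY first-tier option for `component` depends on.

    Several first-tier suppliers only help if their upstream chains differ;
    anything in this set disrupts all of them at once.
    """
    chains = [transitive_upstream(s, UPSTREAM) for s in FIRST_TIER[component]]
    return set.intersection(*chains) if chains else set()


def single_points_of_failure(component: str) -> Dict[str, object]:
    """Summarise where `component` has no redundancy."""
    suppliers = FIRST_TIER[component]
    return {
        "single_first_tier_supplier": len(suppliers) == 1,
        "shared_upstream": sorted(shared_upstream(component)),
    }


def risk_score(impact: float, probability: float) -> float:
    """Risk as the product of impact and probability, as the article frames it."""
    return impact * probability


def pareto_subset(scores: Dict[str, float], fraction: float = 0.8) -> List[str]:
    """Smallest set of items, taken from the highest risk down, whose scores
    reach `fraction` of the total: the '20 percent of causes' to address first."""
    total = sum(scores.values())
    chosen: List[str] = []
    running = 0.0
    for name, score in sorted(scores.items(), key=lambda kv: kv[1], reverse=True):
        chosen.append(name)
        running += score
        if running >= fraction * total:
            break
    return chosen


if __name__ == "__main__":
    for comp in FIRST_TIER:
        print(comp, single_points_of_failure(comp))
    # Constructed ratings: impact on a 1-10 scale, probability of disruption per year.
    ratings: Dict[str, Tuple[float, float]] = {
        "power-supply": (9, 0.3), "controller-board": (8, 0.2),
        "enclosure": (3, 0.1), "labels": (1, 0.5), "screws": (2, 0.05),
    }
    scores = {n: risk_score(i, p) for n, (i, p) in ratings.items()}
    print("address first:", pareto_subset(scores))
```

With the constructed data, "power-supply" has two first-tier suppliers but both source from "ChipFab A", and the three "controller-board" suppliers all trace back to "Laminate Co" and, one tier further down, "Resin Corp". Those are the providers to assess even though they never appear on a purchase order.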

Organizations and International Standards to Protect Systems

Because supply chain risk management is involved and complicated, several organizations have created standards to help organizations protect against supply chain vulnerabilities. They include:

Computer System SCRM

Computer systems and networks include thousands of hardware and software components provided by a myriad of companies with extraordinarily complex supply chains. Systems, components and processes change frequently, so to maintain security, organizations must maintain the integrity of every integrated and integral component. A single chip modified or added by an untrusted, adversarial source could exfiltrate data without the system managers’ knowledge.
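Maintaining component integrity in practice means keeping an approved inventory and comparing what is actually present against it. The following is an added example, not code from the article or from OpenAVN: it hashes firmware and software images and reports components that are modified, added or missing relative to an approved manifest. Component names and image bytes are constructed. A physically added chip is outside what this check can see and needs hardware attestation or inspection, but the bookkeeping is the same.

```python
"""Component-integrity check against an approved manifest (added example,
not from the article). Component names and image bytes are constructed.

Compares the digest of each observed firmware/software image with an
approved manifest and reports unchanged, modified, added and missing
components, matching the article's point that a single modified or added
component can undermine a system.
"""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a component image, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


# Constructed "golden" images as shipped from the trusted source.
GOLDEN_IMAGES: Dict[str, bytes] = {
    "bmc-firmware": b"bmc firmware v1.2 (constructed)",
    "nic-firmware": b"nic firmware v4.0 (constructed)",
    "disk-controller": b"disk controller rom v2.7 (constructed)",
}

# The approved manifest an organization would keep (ideally signed and stored
# apart from the systems it describes): component name -> expected digest.
APPROVED_MANIFEST: Dict[str, str] = {
    name: sha256_hex(img) for name, img in GOLDEN_IMAGES.items()
}


def verify_components(approved: Dict[str, str],
                      observed: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare observed component images with the approved manifest.

    Returns the names of components that are unchanged ('ok'), present with a
    different digest ('modified'), present but not approved ('added') and
    approved but absent ('missing'). Any non-empty 'modified' or 'added' list
    is a supply-chain integrity finding to investigate.
    """
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "added": [], "missing": []}
    for name, expected in approved.items():
        if name not in observed:
            result["missing"].append(name)
        elif sha256_hex(observed[name]) != expected:
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    for name in observed:
        if name not in approved:
            result["added"].append(name)
    for names in result.values():
        names.sort()
    return result


def observed_inventory_sample() -> Dict[str, bytes]:
    """Constructed inventory read from a system: one component altered, one
    extra, one missing, so every branch of the check is exercised."""
    return {
        "bmc-firmware": GOLDEN_IMAGES["bmc-firmware"],
        "nic-firmware": GOLDEN_IMAGES["nic-firmware"] + b"\x00patched",  # modified
        "mystery-module": b"unknown image (constructed)",                 # added
        # "disk-controller" is absent: missing
    }


if __name__ == "__main__":
    findings = verify_components(APPROVED_MANIFEST, observed_inventory_sample())
    for category, names in findings.items():
        print(f"{category:9s}: {names}")
```

Run as a script, the check lists "nic-firmware" as modified, "mystery-module" as added and "disk-controller" as missing, leaving only "bmc-firmware" as ok. In a real deployment the manifest would be produced by the vendor or at acceptance testing and the comparison repeated on a schedule, since components and processes change frequently.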

In our next article, we will address supply chain risk as it relates to computer systems.

To defend your system from supply chain attacks and other digital threats, a lightweight but heavy-duty EPP is imperative. BrightScan is a cloud-based, blockchain-powered endpoint protection platform that can be customized to fit your needs and is user-friendly enough for the home office and powerful enough to protect large enterprises.

Contact our Head of Sales, Jourdan Parkinson, to schedule a free demo of our cloud-based EPP, BrightScan, or just to chat about how our products can work for you.

For more of the latest in cybersecurity, subscribe to OpenAVN’s blog right here on Medium. In addition to Threat-Intel Thursdays, we also write about breaking news, thought leadership, and deep-dives into cyber intel.

About the Author: Ted Udelson, PMP, CISSP, Security+, Network+, A+ is the chief learning officer and cofounder of Succinctive Training, LLC. Ted uses his over 35 years of experience in information security and technology to inform his writing for #threatintelthursday.
