Supply Chain Risk Management
Supply Chain Risk Management (SCRM) describes the process of managing the risk that comes with purchasing products and services from third parties. NIST describes this process as “A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal)” [^15^].
The SolarWinds hack is a recent example of a large-scale supply chain incident. The General Accounting Office (GAO) describes the attack:
Beginning in September 2019, a campaign of cyberattacks, now identified to be perpetrated by the Russian Foreign Intelligence Service (hereafter referred to as the threat actor), breached the computing networks at SolarWinds—a Texas-based network management software company. The threat actor first conducted a “dry run,” injecting test code into SolarWinds’ network management and monitoring suite of products called Orion. Then, beginning in February 2020, the threat actor injected trojanized (hidden) code into a file that was later included in SolarWinds’ Orion software updates. SolarWinds released the software updates to its customers not realizing that the updates were compromised. The trojanized code had provided the threat actor with a “backdoor”—a program that can give an intruder remote access to an infected computer. According to cybersecurity researchers, the threat actor was then able to remotely exploit the networks and systems of SolarWinds’ customers who had downloaded the compromised software updates using a sophisticated computing infrastructure.
Since SolarWinds is widely used in the federal government to monitor network activity on federal systems, this incident allowed the threat actor to breach infected agency information systems. SolarWinds estimates that nearly 18,000 of its customers received a compromised software update. Of those, the threat actor targeted a smaller subset of high-value customers, including the federal government, to exploit for the primary purpose of espionage [^16^].
Risks Associated With Hardware, Software, and Services
Procurement is the process of acquiring hardware, software, or services from a third party. In many, if not most, organizations there is little insight either sought or provided regarding the security of the solution. Traditionally, when security was involved at all, it was an afterthought, incorporated late in the procurement process. Leveraging the security department early and often can serve as a preventive control, allowing the organization to make risk-based decisions even before a vendor or solution is accepted. While security will certainly not be the only, or the most important, consideration, the earlier security is involved, the greater the chance of meaningful discussion about the security challenges and the countermeasures the procurement may require.
Vendor Governance
Given the various ways organizations rely on third-party organizations and vendors, there is a need for vendor governance, also called vendor management. The goal of vendor governance is to ensure that the business continually receives sufficient quality from its third-party providers. Professionals performing this function will often be employed at both the originating organization and the third party. Interestingly, vendor governance or management can itself be outsourced to yet another third party. Ultimately, the goal is to ensure that strategic partnerships between organizations continually provide the expected value.
Acquisitions
Acquisitions can be disruptive to business, impacting aspects of both organizations. That goes doubly so for information security. Imagine that Tyrell Corporation has acquired Tannhauser, Inc. Tyrell Corporation has made a significant investment in information security, while Tannhauser has not. In fact, there are multiple live intrusions on the Tannhauser network including a live worm infestation. What if Tyrell simply links the two corporate WANs together, with little or no filtering between the two?
Due diligence requires a thorough risk assessment of any acquired company’s information security program, including an effective assessment of the current state of network security. This includes performing vulnerability assessment and penetration testing of the acquired company before any merger of networks. See Chapter 7, Domain 6: Security Assessment and Testing for more information on the types of tests that should be performed.