As we know, with the ever-evolving threat landscape of today, attacks are becoming much more frequent, much more targeted and a lot more sophisticated.
As you’re probably aware, SolarWinds was the victim of a cyberattack that inserted a vulnerability (SUNBURST) within their Orion Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.
This had a huge impact on the market: some 250 federal agencies and businesses are now believed to be affected, the New York Times reported. However, I don’t believe we’ve seen the end of this yet, with numerous cyber agencies yet to make a public announcement.
We know this type of attack only impacts those with SolarWinds deployed; however, it does highlight the importance of maintaining and continuously checking supply chain security, which can sometimes be overlooked on the assumption that the organisation (in this case SolarWinds) is secure enough to deploy across the environment. Supply chains can be large and complex, involving many suppliers doing many different things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain. A vulnerable supply chain can cause damage and disruption, as we can see from this attack.
Understanding the risks
Firstly, to help review supply chain security, we need to understand the risks: how significant would an attack on your supply chain be? How much would downtime cost you? How would this impact your brand image or reputation?
Without solid visibility into your supply chain, we also won’t understand the security controls the vendor or partner has implemented.
A few examples of the sorts of questions you should be asking would be:
- Do they continuously check for vulnerabilities?
- Do they prioritise patching for exploitable vulnerabilities?
- Do they pen test?
- Do they have or align to ISO 27001?
- Who has access and how do they control this access?
- Are these arrangements continually tested with the likes of best practice assessments?
Once we have this information we can highlight the key areas of risk, so that when it comes to deployment or onboarding we know the areas we need to improve or focus on. It’s entirely acceptable and appropriate to give a new supplier a slight grilling; without doing so we open up another avenue of risk, one we have limited visibility of and very little in the way of control over.
You can discover what the government’s recommended best practice is on the National Cyber Security Centre website.
If you'd like to speak to the Charterhouse Cyber Security Team, please do get in contact...