Supply chain cyberattacks are increasing as companies outsource a growing number of services. Today, your enterprise is more likely than ever to have third parties touching sensitive data. Even when your security controls are robust, an attacker can breach a weaker network—like the network of one of your suppliers, service providers, or partners—and use it as an indirect route into your network. In 2018, many highly publicized breaches were the result of supply-chain attacks: Atrium Health, the Australian Defence Department, Best Buy, City of Bakersfield, City of York (England), Delta Airlines, Facebook, Kmart, Nordstrom, and Sears among others.
According to a Ponemon Institute survey, the highest-rated cybersecurity concerns for 2019 are third-party risks and data breaches. Misused or shared confidential information was stated as the "most worrisome" security incident for 64% of respondents.
Supply Chain Touchpoints and Risk
How can business associates, vendors, suppliers and distributors adversely affect your security posture? Here are a few examples:
- If a network connection between your organization and a business partner’s becomes compromised, malicious actors can gain access to critical endpoints and servers. Testing for the ability to move laterally within your organization, the ability to exploit critical systems and subsequently exfiltrate sensitive data (e.g. electronic health records, PII, etc.)—may enable defending against this type of vulnerability. Interconnecting networks are common, for example, in the healthcare ecosystem, where Health Information Exchanges (or HIEs) transfer sensitive medical records between hospitals, insurance providers and pharmacies. Other examples include financial institutions, private cloud networks and automated clearing houses (ACHs).
- A portal shared by a company and its vendors, e.g. a help desk portal or partner marketing portal, can potentially serve as an entry point for further compromise, as was the case with the infamous Target breach. For example, if access credentials to that portal are compromised, a hacker could plant a water-holing attack in the portal, leading to further infections by company employees who visit that portal and click on a malicious link (or worse—get infected by an invisible drive-by-download). Testing security around the portal, could once again, help an organization improve its security posture (e.g. checking WAF, segmentation, endpoint security etc.).
In an Ideal World
How can you know when third-party partners represent real cyber risk? It's difficult. If your organization's vendor management program does not take security measures into account for each partner, you have little visibility into their security postures. In addition, your organization might not track which third parties have access to sensitive or confidential information, how they use it, or when they share it with other vendors. And few organizations conduct security audits of their third-party partners.
In an ideal world, enterprises would evaluate partners, suppliers, resellers, and service providers in a variety of ways. They would ensure that each partner's IT security, data protection, user privacy, and security policies are defined and audited periodically. They could require partners to satisfy specific security conditions as part of their SLA before consenting to do business with them. Some companies might even conduct pentesting to check a partner's security posture.
In the Real World...
Assessing third-party security is a task that will require you and your partners to work together in identifying shared touch points and ensuring they are protected. You can assess security controls and gather valuable data that enables all parties to improve their defenses. Breach and Attack Simulation (BAS) technology, such as Cymulate, enables you to quickly test and measure your infrastructure's ability to defend against multi-vector attacks, whether they originate from within your network our outside of it. With quantifiable risk data in hand, you can then mitigate risks as you decide. Here are real-world steps you can take:
- Test what's deployed and how well it's working: Cyber security experts stress the importance of understanding your external infrastructure and gateways into the network. Use BAS to test existing security controls. Testing for functionality and efficacy delivers consistent, quantifiable data in the form of a risk metric—regardless of vendor brands deployed in various attack vectors.
Experts also recommend implementing threat intelligence to catch propagating malware, data exfiltration, and unauthorized access attempts. Cymulate BAS tests your infrastructure and measures its strength against the latest threat intelligence, telling you how well you are prepared for current attacker TTPs.
- Measure response readiness: In addition to evaluating security controls, use Breach and Attack Simulation to assess incident response readiness. By checking whether your incident response (SOC) team identifies simulated cyber attacks, they will be better prepared for a real breach.
- Focus on outcomes: Although compliance controls are valuable frameworks for building out a security infrastructure, they cannot assess effectiveness against real threats. Use BAS to identify how controls actually respond in the face of attacker behavior. A quantifiable risk metric is assigned to each test, so you can easily see security gaps or weaknesses.
- Prioritize any mitigation needed: Accurate risk scores provide a realistic picture of your security posture and enable you to prioritize mitigation efforts based on defined business risks. For example, a BAS test of email security might reveal that attachments containing ransomware, worm, or trojan penetrated email defenses approximately half of the time. The simulation may, for example, identify malicious links as presenting the highest risk and conversely, identify the risk from ransomware as being the lowest, depending on your security controls.
Now you can make the decisions that are best for your organization. You can address each layer of email security to make sure that it has the capability to defend against threats, is configured correctly, or tuned appropriately. You might need to upgrade a solution to a current version or replace it with something more effective. Or you can decide that the current level of risk to email is acceptable in light of available resources and other priorities.
With a fluid third-party ecosystem, you can quickly and accurately assess the organization's security posture at any time, in any area, and across all threat vectors. Make BAS a strategic component of your cybersecurity strategy, either complementing existing annual pentesting or replacing it. BAS gives you a comprehensive—yet easy—way to find out which partners meet your cybersecurity expectations and ensure that your defenses are optimized no matter what.
 What is a supply chain attack? Why you should be wary of third-party providers. CSO Online, January 25, 2019
 How to Reduce the Impact of Supply Chain Attacks by Cybersecurity Procedures, DZone Sept. 4, 2018 https://dzone.com/articles/how-to-reduce-the-impact-of-supply-chain-attacks-b
 Measuring and Managing the Cyber Risks to Business Operations, Ponemon Institute, December 2018
 Supply Chain Cybersecurity: Experts on How to Mitigate Third-Party Risk, Digital Guardian, July 27, 2017