Third-party risk has long been an acknowledged threat to corporate cybersecurity due to the access that partners, contractors and other trusted third parties have to an organization’s systems and sensitive data. However, an organization’s external security risks extend far beyond its trusted third parties.
The SolarWinds, Kaseya and similar attacks have underscored the security risks of corporate supply chains. While an organization may lack a direct trust relationship with a particular organization, this does not mean that these fourth parties cannot affect the company’s cybersecurity.
The security impacts of supply chain attacks
The average company faces numerous supply chain security risks. Some common sources of supply chain risk include:
- External software: The SolarWinds attacker inserted malicious code into trusted applications, providing them with backdoor access to organizations’ information technology (IT) environments.
- Open-source libraries: The use of third-party and open-source libraries and code is commonplace, and 99% of corporate codebases contain at least some open-source code. If this open-source code contains vulnerabilities or malicious functionality, it leaves users vulnerable to attack. Additionally, the deletion of vital third-party libraries can render corporate software unusable.
- Fourth-party partners: An organization’s partners, vendors and suppliers have their own third-party partners, who could be exploited to indirectly target an organization.
- Cloud hosting: Placing data and applications on hosted cloud infrastructure creates security risks associated with the cloud provider and co-hosted cloud users.
Supply chain exploits provide an attacker with another means of gaining access to an organization’s environment or attacking it indirectly. Some of the potential objectives of a supply chain attack include:
- Data theft: Supply chain attacks can provide attackers with access to sensitive data where it is least protected. For example, in addition to providing access to corporate environments, a supply chain attack could enable an attacker to access and steal company data that was entrusted to a more vulnerable third-party partner.
- Malware infections: Supply chain attacks like the SolarWinds hack can provide an attacker with a foothold on an organization’s internal network. From this foothold, the attacker could download and deploy second-stage malware, such as ransomware, to take advantage of their backdoored access.
- Denial of Service attacks: By targeting an organization’s supply chain, an attacker can indirectly perform a Denial-of-Service attack on an organization and harm its ability to serve customers and meet service level agreements (SLAs). For example, an attack on a critical service provider or deletion of a vital open-source library could impair an organization’s ability to operate.
- Multi-stage attacks: An organization that is the victim of a supply chain attack may only have been targeted for its relationships. An organization attacked via its supply chain can have its trust relationships exploited to target customers, vendors and other third parties.
- Human error: Human behavior continues to be one of the leading causes of cyber incidents globally and across all industries. Split-second human decisions often allow for vulnerabilities to be exploited, granting success to the broad spectrum of phishing attacks despite training and compliance mandates. Attackers can also utilize anonymous memory sticks by plugging them into a network connected computing device in order to gain access to the device’s data.
Supply chain exploits expand an attacker’s options for gaining access to and causing harm to an organization’s systems. Managing supply chain risks is an essential part of any organization’s cybersecurity strategy.
Managing fourth-party security risks
Third-party risk management is a significant challenge due to the sheer number of relationships, endpoints and end-users that the average organization has. However, organizations have visibility into their third-party relationships and the ability to directly assess the risks associated with them.
The same is not true of fourth-party and supply chain risks, where indirect trust relationships create security risks for an organization. However, managing these risks is equally as important as managing third-party risks since they pose an equivalent threat to the organization.
Since any system could potentially provide an access vector for an attacker, companies must take steps to minimize the impact of a potential compromise. Fourth-party risk management requires the development of security programs and controls based on the principles of least privilege and zero trust access. These principles and controls must be implemented enterprise-wide in a rigorous manner supported by a continuous monitoring program. By identifying fourth-party risks, eliminating them when possible, and restricting the access of untrusted parties and systems to corporate assets, an organization can manage the risks associated with identifying potential supply chain exploits and vulnerable attack surface vectors.
A thorough review of data sources and data consumers across fourth-party relationships should be done and included in roles-based access control (RBAC) records to prioritize a factor analysis of risk presented by fourth-party relationships. By prioritizing vulnerabilities and potential vulnerabilities, firms can begin to properly measure and quantify the risk associated with their fourth-party relationships in the categories of RBAC, activity-based access control, and policy-based access control. Each has distinctive methodologies and can be selected to tailor to the degree of risk and resilience desired.