Organisations rely on technology vendors and partners to help manage their data and infrastructure. In recent years there has been an increase in successful cyber attacks against organisations that form part of the technology ‘supply chain’. Examples include IT Managed Service Providers (MSPs), software companies and a range of others such as call centres.
There are numerous examples of third-party breaches that have significantly impacted an organisation, dating back to the early 2000s when payment cards were compromised, and more recently ransomware attacks that can both lock and steal an organisation’s data. In its recent report on Supply Chain Cyber Security, the New Zealand National Cyber Security Centre reported:
In 2019, researchers discovered that malicious cyber actors had created a Trojanised alternate version of update utility software created by ASUS, a large multinational consumer electronics company. The alternate version contained malware but was signed with legitimate certificates and distributed to users on ASUS’ own update platform. The goal of this attack was to target a small and specific set of ASUS customers, while ignoring all other users. The malware remained undetected for a significant period of time because it appeared to be genuine software hosted by ASUS.
According to CIS Control 15, at a minimum your organisation should achieve safeguard 15.1 (Establish and Maintain an Inventory of Service Providers). The full list of safeguards is below.
15.1 Establish and Maintain an Inventory of Service Providers
15.2 Establish and Maintain a Service Provider Management Policy
15.3 Classify Service Providers
15.4 Ensure Service Provider Contracts Include Security Requirements
15.5 Assess Service Providers
15.6 Monitor Service Providers
15.7 Securely Decommission Service Providers
The United Kingdom National Cyber Security Centre published a blog post providing guidance when managing supply chain risk. The following extract discusses getting the balance right:
Using an MSP is a security trade-off. You will gain the security benefits that come with using the MSP’s expertise, which will often include more cloud security expertise than you’ll have been able to hire yourself. However, you also almost always end up having to give the MSP administrative access to your data. This increases the attack surface, as there are now more systems that, if attacked, would compromise your data. As such, the MSP’s own IT system can be a juicy target for attackers, given that they (and hence any successful attackers) can use that common system to log in to and manage their various customers’ cloud deployments. As we stated last year in a joint cyber security advisory published by CISA, it’s not just a theoretical risk. Publications from Microsoft and N-able highlight that this real threat uses techniques that are relatively unchanged from those documented by PwC in 2017, and is part of a trend that we expect to continue.
References
https://www.ncsc.govt.nz/resources/cyber-resilience-guidance/supply-chain
https://www.ncsc.gov.uk/blog-post/using-msps-to-administer-your-cloud-services
https://www.ncsc.gov.uk/collection/assess-supply-chain-cyber-security
