Software Trust Manager 10-16-2021

How to Secure Your Business through The Supply Chain

Brian Honan

The COVID-19 pandemic has brought many changes to us, both in our personal and our business lives. Not all of those changes have been positive, as we struggled with lockdowns, restrictions in how we conduct our daily lives and the impact on our economies. However, some changes have been positive: we have seen the uptick in remote working, companies adopting new digital ways of working (such as cloud computing), and on personal levels, we have looked at how to better take care of ourselves.

My own new personal takeaway from the pandemic has been to ditch the car when I can and to use my bicycle more often. So I now cycle to work as much as I can: it’s a nice 5-kilometer commute, although I reserve the right to change my mind once the Irish winter closes in. Now what has cycling got to do with cybersecurity, I can hear you ask? Funnily enough, that is a connection I would not have made until one morning the chain on my bicycle snapped.

That of course brought me to thinking about the old cliché, “A chain is only as strong as its weakest link.” But it also made me realize that a fault or failure in one part of a system (the bicycle chain) can have a disastrous impact on the overall system (the bicycle itself), and that this in turn can have many effects outside that system. In this case, the broken chain resulted in me being late for work and having to push back a call with my team scheduled for first thing that morning.

In cybersecurity, we’ve seen how an attack on small part of a system can have huge ramifications. Earlier this year we witnessed the ransomware attack on the Colonial Pipeline billing system. When the billing system was ransomed and unavailable, Colonial Pipeline could no longer stand over the billing invoices they would be sending to their customers. So while the gas pipeline itself was not directly impacted, Colonial Pipeline took the decision to shut the pipeline down until the billing system was recovered. This in turn led to a price rise in gasoline in some gas stations on the east coast of the United States.

More recently we witnessed a ransomware attack against Kaseya, a provider of IT Management Software for Managed Service Providers (MSPs) and IT teams. The attackers infected Kaseya’s distribution server with ransomware, which in turn distributed that ransomware to MSPs, and these MSPs in turn then spread that malware into their client environments. It is estimated that over 60 MSPs and 1,500 companies were impacted, with the criminals behind the attack demanding a $70 million ransom. A supermarket chain in Sweden had to shut the doors of its stores due to their point-of-sale systems not working as a result of this ransomware attack. This in turn led to many Swedes not being able to get their normal shopping.

These attacks demonstrate the complexity of today’s modern business world and how inter-reliant we are on third parties, such as partners, clients, suppliers or other vendors to those parties, and how a disruption in one part of the supply chain can have effects for the business. Many businesses are closely intertwined with other business either via internet services, interconnected networks, API integrations or many other types of connections, so this third-party risk is growing at an exponential rate.

The traditional approach to manage this third-party risk has been to send out security questionnaires — often based on industry good practices such as NIST SP-800, COBIT or the ISO 27001:2013 Information Security Standard — to the vendors. The more sophisticated approach has been to convert these questionnaires into a spreadsheet and get the vendor to answer questions with proof to support their answers and to return the finished questionnaire. This questionnaire is then reviewed by someone responsible for vendor management, and if the responses are acceptable, the vendor is deemed secure enough to do business with. This process may then be repeated every year, or in many cases, may indeed never be repeated.

Securing the supply chain, in particular a dynamic and ever-changing supply chain such as the software supply chain, has to move from a checklist-based process where we rely on vendors to detail their security features by answering a myriad of questions, which in most cases are never validated and are simply a compliance measure to be stored away for the next audit, to a more proactive and verifiable approach.

The use of digital certificates, in particular in the software supply chain, can provide organizations with the assurances they need that the third-party systems, applications and data are coming from trusted and verified sources. Employing digital certificates along your software supply chain gives you and your partners confidence that all parties within that chain are legitimate and that all exchanges are secured.

Digital certificates, when deployed throughout your software supply chain, provide you with the ability and platform to verify all code at each stage of the software production process. Employing a Public Key Infrastructure (PKI)-based digital certificate management solution empowers your organization with the capability and confidence to ensure that you can analyze and verify the integrity of all code along your software supply chain. This means if a vendor, or one of their suppliers, should change an element of their code, it cannot become part of your production environment without being properly verified and analyzed along the whole software supply chain. If configured accordingly, this whole process can be automated to ensure secure or approved code can be quickly and efficiently added to your production environment, and any code that comes from untrusted sources or has not been properly digitally signed does not get included within your environment without first being formally approved.

In addition, having a robust digital certificate management solution based on PKI provides you with the ability to automatically expire a certificate corresponding to when a contract with a vendor ends, or the capability to revoke certificates for vendors, or even their sub-vendors, should you suspect they have been compromised, giving you the control and confidence that your software supply chain is operating in a secure manner.

Just as our lives have changed in response to the pandemic and more of us adopt new ways of living in our business and personal lives, we need to ensure the chains that we rely on, be they on a bicycle or in our suppliers, are robust, secure, and should they fail, that we have a quick and effective way of resolving any related issues.

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-21-2024

10 ways AI, quantum and trust will shape the year ahead 

Why certificate automation is an absolute must