When considering third parties to provide some form of support or product for your organization, do you consider the supply chain risks that typically come from incorporating other companies' input into your product? Supply chain risk has become so prevalent that NIST SP 800-53 rev5 has a heavy focus on supply chain risk throughout all the control families. In some recent examples, we have seen supply chain vulnerabilities used to compromise a downstream organization, with the downstream organization, rather than the supplier compromised first, usually being the real target of the initial attack. Some things that organizations can do to help protect themselves from these supply chain risks include:
Use FedRAMP‐authorized services.
FedRAMP certification, based on NIST standards, allows the downstream client to feel confident that the third party has been properly assessed.
How do the vendors release updates? Are they analyzed before uploading?
Ensuring that the channel used to receive the update is secure protects against man-in-the-middle attacks, and verifying that the updates have not been modified in transit also protects against supply chain attacks.
Do they sign their executables and DLLs?
Having these files signed, and their signatures validated at runtime, ensures their integrity.
Do those vendors provide hashes of installation packages and updates?
Any change to the files changes the hash, so the installer can detect that the product was altered.
Do they incorporate threat intelligence and threat hunting into their security posture?
Understanding the current threat landscape, newly released vulnerabilities, and chatter from bad actors about your company, coupled with effective threat hunting to detect malicious activity within the third-party organization, is important in protecting the supply chain.
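As an added illustration of the hash check described under installation packages and updates above (example code written for this page, not taken from any vendor or from the original text), the following Python verifier checks downloaded packages against a vendor's published SHA-256 manifest and reports each file as intact, tampered, or missing. The manifest layout is assumed to be the common "digest  filename" form, and the file names and bytes in demo() are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_checksum_manifest(text):  # 'sha256hex  filename' lines, SHA256SUMS style
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name.strip():
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip()] = digest.lower()
    return expected

def sha256_file(path, chunk_size=1 << 20):
    h = hashlib.sha256()  # chunked so large installers need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_packages(manifest_text, directory):
    """Map filename -> 'ok' | 'MISMATCH' | 'MISSING'. The manifest itself must
    come over a trusted channel (TLS or a signed file), else it proves nothing."""
    results = {}
    for name, digest in parse_checksum_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        # constant-time compare: do not leak how many leading bytes matched
        results[name] = "ok" if hmac.compare_digest(sha256_file(path), digest) else "MISMATCH"
    return results

def demo():
    genuine = {  # hypothetical vendor artifacts; bytes constructed for this example
        "agent-installer.msi": b"constructed genuine installer bytes",
        "agent-update.bin": b"constructed genuine update bytes",
        "helper.dll": b"constructed genuine helper bytes",
    }
    manifest = "\n".join(f"{hashlib.sha256(b).hexdigest()}  {n}" for n, b in genuine.items())  # vendor publishes these
    with tempfile.TemporaryDirectory() as d:
        downloads = {"agent-installer.msi": genuine["agent-installer.msi"],  # intact
                     "agent-update.bin": genuine["agent-update.bin"] + b"\x00tampered"}
        for name, data in downloads.items():  # helper.dll never arrives at all
            (Path(d) / name).write_bytes(data)
        return verify_packages(manifest, d)
```

Running demo() reports the installer as ok, the update as MISMATCH and the helper as MISSING; a real deployment would refuse to install anything that is not reported as ok.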