One of the concerns we have little control over is our vendors, suppliers, partners and freelancers, or, in other words, the chain of supply.
In the Annual Global Threat Report 2024 issued by CrowdStrike (a highly recommended read) there are a couple of pages analysing the main threat actors. And back in October 2023 Gartner predicted a staggering 45% rise in supply chain attacks by 2025.
My main understanding from the various articles and research on the subject is that chain of supply vulnerabilities and threat actors are on the rise.
We want to keep our organisation safe; this is the baseline for any normally functioning organisation. We want safety. We also want to work with vendors freely. Reliance on outsourced vendor services has been on the rise since 2020 (to be discussed in a separate blog post) and has made organisations dependent on those service providers for their business. We can't give up vendors without compromising the organisation's business continuity. So what should we do? Do we need to choose between security and the business?
The answer is ‘NO!’
Restricting the business is not a good answer, especially in the 21st century, where there are so many security solutions and frameworks available to help mitigate exposures and vulnerabilities.
I should mention that ignoring it altogether is not a very good solution either… based on my personal experience alone, ignoring a problem doesn't make it go away.
So what is the recommended action item?
First of all, let's map those vendors. Some of them expose us to almost nonexistent or very small risk (like your lunch delivery guy) and others expose you to major risk (for example your IT supplier). The moment you have them mapped, you know where to concentrate your efforts.
The next thing to do is to assess the risk you are exposed to.
For example, if we take IT, IT providers usually have admin users; maybe they own an endpoint management service (e.g. Intune/JumpCloud), or have access to the organisation's user endpoints (TeamViewer/AnyDesk). How do we ensure that access is not abused? How do we mitigate our exposure?
Now that you have mapped and assessed the risk, all that is left is to mitigate it.
There are several actions we can take, on several vectors. For example, the legal vector will have you sign an NDA or a DPA (or both, depending on the type of organisation you are) with any and all providers. The transparency vector will have them fill in a security questionnaire for you, so you know what you are up against. And the final, main vector is the technical one, which includes access limitation, admin user management and activity monitoring.
I want to dwell on one of the most important suggestions (and the simplest to comply with): implement phone-based MFA at every log-in.
The year 2024 was characterised by several chain of supply incidents, some of which I participated in as an Incident Response Team Leader. I managed three different types of clients: two governmental organisations and one privately owned tech company. All of them were attacked through their chain of supply, and the common exposure for all three was the lack of MFA when connecting to their environment.
So when the supplier got hacked, the way into their environment was not limited in any way or form. MFA based on a phone (i.e. SMS or a security app) would have prevented that connection and protected the organisation, since only the phone owner has access to the SMS.
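To make the map / assess / mitigate steps above concrete, and to show how the missing-MFA exposure surfaces as the first gap on the technical vector, here is an added example of a small vendor triage script. It is not code from the original post; the vendor records, the scoring weights, the tier thresholds and the three mitigation vectors (legal, transparency, technical) are constructed assumptions for illustration, and any real register would use the organisation's own inventory and weighting.

```python
"""Supply chain vendor triage: map access, score exposure, list mitigation gaps.

Added example, not from the original post. Vendor records, weights and
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Vendor:
    name: str
    service: str
    admin_accounts: int = 0      # admin users the vendor holds in our environment
    endpoint_mgmt: bool = False  # owns an endpoint management service (e.g. Intune/JumpCloud)
    remote_access: bool = False  # remote access to user endpoints (e.g. TeamViewer/AnyDesk)
    data_access: bool = False    # processes organisation data (DPA relevant)
    mfa_enforced: bool = False   # phone-based MFA required on every log-in
    nda_signed: bool = False
    dpa_signed: bool = False
    questionnaire_done: bool = False


# Assumed weights: direct paths into the environment weigh most.
WEIGHT_ADMIN = 3
WEIGHT_ENDPOINT_MGMT = 5
WEIGHT_REMOTE_ACCESS = 4
WEIGHT_DATA_ACCESS = 2
MAX_COUNTED_ADMINS = 5


def risk_score(v: Vendor) -> int:
    """Step 2 (assess): turn the mapped access into a numeric exposure."""
    score = min(v.admin_accounts, MAX_COUNTED_ADMINS) * WEIGHT_ADMIN
    if v.endpoint_mgmt:
        score += WEIGHT_ENDPOINT_MGMT
    if v.remote_access:
        score += WEIGHT_REMOTE_ACCESS
    if v.data_access:
        score += WEIGHT_DATA_ACCESS
    return score


def risk_tier(score: int) -> str:
    """Assumed thresholds: 0 negligible, 1-4 low, 5-9 medium, 10+ high."""
    if score == 0:
        return "negligible"
    if score < 5:
        return "low"
    if score < 10:
        return "medium"
    return "high"


def mitigation_gaps(v: Vendor) -> List[str]:
    """Step 3 (mitigate): what is still missing on each vector, technical first."""
    gaps: List[str] = []
    if risk_score(v) == 0:
        return gaps  # no access into the environment, nothing to mitigate
    if not v.mfa_enforced:
        gaps.append("technical: enforce phone-based MFA on every log-in")
    if v.admin_accounts > 1:
        gaps.append(f"technical: review {v.admin_accounts} admin accounts and monitor their activity")
    if not v.nda_signed:
        gaps.append("legal: NDA not signed")
    if v.data_access and not v.dpa_signed:
        gaps.append("legal: DPA not signed")
    if not v.questionnaire_done:
        gaps.append("transparency: security questionnaire outstanding")
    return gaps


def triage(vendors: List[Vendor]) -> List[Tuple[str, int, str, List[str]]]:
    """Step 1 result (the map) ordered by exposure, so effort goes to the top rows."""
    rows = [(v.name, risk_score(v), risk_tier(risk_score(v)), mitigation_gaps(v)) for v in vendors]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("Lunch delivery", "catering"),
    Vendor("IT MSP", "managed IT", admin_accounts=3, endpoint_mgmt=True, remote_access=True,
           data_access=True, nda_signed=True),
    Vendor("Remote support contractor", "helpdesk", admin_accounts=1, remote_access=True,
           mfa_enforced=True, nda_signed=True, questionnaire_done=True),
    Vendor("Payroll SaaS", "HR", data_access=True, mfa_enforced=True, nda_signed=True,
           dpa_signed=True, questionnaire_done=True),
]

if __name__ == "__main__":
    for name, score, tier, gaps in triage(SAMPLE_VENDORS):
        print(f"{name:28} score={score:2} tier={tier:10} gaps={len(gaps)}")
        for g in gaps:
            print("   -", g)
```

Run as-is, the IT MSP lands at the top of the list with a high tier and four open gaps, the first of which is the missing MFA; the lunch delivery vendor scores zero and gets no action items, which is the whole point of mapping before spending effort.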
This is the tip of the iceberg when it comes to managing your chain of supply, but it's a good start.
Follow for more, and feel free to ask questions.
Yours Truly,
Major Cyber