All businesses rely on a supply chain for services, materials, labor, technology, etc., and in today’s economy, no business can stand alone. To survive, companies must address, or at least acknowledge, the risks inherent in their supply chain, and as with many approaches to risk, managing supply chain risk requires a holistic approach. Risks in this domain can come in many forms, from environmental catastrophe, financial stress, injury, quality, and delivery times to criminal activity. Reducing these threats, having options, and having backup or recovery plans are common sense approaches and are something that most businesses do to varying degrees. Historically, supply chain risks have been mitigated by financial disclosures, performance bonds, insurance ratings like the experience modification rate (EMR), past performance, etc.
An element of supply chain risk is cybersecurity risk, and dealing with cyber risk in the supply chain is nothing new. One of the most infamous examples of cyber supply chain risk was the 2013 Target hack, where 40 million debit cards were compromised. The attack was initiated through a third-party supply chain vendor, an HVAC company. However, rating cyber supply chain risk is a complex task and one with barriers. For the most part, companies will not allow an internal assessment of their information system by an unknown third party. This leaves external assessment as the only option, and the first commandment of external assessment is not to touch the vendor’s information system, that is, not to get inside the vendor network. The issue is that if you touch a company’s system, you can end up owning it, along with whatever goes wrong afterwards.
Nevertheless, assessments of a company’s cyber-hygiene have been in place for some time. These assessments are conducted through questionnaires that the company fills out. For the most part, these questionnaires focus on the basics of cyber-hygiene: are passwords long, are access and users segmented, is the information backed up, etc.? There is often a signature block for a corporate official or the owner to attest compliance. As can be imagined, these self-attested answers are less than reliable.
The issue in cybersecurity assessments of third-party systems is often what is good enough when access to the system is prohibited and the only solution is an external, non-intrusive assessment. This results in an evaluation of the outward-facing elements of the vendor’s information system. There are a number of software tools that will assess and give a good idea of the system’s external defenses. These tools are non-intrusive and do not provide a view of the internal system administration. They do not address the issues of passwords, user access, segmentation, etc. These internal administration issues can only be addressed by a questionnaire. What is good enough is then a combination of external assessments and a questionnaire. However, the only assessment of value is a software assessment of the system’s external defense. The experience is that questionnaires are answered with the sole goal of reducing work and getting a pass.
What is good enough for testing is a matter of opinion, as there are innumerable software tools and tests, and there is monitoring; these choices are often a matter of the beauty of the dashboard, reporting options, and cost. In general, most assessment applications are threat intelligence-based, meaning they are focused on combating Common Vulnerabilities and Exposures (CVE), which the MITRE Corporation, a Federally Funded Research and Development Center, lists. As these assessment tools are non-intrusive, they can only assess the rigor of the external system configuration: they look for and test open ports and firewall configurations. In addition, the software will check for ransomware exposures and access potential, possible malware detection, and configuration errors and exposures. In general, this will give a decent view of the system’s exposures. There is always the ability to test more, but there is a cost associated with each test.
The issue returns to cyber supply chain risk management and the question of what is good enough. The point is that what is good enough is framed by only being able to assess external-facing system configurations and defenses. Software assessment tools can provide a view and score of a system’s vulnerabilities, and it is this score that is very often a good indicator of what follows, no matter how the system security questionnaire is filled out. The point is to do something: determine what to test, test it, provide the results to the company, and monitor. These actions will go a long way in securing your business supply chain. These actions will also move the defense supply chain to a higher level of cyber defense.
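The combination the preceding paragraphs describe, an external score from non-intrusive observations plus a self-attested questionnaire, can be made concrete. The following is an added example and not code from the article or from any assessment product; the internet-facing observations, the questionnaire answers, the severity numbers and the service/version watchlist (placeholder ids, not real CVE numbers) are all constructed for illustration. It scores only what is visible from outside, then checks each attested control against that evidence, so a questionnaire that has been filled out "to get a pass" loses credit wherever the external findings contradict it.

```python
"""Reconcile a vendor's self-attested questionnaire with non-intrusive external findings.

Added example; all sample data below is constructed. The watchlist stands in for a
CVE-style feed and uses placeholder identifiers, not real CVE numbers.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: what an external (non-intrusive) assessment can observe, i.e. internet-facing
# ports, the service answering on them, and a banner/version string where one was visible.
SAMPLE_EXTERNAL_OBSERVATIONS = [
    {"host": "www.vendor.example", "port": 443, "service": "https", "version": "TLS 1.2"},
    {"host": "remote.vendor.example", "port": 3389, "service": "rdp", "version": ""},
    {"host": "files.vendor.example", "port": 445, "service": "smb", "version": "SMBv1"},
    {"host": "mail.vendor.example", "port": 25, "service": "smtp", "version": "Exim 4.89"},
]

# Constructed: the vendor's attestation, keyed by control (True = "we do this").
SAMPLE_QUESTIONNAIRE = {
    "remote_admin_not_internet_exposed": True,
    "legacy_protocols_disabled": True,
    "patching_within_30_days": True,
    "backups_tested": True,
}

# Constructed watchlist: (service, version prefix, placeholder id, severity 0-10,
# questionnaire control that a match discredits).
WATCHLIST = [
    ("smb", "SMBv1", "VULN-PLACEHOLDER-1", 9.0, "legacy_protocols_disabled"),
    ("smtp", "Exim 4.8", "VULN-PLACEHOLDER-2", 8.0, "patching_within_30_days"),
]

# Remote-administration services that, when reachable from the internet, contradict the
# "remote admin not exposed" attestation. Severities are constructed.
REMOTE_ADMIN_SERVICES = {"rdp": 7.0, "ssh": 4.0, "vnc": 7.0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str
    severity: float               # 0-10, CVSS-like scale (constructed values)
    contradicts: Optional[str]    # questionnaire control this finding discredits, if any


def assess_external(observations):
    """Turn outward-facing observations into findings the way a non-intrusive tool would:
    only what is reachable from the internet is judged; nothing inside the network is touched."""
    findings = []
    for obs in observations:
        svc, ver = obs["service"], obs["version"]
        if svc in REMOTE_ADMIN_SERVICES:
            findings.append(Finding(obs["host"], obs["port"],
                                    f"{svc} reachable from the internet",
                                    REMOTE_ADMIN_SERVICES[svc],
                                    "remote_admin_not_internet_exposed"))
        for w_svc, w_prefix, ident, sev, control in WATCHLIST:
            if svc == w_svc and ver.startswith(w_prefix):
                findings.append(Finding(obs["host"], obs["port"],
                                        f"{ident}: {svc} {ver}", sev, control))
    return findings


def external_score(findings, weight=3.0):
    """100 means nothing was flagged; each finding deducts weight * severity, floored at 0."""
    return max(0.0, 100.0 - weight * sum(f.severity for f in findings))


def reconcile(questionnaire, findings):
    """Credit an attested control only when no external finding contradicts it."""
    contradicted = sorted({f.contradicts for f in findings
                           if f.contradicts and questionnaire.get(f.contradicts)})
    credible = {c: (ans and c not in contradicted) for c, ans in questionnaire.items()}
    return {
        "external_score": external_score(findings),
        "attested_score": 100.0 * sum(questionnaire.values()) / len(questionnaire),
        "credible_attestation_score": 100.0 * sum(credible.values()) / len(credible),
        "contradicted_controls": contradicted,
    }


if __name__ == "__main__":
    found = assess_external(SAMPLE_EXTERNAL_OBSERVATIONS)
    for f in found:
        print(f"{f.host}:{f.port}  sev {f.severity:>4}  {f.issue}")
    print(reconcile(SAMPLE_QUESTIONNAIRE, found))
```

On the constructed sample the questionnaire scores a perfect 100 on its own, but three of its four attested controls are contradicted by what is visible from the outside, so the credible attestation falls to 25 while the external score is 28; that gap is the signal the article says matters more than how the form was filled out.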

CVE (MITRE Corporation): https://cve.mitre.org/
Hartzog and Solove, "Breached" excerpt on the Target hack, Slate: https://slate.com/technology/2022/04/breached-excerpt-hartzog-solove-target.html