Supply chain risk is a huge, complicated bucket for businesses – environmental, reputational, ethical and continuity concerns can be overwhelming. But, even limiting consideration to cyber security risk, it's still a massive challenge.
It's easy to hark on about the pandemic changing the working world forever, but it's certainly accelerated the adoption of remote working and cloud technologies (SaaS / PaaS platforms).
Companies have outsourced functions that always used to be in-house. They've purchased tools and products for remote working productivity.
They have a workforce increasingly demanding better productivity tools and more specific toolkits – integrating small, specific applications into their departmental workflows to boost efficiency and engagement.
Anecdotally, we've seen customers increasing their pool of third-party service providers and vendors over the last three years to meet the needs of a changing workforce and working patterns. It's been a rapid process.
There are several ways supply chain attacks can impact your cyber security resilience. Third-party service providers may have access to physical premises or technical infrastructure, and compromising these providers can grant that access to an attacker. If you have smaller or less mature suppliers in your supply chain, they may have immature information security practices.
However, in our experience, most businesses have mature processes to manage these risks in their supply chains. But we often see weaknesses in our customers' software inventory management and their software supply chain.
You can't fix what you don't know about
When a vulnerability is released, the first task is to determine its impact and how to manage any impact. To understand the business impact of a vulnerability in software, you need a complete understanding of the components used across all your systems.
That's a complicated problem to solve. Even a relatively simple piece of software may use hundreds of different libraries and components maintained by various parties, all of which may rely on other libraries. So, when an exploitable vulnerability exists, you want to be able to identify affected systems and mitigate the issue as quickly as possible.
Log4JShell was a prime example of a vulnerability within the software supply chain causing havoc. It's a popular component, and its use was widespread, so when it came to addressing the risk, the first step for most businesses was to determine whether and where it was used.
For many, this involved asking questions of suppliers and software maintainers, reaching out to internal stakeholders and doing research - that's time-consuming, and in the case of Log4JShell (a high-impact vulnerability with exploit code circulating in the wild), it was time that would have been better spent applying the patch.
Businesses with a comprehensive list of components and libraries in use cut out that time in their response and were able to move straight into mitigation.
Log4JShell is a high-profile example as it was a very high-impact issue in a common library, but it's worth noting that modern adversaries actively target open-source libraries to embed malicious code in the supply chain.
In October 2021, for example, we saw an npm package with more than 7 million weekly downloads compromised via an account takeover. For an adversary, planting malware into common packages is a technique which potentially gives access to thousands of victims in a single attack – that's a great return on investment!
Software inventory management
This type of remediation pattern - working out which libraries and components are used where - will become a more common problem for businesses to solve. If you want to be proactive about preparing for a security incident, you should consider how you inventory software assets and what level of detail you have about the components used.
Comprehensive asset management, done well, significantly cuts down on time to mitigation- meaning your exposure window is reduced.
'Garbage in, garbage out' applies to cyber security asset management as much as it does to any other control measure. If you get comprehensive asset coverage to a decent depth, it can be extremely helpful. But if you don't get the right coverage or depth, you may have a false sense of security and still need to scramble to identify your exposure when a vulnerability comes to light.