Page 86 - Cyber Defense eMagazine April 2021 Edition

In the past, security professionals went by the old 'protecting us from ninjas' model: it was all about your perimeter. You had a firewall and a data center, and all your secrets were locked behind concrete. Security meant guarding the doors and windows (and, perhaps, as in the previous rare case, the ceiling).


Much like a stealthy ninja slipping past the guards, a failure on someone else's system, or one that falls outside the scope of what your security controls can see, is something even the best and most robust security program can neither detect nor protect against. Consequently, the most useful way to think about security is: where is your risk, and how can you mitigate it?

Increasingly that risk sits in supplier management: a vulnerability in a software vendor's product exposes your business just as surely as one in your own code.

Extent of the problem

Who outside of the security profession remembers the details of how a company was breached? When it hits the news, everyone knows who got breached, but not much else. All breaches sound bad in a newspaper or blog post: the company lost its customers' data and it lost its customers' trust. Did it really matter that the issue started with a third-party problem in a peripheral device in a retail store, or with a vulnerability in a product that had no obvious direct access to the data? It makes no difference. Their security failed. That is what people remember.

Often it failed because of a third-party integration, but that nuanced story is lost on the public. Not that the breached companies didn't make their own set of mistakes, but in most cases where there is a breach, even a terrible one, the security team tried its best to do the right thing and fell to something on the margins.


And third-party breaches continue to dominate the headlines.

For instance, the SolarWinds breach [link: https://www.cnet.com/news/solarwinds-hack-officially-blamed-on-russia-what-you-need-to-know/] almost certainly will go down as one of the biggest, most serious breaches in history.


The breach here wasn't a "hack" like in the movies; instead it arrived as a seemingly valid software update to a well-regarded tool that IT teams use every day. The compromised update came through the vendor's normal release channel, so the checks customers routinely apply to incoming patches gave no reason to reject it.

SolarWinds' customers were exposed through no fault of their own, and those companies now have to deal with the potential fallout and the probable follow-on attacks stemming from this compromise.


The ultimate consequences of this compromise are still opaque, but at the very least attackers gained privileged access into many global companies and government entities.

While there are innumerable causes for a security failure, the public sees it this way: if you fail, you fail. So how do you cover for this risk, and how do you reduce risk in the supply chain?

It turns out that can be really tricky if you depend on only one way of doing things. You've got to have a multi-pronged approach.

ONE: Vendor Screening

This type of risk has hardly been invisible. Many organizations have a Security Assurance Group: staff members who focus on answering customers' supplier-management questions and assuring them that the risk is manageable. Many companies require prescreening of vendors and require them to follow specific security protocols before they are allowed in.





Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.