Page 136 - Cyber Defense eMagazine September 2023
Let’s look at four examples:
• The Log4j Vulnerability (2021): The discovery of the Log4j vulnerability (CVE-2021-44228, widely known as Log4Shell) spotlighted the
weaknesses lurking within the open-source software supply chain. Log4j, a Java logging library
integrated into a myriad of applications, had a critical flaw that allowed unauthenticated attackers to
remotely execute arbitrary code simply by getting a crafted string logged. The ubiquity of this library meant that its vulnerability exposed
countless systems worldwide, many of which did not even know they shipped it as a transitive dependency, highlighting how a single weak link in the software supply chain
can put a vast network of enterprises at risk. The incident served as a wakeup call for
organizations to reevaluate and strengthen their software supply chain security.
• SolarWinds Hack (2020): An alarming testament to the chain-link vulnerability was the SolarWinds
breach. Attackers compromised the build environment of a widely used IT
management tool (the Orion platform) and inserted a backdoor into its digitally signed software updates, so the vendor's own trusted update channel became a conduit for a massive cyber espionage campaign. Roughly 18,000 customers downloaded the trojanized updates. This breach
affected multiple high-profile entities, including U.S. federal agencies and Fortune 500 companies,
demonstrating how a single compromised link can endanger many.
• Capital One Data Breach (2019): In this incident, a former Amazon Web Services (AWS)
employee exploited a misconfigured web application firewall in Capital One's AWS environment, using a server-side request forgery to obtain temporary credentials from the EC2 instance metadata service and then reading data on over 100 million customers from cloud storage. While Capital One was the primary victim, the incident
raised eyebrows about the shared responsibilities and inherent risks of using third-party cloud
service providers: the misconfiguration sat on the customer's side of the shared responsibility model, yet the attacker's knowledge of the provider's platform was what made it exploitable.
• Target Breach (2013): Target's systems were infiltrated through an indirect route, via its HVAC vendor. This third-party vendor had less stringent security measures, making it
an easier target; its network credentials for Target's vendor portal were stolen, reportedly through a phishing email. Once inside, the cybercriminals navigated from the vendor-facing systems into Target’s more extensive
network, eventually planting malware on point-of-sale terminals and accessing roughly 40 million customers' payment card details.
Each of these incidents has become a critical milestone in the collective understanding of third-party risk.
Target highlighted the connection between non-IT service providers and the IT environment. SolarWinds
demonstrated an inherited infiltration, cascading risk from one entity to another. Capital One cast doubt
on our understanding of the shared responsibility model. Log4j opened our eyes to the double-edged
sword of open-source software.
Lessons from these four events can form the foundation of a solid strategy to mitigate the risk of a
supply chain compromise.
1. Thorough and Recurring Vetting: Begin partnerships with a comprehensive cybersecurity
assessment. Before integrating any third-party service, software, or tool into your organization,
ensure that it meets your security requirements, including how the vendor builds, signs, and delivers updates. Commit to reviewing those
assessments on an annual basis, and again after any material change or incident at the vendor, to ensure your partners remain vigilant.
2. Manage Your Asset Inventory: Catalog and track all third-party software components in your
environment, especially those that are open source, in the form of a software bill of materials (SBOM) for each application. Understand their usage, dependencies (including transitive ones), and
potential vulnerabilities. Prioritize the use of well-vetted, reputable software components. When a
threat does materialize, being able to answer "where do we run this, and which version?" within minutes is what makes a quick and surgical mitigation possible.
3. Continuous Monitoring and Communication: Establish real-time monitoring of all interactions
between your environment and your partners’ environments. This includes email, data transfers,
software updates, and any other digital touchpoints. Regularly communicate with partners about
shared cybersecurity threats and best practices.
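As an added example, not code from the magazine or its author, the following Python script shows what step 2 looks like in practice: it indexes CycloneDX-style SBOM documents into a component inventory and queries that inventory against a watchlist of vulnerable version ranges, answering the Log4Shell-style question "which of our applications ship an affected log4j-core?". The three SBOMs, the application names, and the watchlist entry are constructed for illustration; the CVE identifier is real, but the range is a simplified approximation of the advisory, which also lists backported fix releases that a production watchlist must encode exactly.

```python
"""Locate affected third-party components across a fleet of SBOMs.

Added example, not from the original article. The SBOM fragments and the
watchlist below are constructed for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed CycloneDX-style SBOMs (JSON text) for three hypothetical
# applications. Real SBOMs come from build tooling, not by hand.
SBOM_DOCS = [
    json.dumps({
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "payments-api", "version": "4.2.0"}},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
            {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
            {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "batch-reporter", "version": "1.9.3"}},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
            {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.17.1"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "legacy-portal", "version": "0.8.0"}},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.1"},
            {"group": "org.apache.commons", "name": "commons-lang3", "version": "3.9"},
        ],
    }),
]

# Watchlist of (component, vulnerable range). The range here is a
# simplified stand-in for the advisory; production data must use the
# advisory's exact ranges, including backported fix releases.
WATCHLIST = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "range": ">=2.0,<2.15.0"},
]

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b, "==": lambda a, b: a == b,
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release suffixes
    are dropped, which is adequate for Maven-style numeric versions."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def in_range(version, spec):
    """True when version satisfies every comma-separated constraint in spec."""
    v = parse_version(version)
    for constraint in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\w.\-]+)\s*", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def build_inventory(sbom_docs):
    """Index components by (group, name) -> list of (application, version)."""
    inventory = defaultdict(list)
    for doc in sbom_docs:
        bom = json.loads(doc)
        app = bom["metadata"]["component"]["name"]
        for comp in bom.get("components", []):
            inventory[(comp.get("group", ""), comp["name"])].append((app, comp["version"]))
    return inventory


def locate(inventory, group, name):
    """Every (application, version) that ships the given component."""
    return sorted(inventory.get((group, name), []))


def find_affected(inventory, watchlist):
    """Cross the inventory with the watchlist; one hit per affected deployment."""
    hits = []
    for entry in watchlist:
        for app, version in inventory.get((entry["group"], entry["name"]), []):
            if in_range(version, entry["range"]):
                hits.append({"advisory": entry["id"], "app": app,
                             "component": entry["name"], "version": version})
    return sorted(hits, key=lambda h: (h["advisory"], h["app"]))


if __name__ == "__main__":
    inv = build_inventory(SBOM_DOCS)
    for hit in find_affected(inv, WATCHLIST):
        print(f"{hit['advisory']}: {hit['app']} ships {hit['component']} {hit['version']}")
```

Run stand-alone, the script reports payments-api (2.14.1) and legacy-portal (2.12.1) as affected and leaves batch-reporter (2.17.1) alone; the same inventory answers a plain "who ships log4j-api?" query through locate(). The value is in the index, not the lookup: it is built once from the SBOMs your pipelines already emit, and on the day an advisory lands the only new input is the watchlist entry.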
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.