VRM Archives

aicpa soc 2, CMMC, findings tech, security compliance, soc 1, Vendor Risk Management

The Insider Guide To Coordinated Vulnerability Disclosure Programs

Posted on May 11, 2022September 20, 2022 by Yogev Kimor

11
May

When you co-ordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for tips on how coordinated vulnerability disclosure programs work, why they’re important and 5 steps to creating one.

What Is a Coordinated Vulnerability Disclosure Program?

A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities to various internal and external stakeholders whenever a vulnerability occurs. It’s a way of ensuring that information about a known vulnerability is not just available, but also that response operations are as efficient as possible. But remember not all vulnerabilities should or must be disclosed. Deciding how to react, whether to block or avoid is also an important decision.

The Benefits of Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:

– Reduced vulnerability impact

The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster, and rolled out to affected applications or systems before hackers attack them. This translates to a lower risk that the vulnerability will be exploited.

Consider CVDP as a “neighborhood watch” for your IT assets by encouraging everyone in your supply chain to report risks they discover.

– Build internal processes

Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.

– Combined stakeholder response

External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.

– Avoid surprises

When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.

On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.

– Ethical corporate behavior

Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.

Did you know that your supply chain security can affect your stock value?

5 Steps for Creating a Coordinated Vulnerability Disclosure Program

Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.

1. Create secure reporting channels

As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.

However, you need to provide secure channels through which third parties can report vulnerabilities in order to benefit from them. These channels could be as simple as resources like “security.txt” files that identify where and how someone can report a vulnerability to you.

Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.

2. Assess vulnerability severity

Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.

For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, then include that information in the disclosure report, along with technical details on how the vulnerability is exploited.

With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.

3. Remediation

Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?

This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.

4. Public awareness

In a coordinated response process, the group that identifies a vulnerability will take appropriate steps to notify users about it via all relevant channels – such as vulnerability databases, email lists and media reports.

Included in these notifications should be a timeline about which information to disclose and when to disclose it. In some instances, you may not want to include certain technical details right away; for example, if a patch is not yet available to fix a vulnerability, you may not wish to disclose how to exploit the vulnerability, in case hackers use that information to execute zero-day attacks that can’t yet be prevented.

5. Assess your response

The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.

Coordination leads to the best outcomes

As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.

Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.

When it comes to planning for coordinated vulnerability response, Findings can help. Findings provide end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.

iso, iso27001, iso27017, iso27018, security compliance, Supply Chain Security

Crisis Management: The Missing Link In Supply Chain Security

Posted on May 2, 2022September 20, 2022 by Yogev Kimor

02
May

It’s easy to treat crisis management as an afterthought within the context of supply chain security. Businesses may assume that attacks are unlikely to happen, especially if they’ve invested in risk assessment and mitigation. Just ask some of the major vendors that have been at the root of cybersecurity crisis in the recent past, despite having taken breach prevention quite seriously.

What is a cybersecurity crisis management strategy?

A crisis management strategy provides a protocol for organizations to identify, eliminate and recover from cybersecurity attacks as swiftly as possible; its purpose is to position the organization for minimal impact of a cybersecurity incident. The protocol will unquestionably reduce the stress on your executive and IT teams in a crisis situation and everyone else involved in mitigating an attack.

The protocol typically includes, who does what in the event of a cyber incident, who is in charge of managing the crisis, aka Cybersecurity Crisis Response Team (“Response Team” or “CCRT”). It also covers which systems need to be checked for impact and where the backups are located; which partners, vendors and customers need to be notified and at what stage does the Board of Directors and media need to be addressed and how.

For many organizations, this strategy is not only the responsible thing to do, but may also be a compliance mandate.

Two policies we suggest you look at:

Your Vulnerability Disclosure Policy Can be Easier Than You Think

Meeting The CMMC Compliance challenge Head On

But where do you start? In contrast to many other security protocols – like privacy disclosure requirements, which are usually straightforward enough – there is no predefined playbook you can follow or set of boxes you can check off, to plan for crisis management.

It is therefore up to each organization to research and create their own set of protocols. We’ve highlighted what should be in yours below.

Supply chain security: Your crisis management plan

Step 1: Risk assessment

The first step is to identify your supply chain security risks.

Do this by assessing which regulations and legal requirements your business is bound to when it comes to cybersecurity. You should also evaluate your contractual obligations. Next, identify vulnerabilities that exist within your supply chain security and risk management report. Do these vulnerabilities need to be reported to other vendors within your supply chain? Or can they be easily patched? Finally, examine how a breach may impact your business’s operations.

The easiest way to check your metal here is to take risk assessments test surveys and run some gap analysis – doing so will give you a complete score on where your current efforts stand compared to where you should be and industry standards.

If you find any “show-stoppers,” you must stop your process and fix it before moving forward to avoid failure at a later stage.

With this insight, you can develop a plan for managing the impact.

Step 2: Formalize your security and risk management plan

Once you’ve identified the risks, document them and put them in writing, along with a plan that spells out which steps various stakeholders need to take during an incident to mitigate the risks.

Specifically, your plan should detail:

Whom – such as vendors, partners, customers, regulatory authorities – you need to notify about a supply chain breach. And, your head of cyber security should also be formalized.
Which processes various stakeholders – such as executive, IT and public relations teams will follow to do their part in handling the incident.
How you’ll maintain the necessary level of transparency (which should be defined within your Vulnerability Disclosure Program).
What information to disclose to the media, and how to disclose it. Not every part of every incident needs to be publicized, but you should think strategically ahead of time about how to engage with the media.

Step 3: Practice cyber drills

In order to ensure your crisis management plan actually works as you intend it to, you should run through cyber drills, which mean engaging stakeholders in responding to simulated incidents.

If you have the resources, you can hire a professional penetration testing team to create a mock incident, then test your business’s response. Alternatively, you may use your own teams to create a simulated supply chain attack, using a red team/green team model.

The more drills you practice, the better, but you should perform one drill annually at a minimum.

Step 4: Make crisis management a collective business responsibility

Next, work to ensure that everyone in the business – not just the IT team and security experts, but everyone from PR and customer relations to sales and marketing, to the C-suite and beyond – understands your supply chain crisis management plan and knows how to play their role within it.

Do this by publishing the process in a place where all stakeholders can view it. You can also ask stakeholders to explain their role in crisis management, based on the published plan.

Be sure, too, that the plan nominates someone to take the lead in crisis management unless your business already has an obvious person (such as a CISO) to take on this role.

Step 5: Leverage crisis management

Finally, to get even more buy-in for the plan and generate business value from it, educate your sales and marketing teams in particular about the investments you’ve made in crisis management.

This is important because sales and marketing teams can tout your crisis management investments when selling your products to other companies that require a high level of supply chain security and risk management. The more commitment you can demonstrate to managing supply chain risks effectively, the better positioned you’ll be to win customers who need strong supply chain security guarantees.

Winning such business is certainly not the only reason to invest in crisis management planning, but landing more customers this way can’t hurt.

CMMC, findings tech, iso, iso27001, iso27017, iso27018, security compliance, Vendor Risk Management

4 Reasons Why Your CISO Wants To Implement A CMMC Framework

Posted on April 12, 2022September 20, 2022 by Yogev Kimor

12
Apr

“Let’s pursue a new compliance framework just because we feel like it!” is not a phrase that you tend to hear business leaders utter excitedly. After all, making the changes necessary to comply with new compliance rules is a significant undertaking. Unless a specific legal requirement is at stake, businesses tend to embrace them slowly.

However, the Cybersecurity Maturity Model Certification (CMMC) is an exception. Although CMMC is not strictly required for most businesses, implementing it should be a priority for many CISOs today.

Indeed, a CISO’s main job is to harden cybersecurity wherever possible. Doing so requires identifying security risks, developing practices and policies to mitigate those risks, and creating regular reports that track the effectiveness of cybersecurity investments. Because the CMMC encourages these practices, pursuing CMMC compliance is an excellent way for CISOs to achieve their primary goals.

“All DoD contractors will eventually be required to obtain a CMMC certification,” as CSO Online notes, which may be another reason CISOs implement CMMC compliance. But it shouldn’t be the only one: Whether or not you need to do business with the U.S. Department of Defense, pursuing CMMC compliance is a great idea.

Four reasons to implement CMMC

You achieve several critical benefits when you invest the time and effort required to implement CMMC compliance.

1. Independent cybersecurity validation

Among the recent changes to CMMC is a new independent validation requirement for businesses with CMMC level 3 compliance. Independent validation provides a more thorough security check and vulnerability reporting than you can get from following other security guidelines, like those from NIST (which closely resembled the original version of CMMC).

Thus, CMMC is a more rigorous cybersecurity framework in many respects than anything else you can find.

2. Holistic cybersecurity best practices

CMMC is designed to encourage solid cyber hygiene for businesses of all types and industries.

It encourages a proactive cybersecurity culture (ESG benefits because it demonstrates a commitment to privacy). It facilitates education for all employees – including non-technical stakeholders – about security best practices. And it underlines the importance of managing supply chain security risks, one of the most severe categories of threats that businesses face today.

3. Increased revenue

From a purely business perspective, the additional sales opportunities that CMMC compliance opens up can lead to revenue growth.

When you achieve CMMC compliance, you can do business with U.S. government agencies that might otherwise be off-limits. This means more clients, but it often means more significant client contracts because government agencies tend to be high-value, long-term accounts.

4. Enhanced security maturity

Even in cases where clients aren’t government agencies and don’t require CMMC compliance, being CMMC compliant can nonetheless be a significant boon to business. It helps you demonstrate a commitment to cybersecurity and serves as a stamp of quality/security on the security front, which can help you close more deals and retain more clients.

The enhanced security maturity that comes with CMMC compliance can help you stay ahead of the competition, which may comply with less rigorous mandates but not with CMMC.

Here are the CMMC Compliance Requirements: Everything You Need To Know

Granted, CMMC implementation is not a simple task: It’s essential for CISOs to understand the challenges before undertaking a CMMC compliance initiative:

Process: You have to apply for CMMC compliance. That’s another task for CISOs to manage on their already full plates.
Buy-in: CISOs need to get buy-in from shareholders and management for the CMMC process. That’s important not just culturally but also because business leaders will need to play a valuable role in the CMMC application process by filing forms, tracking progress and reporting, etc.
Multiple steps: Applying for CMMC compliance is not a one-and-done affair. It usually involves multiple steps, with changes or additional information required as you progress through the process.
Maintenance: You need to keep your compliance strategy continuously updated to meet CMMC compliance requirements. That increases your time and effort even further.
Cost: For most businesses, CMMC compliance will require new tools and processes, which come at a cost. And depending on what level of CMMC compliance you need, an outside advisor may also be required.

None of these challenges should prevent businesses from pursuing a comprehensive CMMC framework to protect against cyberattacks compliance. But it’s essential to be aware of the potential objections and barriers before starting the process.

Even if CMMC compliance is technically optional for your business, there’s a good reason not to treat it as an option. Instead, CISOs should embrace CMMC implementation as an intelligent way to strengthen their business’s cybersecurity – and, in turn, open up new business opportunities.

Learn more by scheduling a demo.

findings tech, iso, iso27001, iso27017, iso27018, security compliance, Vendor Risk Management

Your Vulnerability Disclosure Policy Can Be Easier Than You Think

Posted on April 4, 2022September 20, 2022 by Yogev Kimor

04
Apr

It’s easy to recognize the importance of creating a vulnerability disclosure policy. Vulnerability disclosure policies, or VDPs, are important because they help you track vulnerabilities within your supply chain and determine how to disclose security risks that arise within the supply chain. That’s a best practice for any business, not to mention a formal requirement for companies wishing to do business with the DOD and U.S. government agencies.

It can be pretty hard, however, to figure out how to define and enforce such a policy. If you’re like many businesses, you may struggle to determine which types of vulnerabilities to disclose, how to report them, and how to integrate these rules into a policy document that your business uses as a systematic guide whenever supply chain vulnerabilities arise.

Fortunately, it’s easy enough to work past these challenges. By taking a step-by-step approach to creating a vulnerability disclosure policy, you can define and enforce disclosure rules tailored to your business’s needs with much less effort than you may imagine.

More information below on managing and building relationships with your vendors:

The insider’s guide to coordinated vulnerability disclosure

Watch below: How you can interact with vendors and suppliers – headache free

The main purpose of vulnerability disclosure

Establishing an effective vulnerability disclosure policy starts with understanding what such a policy is supposed to do.

Vendor disclosure programs have two main benefits:

Streamlined vulnerability reporting: A VDP defines who in your organization handles vulnerability reporting. This is important because many companies don’t know who the right person is to generate and distribute reports. Without a predefined reporting policy, you’re likely to end up with delays, or reports that never happen at all because no one knew who was supposed to create them.

Real-time reporting: Just as important, VDPs make it possible to react in real-time to vulnerabilities and breaches. As soon as you detect a security issue, you can report it to stakeholders or CISA, as required based on factors like which systems the incident impacts and how severe it is. The ability to disclose issues immediately and be fully transparent demonstrates a strong commitment to security on the part of your organization, which in turn helps your brand weather security events. Rapid disclosure may also be a compliance requirement for some businesses, as we’ve noted. But rapid disclosure means you need a complete view over your whole supply chain, not an easy task unless you have an automation tool to help with checking and reporting vulnerabilities.

Every VDP should be designed with these benefits in mind.

The six components of a vulnerability disclosure policy

To enable efficient, real-time vulnerability reporting, you should create a VDP in the form of a document that details six key facets of vulnerability disclosure.

1. Compliance policies

Your VDP should specify which compliance rules your business needs to meet, and which vulnerability disclosures those rules require.

The details in this section of the VDP will vary depending on your business and its compliance context. Not only do compliance requirements vary between geographies and industries, but businesses may also be exposed to different mandatory disclosure rules based on factors like the size of the business and the nature of a given breach. These are a few of the important policies you may come across ISO27001, NIST, ENISA, CMMC ISO, GDPR, HIPPA, CPPA (to name a few), and these need to be kept up-to-date with compliance rules changing every so often.

Whatever your specific requirements are, the goal of this section of your VDP should be to spell out the business’s disclosure responsibilities relative to its compliance mandates.

2. Contractual obligations

In addition to compliance mandates, your business may be required by the contracts it signs with vendors, customers or partners to disclose vulnerabilities. Thus, one section of your VDP should address contractual vulnerability disclosure obligations.

Be sure to detail in this section not just when and to whom you have to disclose security issues, but also how the disclosures should be communicated. Typically, your agreements with other businesses will specify how communication is to be maintained in this context. By including this detail in your VDP, you ensure that you can find it easily, without having to piece through contracts.

3. Supply chain obligations

If vulnerabilities arise somewhere in your supply chain as opposed to your own systems, you may need to disclose those, too. Your VDP should include a section that spells out your obligations in this regard. It should also include information about how you maintain visibility into your supply chain and determine that a vulnerability has affected it.

4. Risk management and assessment

Every vulnerability is unique, and the ability to contextualize it based on its seriousness is critical for effective disclosure. Toward this end, define within your VDP how to calculate the overall security severity of each vulnerability, as well as how this security score impacts your disclosure procedures.

If you use risk assessment tools to automate the scoring process (as you should if you want it to take place in real-time and with minimal effort on the part of your team), include that information in the VDP, too.

5. Insurance coverage

In many cases, insurance can cover at least some losses incurred due to a security issue within your supply chain. For this reason, be sure that your VDP details which security insurance you have and how it applies to disclosures.

6. Incident response plans

Disclosing vulnerabilities is one thing, mitigating is another.. Your VDP should include an overview of how your business responds to security incidents in order to ensure that they are remediated. In addition, if you’re required to keep stakeholders aware of progress toward remediation while an incident response is underway, spell out how you’ll do that within your VDP.

Take a look at how Log4j, Kaseya and other recent supply chain attacks have caused damage

How vulnerability disclosure statements optimize security

With a comprehensive VDP statement, you ensure that you are prepared to react in a way that minimizes the incident’s impact on your business, your vendors, your partners, your customers, and your supply chain in general.

In turn, you can make informed decisions about the following:

When to keep doing business with vendors who introduced a vulnerability into your supply chain
How to work with vendors to keep their risk levels low – and, by extension, keep your supply chain secure
When to switch to different vendors to lower your risk
Communicate effectively both “upstream” (meaning with your vendors and suppliers) and “downstream” (with customers and partners) when a vulnerability arises, as the image below from FIRST.org, a global organization focused on security improvements, illustrates

You can’t prevent every vulnerability or security incident. But you can prepare ahead of time to react quickly and effectively in meeting your obligations to disclose security issues when they happen – whether they stem from a vulnerability within your own IT estate or a problem that originated with another business in your supply chain.

You can make the vulnerability disclosure process even more efficient, which automates supply chain security detection and reporting.

Findings – Optimizing Supply Chain Compliance

findings tech, security compliance, Vendor Risk Management

Why Cyber Insurance Won’t Save You When You’re In Need

Posted on March 21, 2022November 7, 2022 by Yogev Kimor

21
Mar

Cyber Insurance Is Great – Except When It’s Not

It would be great if cybersecurity insurance provided an affordable, reliable means of protecting your business from the innumerable cyber threats it faces today.

Unfortunately, it doesn’t. While cyber insurance has its purposes and can be a good investment, it’s hardly a panacea when defending against cybersecurity risks. It’s a type of product that has hit a “plateau,” as Harvard Business Review puts it because cyber insurance has not evolved quickly enough to meet modern security threats.

That’s why, for example, cyber insurance won’t reliably protect you against supply chain security attacks. Even if you find a policy that does address supply chain threats, actually claiming your insurance benefit may take so long that the insurance doesn’t end up doing your business much good following a significant breach.

Please keep reading for an overview of the advantages and drawbacks of cyber insurance and tips on when it does and doesn’t make sense to rely on cyber insurance alone.

Here’s the top reasons why CMMC will be good for your business

What Does Cyber Insurance Cover?

Cyber insurance was introduced in the 1990s and was hailed to protect against IT-related risks that are typically not covered by other types of business insurance. The original intent was to give companies a means of protecting against the financial fallout resulting from data breaches and disruptions to critical IT systems.

Several insurance companies offer cyber insurance today, including Hiscox, The Hartford, CNA, and Nationwide.

5 Potential Disadvantages of Cyber Insurance

On the surface, cyber insurance probably sounds like a simple way to make sure a cyber attack doesn’t render your business bankrupt. In reality, though, cyber insurance isn’t necessarily so rosy. There are a number of potential pitfalls or drawbacks to purchasing cyber insurance.

1. High Costs

The first is the simple cost of cyber insurance. Although cyber insurance premiums were relatively affordable in the past, they have surged in cost in recent years, as this graph of policy costs shows:

Source: https://blog.alta.org/2021/09/cyber-coverage-premiums-increase-25-survey-shows.html

Thus, the cost of cyber insurance may be too high for many businesses today.

2. Management Challenges

Cyber insurance is not a set-it-and-forget-it affair. You have to manage your coverage actively by ensuring that your policy is kept up-to-date as your risks change – which they typically will, because you’ll roll out new systems or collect new types of data, for example, your original policy may not have covered that.

Most cyber insurance policies also place strict requirements on the insured to keep detailed records, secure their systems, and manage risks. If you fail to demonstrate that you took the steps required to protect your business against a breach, an insurer may deny your claim.

This isn’t to say that managing cyber insurance is infeasible. But it is to say that businesses shouldn’t underestimate how much effort goes into it.

3. Coverage Limitations

It’s easy to fall into the trap of assuming that as long as you’ve purchased cyber insurance, you’re covered against any and all cyber-related risks.

The truth, unfortunately, is that cyber insurance policies will always have exclusions or limitations regarding what they cover. “Insurers are demanding great security and are cutting back the amounts of cover they are willing to offer,” ZDNet reports. If you don’t read your policy disclosures very carefully, you may find that a breach you thought was covered is not.

Also, remember that merely interpreting coverage rules can be complicated – so complex that you may need to go to court to prove you are entitled to coverage. That’s what Merck had to do in a recent claim involving $1.4 billion in losses following a cyberattack. Merck, whose insurer said the claim was excluded from its cyber insurance policy because it was an act of war instead of a standard cyberattack, prevailed in that case.

But for smaller companies, in particular, this should be a warning: Going to court to defend your cyber insurance entitlements can be costly and time-consuming. Even if you have a legitimate claim, you may never get a payout if your insurer contests it and you lack the resources to defend it.

4. Claiming Insurance Takes Time

Even if you don’t have to go to court to get your insurer to payout, there’s no guarantee that cyber insurance will result in immediate financial assistance following a breach. The claims process could take months or even years, especially if it requires collecting detailed information about the source of a breach to determine whether the breach is covered.

If a cyber event causes significant financial disruption, then your business may not be able to survive it if the insurance claim process takes too long.

5. The Supply Chain is Not Insured.

In general, cyber insurance covers risks that affect your IT resources directly. Software supply chain threats originate in third-party systems and are not usually covered.

This is especially bad news given that advanced supply chain attacks are projected to increase by about 650 percent in the coming years. It means that investing in cyber insurance is not reliable for protecting against supply chain risks. For that, you need different tools – like a software supply chain risk assessment and disclosure platform.

Here is your supply chain security crisis management plan

The Future of Cyber Insurance

Cyber insurance may well evolve to close the gaps described above in the future. We may see a reduction in costs, for example, or the creation of new policies that specifically address supply chain risks. Indeed, the U.S. Government Accountability Office has found that more insurers are creating dedicated cyber insurance policies, which could lead to more comprehensive coverage down the line.

Even if that happens, though, it’s impossible to guarantee that any cyber insurance product will fully protect your business against all threats. That’s why it’s critical to invest in other tools that help you detect and respond to risks. The security blanket of a cyber insurance policy doesn’t suffice to keep your business safe.

We agree, by all means, to invest in cyber insurance if it makes sense for your business. But don’t blindly entrust your company’s financial health to insurance alone.

Instead, invest as well in solutions like Findings, which automates cyber risk assessment and management – including not just within your business’s environment but across your supply chain.

findings tech, security compliance, Vendor Risk Management

3 Predictions about CMMC 2.0’s Impact on Compliance Operations in 2022

Posted on March 14, 2022October 6, 2022 by Yogev Kimor

14
Mar

Most compliance frameworks change from time to time. But it’s sporadic to see the exceptional level of change that the Cybersecurity Model Maturity Certification, or CMMC, is currently undergoing. In a bid to make CMMC compliance more straightforward and affordable – and, by extension, help smaller businesses sign contracts with the U.S. Department of Defense, which requires CMMC compliance from its vendors – the U.S. federal government has revamped or rewritten critical components of the CMMC. The updated version is known as CMMC 2.0.

But, if you follow compliance news, you probably already know that the CMMC is evolving. You may not yet know what the CMMC changes mean for the typical business.

To provide some insight into that topic, here’s a look at the top three changes likely to result from the CMMC overhaul. Changes have already started to take effect over 2021 and will continue throughout 2022 for many businesses as they adapt to the brave new world of CMMC 2.0.

Here are the CMMC Compliance Requirements: Everything You Need To Know

Prediction 1: Increased CMMC compliance self-assessments

One of the most meaningful updates the government has made to CMMC is allowing self-attestation of compliance. Previously, businesses hired outside auditors to attest to their CMMC compliance.

Couple that change with the fact that the CMMC 2.0 has only three compliance steps instead of five, and it would seem very likely that we’ll see more and more businesses performing CMMC self-assessments in 2022 and beyond. Instead of hiring outside auditors and consultants, companies will take the more cost-effective self-assessment approach.

This change will also likely translate into a more significant number of SMBs becoming CMMC-compliant. In the days of CMMC 1.0, when compliance assessments cost a lot more, it was harder for smaller businesses to gain compliance attestation.

It’s essential to keep in mind that not every business can self-attest, of course. According to the DoD, only about 140,000 of the 220,000 total companies in the defense industrial base hold “federal contract-related data,” which entitles them to self-assessments. The rest will have to use the traditional, more costly assessment approach to get a higher level of assessment.

There are specific procedures to follow, including having a senior company official attest to your compliance and submitting the attestation to the Supplier Performance Risk System (SPRS). Keep in mind, too, that even if you self-assess, you can’t simply file a report and call your business CMMC-compliant. Still, the process is cheaper and easier than relying on outside consultants.

Prediction 2: More CMMC compliance transparency

More self-assessments will likely also contribute to a tendency among companies to embrace the principle of transparency when it comes to CMMC compliance. That’s because disclosing security vulnerabilities is an essential step toward making self-attestations credible.

As a result, expect transparency to become the rule, not the exception, for companies pursuing CMMC compliance. In particular, more businesses are likely to establish vulnerability disclosure programs to communicate clearly about security issues.

This will mark a significant shift from the present. Traditionally, companies have tended to be tight-lipped about vulnerabilities. They had only disclosed them when they were legally required to do so. But in the future, adopting a transparency approach to security and openness will help businesses establish their credibility and good-faith commitment to the CMMC – and, by extension, it will help position them to win government contracts.

Prediction 3: CMMC compliance will demand-supply chain security automation

While VDPs are one step toward transparency and self-assessing your CMMC compliance, another critical practice is automating software supply chain security. Given the sharp uptick in software supply chain security risks, that’s especially true.

Supply chain security automation tools make it fast and accessible to identify security risks within the supply chain and document and disclose them based on compliance requirements. Instead of manually tracking and disclosing risks, as they do today, businesses seeking CMMC compliance are likely to embrace supply chain security automation.

SMBs, in particular, are poised to take more significant advantage of supply chain security automation tooling, which will help them decrease compliance costs and complexity. (This is another reason, by the way, why the updated CMMC framework is likely to result in more involvement by SMBs in the CMMC space.)

Crystal balls

These are our predictions about how CMMC 2.0 will change the way businesses approach CMMC compliance. But since we here at Findings have built a world-class supply chain security and compliance automation platform, we’d like to think we have a pretty well-informed perspective on this topic.

We’d also like to think that, as more and more businesses seek solutions for automating CMMC compliance, they’ll turn to Findings. Findings offer the automated assessments, best practice recommendations, and reporting features businesses to need to self-assess and simplify compliance operations. In turn, it reduces the number of questions you need to answer during compliance processes from hundreds to just a few.

Ultimately, Findings places compliance with frameworks like CMMC within reach of every business, not just those with teams of compliance experts and expensive compliance consultants.

Learn more by signing up for a free trial

aicpa soc 2, findings tech, iso, iso27001, iso27017, iso27018, security compliance, soc 1, Vendor Risk Management

The Top 20 Cybersecurity and Supply Chain Conferences of 2022

Posted on March 1, 2022October 6, 2022 by Yogev Kimor

01
Mar

As the supply chain security and cybersecurity landscape evolve, the industry becomes increasingly savvy about protecting digital assets. This year brings a slew of events dedicated to managing and enhancing cybersecurity knowledge and awareness. Some events will take place in person, while others will be virtual, making it possible for anyone to participate. We love this new reality!

These conferences will not be missed, so open your calendar app and plan accordingly!

Cybertech Global TLV

March 1 – 3, 2022

Tel Aviv, Israel

Cybertech features a diverse array of speakers from dozens of countries worldwide who are leaders in the cyber industry. Top executives, government officials, and leading decision-makers in the field will give the talks and lectures at the event. Cybertech includes conference sessions, special events by invitation, and a grand exhibition allowing attendees to meet and mingle with one another.

Speakers include known industry personalities from Israel, the US, and Europe, including Amir Sage, Cyber Coordinator of the Cyber Security Department in Israel’s Ministry of Foreign Affairs; Merav Kenan, CEO of the Israeli High-Tech Association; Umino Atsushi, Director of the Office of the Director-General for Cybersecurity, MIC, Japan; and Janne Kankanen, CEO of the National Emergency Supply Agency of Finland.

Pharma Supply Chain & Security World 2022

Corvus Global Events

March 15 – 16, 2022

Online

Counterfeit drugs are an ongoing problem for pharmaceutical companies that enter the supply chain at several points. This virtual event focuses on optimizing supply chain challenges in the pharmaceutical supply industry. In this online conference, participants will learn to create value across the supply chain by streamlining and designing an optimal supply chain network.

Innovations like IoT, AI, ML, and blockchain will be explored for their applications in transforming the pharmaceutical supply chain.

Among the speakers at the Pharma conference is Emre Gollu, Supply Chain Associate Director at UCB, and Himanshu Agrawal, Director – Global Process Owner & Innovation Lead, Supply Chain Logistics at GSK.

Women in Cybersecurity

March 17 – 19

Cleveland, Ohio

The three-day WiCyS conference is the flagship event of Women in Cybersecurity. This organization has been around for a decade and is dedicated to advancing the role of women in the field of cybersecurity. The conference brings together veterans and newcomers to the industry from all walks of life and offers resume review and career mentoring opportunities.

This event is focused on opportunities for women but is open to all genders.

A slew of workshops, presentations, panel discussions, and more will feature speakers such as Sarba Roy, Product Security Engineer at Intel, and Natalie Pittore, Chief of Enduring Security Frameworks at the NSA.

CISO Sydney

March 22 – 23, 2022

Sydney, Australia

Managing digital assets and services risks for supply chain security will major this year’s CISO Sydney event. At this event, Australia’s leading experts in information security will share their insights into improving cybersecurity culture and awareness. CISO Sydney encourages participants to “Be inspired, collaborate, disrupt.”

The featured keynote speaker is the Honorable Karen Andrews, MP Minister for Home Affairs of the Australian government.

She will discuss the government’s plans to protect the country, communities, and industries against cyberattacks. CISO Sydney promises to be a lively, social gathering exploring how Australian organizations approach cybersecurity from a holistic perspective.

Cybertech Miami

(This conference was postponed)

Miami, Florida

This year’s Cybertech family of conferences will include an inaugural event in Miami. The summit will gather cyber leaders from the United States and Latin America to discuss challenges and solutions in cybersecurity today.

Some of the themes will include the role of media organizations in cybersecurity, cyber influence on intelligence-gathering, and the impact of 5G technology on cybersecurity. The full lineup of speakers at Cybertech Miami is yet to be announced, but seeing as this event is part of the Cybertech Global family, it promises to be an exciting, dynamic conference.

The Official Cyber Security Summit

March 25, 2022

Atlanta, GA and online

This 7th annual daylong conference is jam-packed and focuses on educating attendees about protecting vulnerable business applications and critical infrastructure. It offers attendees the opportunity to meet some of the leading solution providers in the United States and discover products and services bringing innovation to enterprise cyber security.

The sessions, presentations, and panel discussions feature some top cybersecurity experts today. Admission includes meals and networking opportunities, and a virtual live-stream option is available.

Chad Hunt, Supervisor of the FBI’s Computer Intrusion Squad, will be a keynote speaker at the summit. Those looking to get a head start can already access the summit’s online Security Content Sharing portal to learn about protecting businesses from cyber attacks.

GFMI’s 14th Edition Third-Party Vendor Risk Management for Financial Institutions

April 11 – 13, 2022

New York, NY

The Global Financial Markets Institute’s 14th edition event will offer third-party risk professionals innovative perspectives on supply chain resilience and provide new insights into managing third-party risk.

Taking place in the heart of the world’s financial center, speakers at this event include some of the foremost experts in cybersecurity and risk management from the big banks.

Key sessions include Scotiabank’s talk on boosting supply chain resilience and MUFG Union Bank’s session on identifying concentration risk. Among the notable speakers are Donald Saxinger, Chief of IT Supervision at FDIC, and Dolly Singh, Managing Director, Global Head of Corporate Third Party Oversight at JP Morgan.

Supply Chain Meetup

April 26 – 28, 2022

Online

Focused on the retail supply chain’s current state and evolution, Supply Chain Meetup is a virtual gathering that provides collaboration, networking, learning, and career development opportunities. The online event will bring together hundreds of experts from across the retail supply chain. The full lineup will be announced in the coming weeks.

Cybersecurity and Privacy Professionals Conference

May 3 – 5, 2022

Baltimore, MD

This event allows attendees to discuss trends and issues in information security and privacy with their peers and hear from some of the leading solution providers in the field.

The theme of this year’s conference is The Future is Ours to Shape: Developing Staff and Operations for Tomorrow’s Cybersecurity and Privacy. Cybersecurity and privacy professionals were invited to submit their proposals for this grassroots educational event, including information-sharing, networking, and collaboration.

Cybertech Asia

(Postponed: Cybertech Asia has been postponed till May 2023 )

Sands Expo, Singapore

Cybertech Asia will take place in Singapore next summer. The event will be being held in partnership with Milipol, Asia-Pacific’s leading international homeland security international event. The conference will feature a range of sessions and special events on cybersecurity. The entire speaker schedule is yet to be announced, but interested parties can already get involved through an online portal that can be used for networking with other conference-goers.

Cybertech Asia serves as a dialogue on threats and solutions that impact the global community. Topics covered at the conference include finance, mobile, health, mobility, insurance, and more.

RSA San Francisco

June 6 – 9, 2022

San Francisco

At the four-day RSA Conference, cybersecurity professionals come together to discuss perspectives and challenges and network with one another. The event features an Expo in which attendees will find products and solutions and a digital-only option for those unable to attend the conference in person.

Some of the notable speakers include Dr. Christopher Pierson, Founder and CEO of BlackCloak. Tim Weston, Cybersecurity Coordinator at the DHS/TSA, and Alyssa Miller, Business Information Security Officer at S&P Global Ratings.

Gartner Security and Risk Management Summit

June 7 – 10, 2022

National Harbor, MD

The Gartner Management Summit is aimed at chief information security officers and leaders in cybersecurity and risk management. It will feature keynote speakers from leading IT security personalities alongside experts from Gartner’s team of unbiased analysts. The conference will focus on establishing an agile security program, fostering a human-centric security culture, and devolving risk ownership.

Participants will choose to attend sessions from among eleven unique tracks, such as Cyberthreat: Mitigation, Preparedness, Exposure Management; Infrastructure Security; Midsize Enterprise; Identity and Access Management, and several others.

Cybertech Global UAE – Dubai

June 13 – 14, 2022

Dubai, United Arab Emirates

Cybertech Dubai will focus on timely topics in cybersecurity with industry experts and government officials worldwide. Cybertech Dubai features a diverse range of speakers in the global hub that connects Europe, Africa, and the Far East.

The sessions and special events will focus on AI, Advanced IoT, big data, cloud, blockchain, and more. Leaders will deliver talks in government and enterprise from throughout the US, Europe, the Middle East, and Asia.

Total Security Conference Hong Kong

July 7, 2022

Hong Kong

CISOs, heads of IT, heads of security, and regulators face a rapidly-changing climate filled with new vulnerabilities. As cyberattacks become more sophisticated and remote work becomes the norm, security and risk mitigation priorities evolve. The 8th annual Total Security Conference focuses on ensuring a seamless transition to virtualization through efficiently securing data, endpoints, and operational touchpoints. This conference features information sessions, meetings, and networking to allow corporate, public, and government agencies to enhance their approach to cybersecurity.

The lineup of speakers is not yet finalized; stay tuned…

CSO50 Conference and Awards

September 2022

Location to be announced

The CSO50 Conference and Awards feature risk strategies for rising threats. It will showcase innovation to protect and defend risk leadership and innovation to preserve and defend risk leadership and innovation.

Top leaders in risk management and cybersecurity will be awarded at the conference and present talks on recent developments in the industry.

Some of the speakers slated to present at this conference include Keith Slotter, VP Corporate Security at JetBlue Airways; Nicole Ford, VP & CISO at Carrier; and Jessica Bair, Director of the Cisco Secure Technical Alliance at Cisco.

National Cyber Summit

September 21 – 22

Huntsville, Alabama

NCS2022 is billed as the nation’s most innovative cybersecurity-technology event. It offers educational, collaborative, and workforce development opportunities for industry visionaries and rising leaders in the field.

The summit will bring together leaders of both enterprise and government organizations to discuss digital forensics, supply chain cybersecurity research, data mining, and the societal impacts and ethics of cybersecurity. Several tracks of the conference will run concurrently, and the list of speakers includes Chris Cleary, Principal Cyber Advisor of the US Navy; Brian Turner, Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch of the FBI; and Merritt Baer, Principal Security Architect at Amazon Web Services.

InfoSec World

September 26 – 29, 2022

Coronado Springs, Lake Buena Vista, Florida

One of the longest-running events of its kind, InfoSec World is in its 28th year and offers some of the industry’s premier education and networking opportunities. This year’s conference includes summits and workshops on supply chain security, ransomware, threat testing, cryptocurrency, cloud security, and more. Each of these topics will be expanded upon at the conference, such as the cloud security summit and supply chain workshop, taking place on the event’s final day.

Speakers are yet to be finalized, and the world’s leading companies have been presenters at previous InfoSec conferences. InfoSec World provides attendees with the tools and information they need to stay at the forefront of today’s cybersecurity challenges.

International Cyber Expo

September 27 – 28, 2022

London, England

The International Cyber Expo unites government, industry, and academia at a series of roundtable discussions, pavilions, exhibitions, demonstrations, and a summit. All focused on the primary issues facing cybersecurity professionals today. The expo will also showcase the latest products, technologies, and services from over 350 leading industry suppliers. Attendees will include leaders in cyber policy, government, CISOs, export leaders, and other C-suite professionals coming together to discuss protecting and securing high-level networks.

Cyber Security World Asia

October 12 – 13, 2022

Marina Bay Sands, Singapore

This event brings together industry leaders from some of the top cybersecurity companies throughout Asia and the world. Cyber Security World is suitable for security professionals in dozens of roles who share a common desire to invest in cybersecurity and defend their businesses from cyber threats.

This year’s lineup is still being finalized, but past exhibitors include the world’s leading cyber security suppliers and the latest technologies and solutions. An exciting rapid-fire pitch showcase will feature at the conference, allowing companies to pitch their products and solutions to potential investors, partners, and customers.

Insider Threat Summit

3 November 2022

Monterey, California

The Insider Threat Summit unites government agencies with private enterprises to discuss the problem of insider threats. This year’s conference will focus on vulnerabilities about cybersecurity challenges. Topics will include risk analysis and continuous evaluation or monitoring, AI and machine learning, economic espionage, counterintelligence, threat monitoring, and more.

There you have it – our picks for the top 20 cybersecurity and supply chain security events of 2022. Whether you plan to attend in person or join some of these events virtually from the comfort of your own home, you’re sure to gain valuable insights into the latest cybersecurity developments.

Waiting for that next conference and eager to learn more about automating your supply chain security? Request a demo

findings tech, security compliance, Vendor Risk Management

Prioritizing Third-Party Assessments by leveraging Inherent Risk

Posted on January 31, 2022October 6, 2022 by Jonny

31
Jan

In third-party risk management, inherent risk is defined as the level of risk on your organization.

Therefore, the inherent risk represents the natural level of risk that your organization will incur by working with a particular vendor (without managing that risk and/or mitigating security gaps).

Why is Inherent Risk so Important?

As a work tool, inherent risk enables the security team to map the organization’s critical vendors. Subsequently, the organization can prioritize the third-party assessment process.

Here is a quick example:

Let’s assess two vendors: Vendor A and Vendor B.

Vendor A offers on-premises software development services with an inherent risk score of 80. The score is calculated by:
The risk from potential data leakage from unsecured development methods;
Exposure to the company’s business information and procedures; and
Exposure to employee personal identifiable information (PII).

Conversely, Vendor B offers a cloud-based Security as a Software (SAAS) product with an inherent risk score of 86. The score is calculated by:
An additional, potential uncontrolled attacking vector;
The cloud service provider and the vendor’s implemented security controls; and
The service availability risk.

By mapping all of the potential ‘known’ risk factors, the security team can prioritize an assessment audit for Vendor B because Vendor B’s inherent risk score is higher than Vendor A’s.

Inherent Risk vs. Residual Risk

The difference between inherent risk and residual risk is that inherent risk represents the risk score before the organization takes any action to mitigate the risk. (The residual risk, therefore, represents the risk remaining after the vendor replied to a security/regulatory assessment request, and all the gaps have been mitigated.)

More significantly, residual risk is the risk an organization is willing to take after all considerations have been accounted for.

How to Create an Inherent Risk Score Methodology?

To calculate the inherent risk for a vendor, the organization’s security team needs to consider all the aspects of the organization that the vendor’s proposed service can compromise.

A handful of examples are as follows:

Technology – In case of downtime, how the technology will affect your service.
Compliance – Appreciating the vendor’s compliance with the relevant regulations and how it processes their data.
Legal – Exposure to lawsuits and fines.
Privacy – The risk from handling, managing, and/or processing PII by third-party vendors.
Business Continuity Plan (BCP) – Continuity, availability, and integrity are the three key factors of risk that an organization will be exposed to whenever they work with a vendor.

To create an effective inherent risk methodology, you must consider:
a. The impact of the vendor’s service on your business; and
b. The probability (or, rather, the likelihood) that their service will become an issue to your organization.

Ultimately, during the procurement or ongoing process, you need to ask (either yourself or the relevant personnel in the organization) a set of questions. The answers to those answers will enable you to produce a risk score that provides you/your organization with a clear understanding of the threat your organization faces due to working with a particular vendor.

How to Implement a Successful Onboarding Process for a Vendor?

A security assessment process is a lengthy one, mainly if the assessment is done manually over an excel spreadsheet.

Generally speaking, the process for many organizations contains:

A new vendor starts the procurement process;
The procurement officer approaches the security team;
The security team return to the procurement officer with the inherent risk (vendor profiling) questions;
The procurement officer sends the assessment to the vendor by email in an excel spreadsheet.
The vendor answers the questions in the excel spreadsheet (or ignores them).
A final decision is made.

The described process may take between three to four months to complete, and this does not even take into consideration:

a. The gaps that may have been found during this process (the residual risk);
b. The reduction plan that the vendor needs to respond to; and
c. The high risk the organization may face is because of the time that passes from starting to work with the vendor to the mitigation of the gaps.

Furthermore, the security team faces significant problems managing the risks from all the other third parties working with the organization by conducting a manual process.

Neglecting the “Longtail” Vendors

Due to the effort, time, human resources, and cost of maintaining the onboarding mentioned above process for all the organization’s third-party vendors, organizations tend to focus on 15%-20% of their most critical vendors. Consequently, organizations tend to neglect their “longtail” vendors, i.e., small, low- to medium-risk vendors.

At Findings, we conducted an internal study that found organizations at an astonishing 30% exposure to significant market vulnerabilities (SolarWinds, Kasya, etc…) due to their neglect of their “longtail” vendors.

Since the COVID-19 pandemic started, it has become routine for nefarious players online to exploit the vulnerabilities of third-party vendors to attack an organization. An organization can’t “hope for the best” anymore. The security team must scale the process to the entire supply chain.

How to Streamline the Procurement/Security Process?

To set, manage, and scale an efficient third-party assessment process that will enable all parties to have a continuous, hands-on capability, the organization must streamline the process using automation tools.

By implementing an automation tool, you need to look for a service that supports the process end-to-end, one that gives you the flexibility to make changes and adjustments when necessary.

Findings’ Approach to Inherent Risk

Streamline the internal process between departments to evaluate the inherent risk for every vendor rapidly;
Provide a pre-defined inherent risk model; and
Customize your own inherent risk.

How Can You streamline the Internal Process between Departments to Evaluate a Vendor’s Inherent Risk?

Findings have replaced internal back and forth communication by emails during the onboarding process of a potential new vendor or as an ongoing requirement by regulations. Instead, we used the questions found in the excel spreadsheet (the “questionnaire”) and wrapped them into a process that we call “BO” (Business Owner). In other words, our platform enables an internal resource to open a new vendor audit request to the security team.

Additionally, the process is designed to automatically produce an inherent risk score, so the security team only needs to open the new request, see the score, and prioritize accordingly.

Lastly, every member of the process is always notified whenever there is a change in the vendor’s status during the process.

findings tech, iso, iso27001, iso27017, iso27018, security compliance, Vendor Risk Management

For Holistic Supply Chain Security, Think Beyond CMMC 2.0

Posted on January 23, 2022April 9, 2023 by Yogev Kimor

Findings.co | supply chain | security | ESG

23
Jan

When it comes to supply chain security, fixating on Cybersecurity Maturity Model Certification (CMMC) compliance is kind of like going on a fad diet. Just as achieving overall nutritional health requires more than subsisting on, say, cabbage soup or grapefruit juice for a week, CMMC compliance is only one step toward good cybersecurity hygiene. Achieving CMMC compliance may help you mitigate software supply chain security risks in the short term, but you’ll need to do more than pass a CMMC audit to ensure ongoing, reliable supply chain security.

CMMC compliance is important, to be sure, which is why we’ve prepared a comprehensive guide to CMMC compliance controls and requirements. But as this blog explains, your cybersecurity strategy should extend beyond CMMC compliance alone, even in the age of CMMC 2.0.

CMMC 2.0 compliance: The basics

There has been a lot of buzz about CMMC compliance over the past year. The hype reflects, first, the recent release of the updated CMMC 2.0 compliance guidelines, with which businesses need to comply if they want to sell to the U.S. Department of Defense. CMMC 2.0 has been called a “leaner and more flexible version” version of CMMC, making it easier to achieve compliance – provided vendors take the time to master the many new changes that CMMC 2.0 brings.

At the same time, software supply chain attacks like the SolarWinds hack, which impacted a number of government agencies, has helped shine a spotlight on CMMC as a way for organizations to mitigate risks that lie within their supply chains.

The fact that it could take up to two years for CMMC 2.0 requirements to come into effect means that businesses have some time before they actually need to implement changes. Still, given how complex CMMC is, now’s a great time to start preparing for compliance, if you operate in an industry that CMMC affects.

Here are the CMMC Compliance Requirements: Everything You Need To Know

What’s in the CMMC protocol?

For that purpose, our CMMC 2.0 compliance checklist, which spells out the steps to take to prepare for CMMC 2.0 compliance, is a great place to start.

As the CMMC checklist explains, adapting to CMMC 2.0 rules requires:

Determine whether CMMC applies: The first step in meeting CMMC 2.0 requirements is figuring out whether you even need to meet them. As our checklist explains, CMMC’s scope is evolving; in some cases, businesses are requiring their partners to be CMMC-compliant as a way of enforcing good cybersecurity hygiene, regardless of whether there is a government mandate for CMMC compliance. Thus, if you didn’t need to meet CMMC mandates before, you may now, even if you don’t do business with the DoD.
Determining your CMMC compliance level: There are now three CMMC compliance levels – Foundational, Advanced and Expert. The level you need to meet depends on what type of business you do and how many risks exist within your own supply chain.
Identify CMMC 2.0 compliance gaps: Once you know which compliance level you need to meet, you can determine what you’re currently not doing, but need to start doing, to meet its compliance requirements. You can use a tool like Findings to perform a compliance assessment in order to identify gaps.
Remediate CMMC compliance gaps: After identifying your gaps, remediate them by addressing the security risks within your supply chain. Here again, Findings can help automate the process by providing remediation guidance.
Conduct a CMMC audit: For CMMC level three compliance, you’ll need to conduct an audit and certification using DoD-qualified auditor. For other compliance levels, you can use Findings to perform continuous self-assessments to ensure that you remain CMMC-compliant for the purposes of securing your supply chain, even if you aren’t required to demonstrate compliance to an external auditor.

A holistic supply chain security strategy

As noted above, CMMC compliance is one pillar of a modern cybersecurity strategy. But it’s only that: One pillar.

Indeed, even a former CIA officer says that even the updated version of CMMC is likely not enough to address all cybersecurity risks.

Let us elaborate on that point: Because the CMMC rules were designed with supply chain security specifically in mind, achieving CMMC compliance is a great way to mitigate security risks within your supply chain. This is why, again, more and more businesses are requiring CMMC compliance even if they don’t do business with the U.S. military, and therefore don’t have an official mandate to be CMMC-compliant.

But as you’ll see if you check out our CMMC compliance checklist in detail, the CMMC rules don’t cover every facet of supply chain security management. To do that, you need a holistic set of people, process and controls to secure your supply chain. More specifically, you’ll require:

Processes: Security processes are what the CMMC does cover. It spells out processes for implementing protections like access controls and physical security.
People: Processes in frameworks like the CMMC are complex. To follow them, you need people with the requisite expertise. Keep in mind, however, that you can reduce the level of expertise necessary by leveraging tools – such as Findings – that help to automate complex compliance processes.
Technology: You need technology in the form of tools that allow your people to implement processes like those detailed in the CMMC. The CMMC doesn’t tell you which tools to use; it just tells you what the tools should be able to achieve.

They don’t, for example, extend to creating a Vulnerability Disclosure Program.

Nor do they enforce the rapid security incident response that is necessary in today’s fast-moving world, where identifying supply chain risks is only half the battle. The other half is remediating the vulnerabilities quickly enough that your supply chain doesn’t kink up and place your business at risk.

To meet challenges like these, you need an automated, efficient means of identifying and managing supply chain risks across the entire risk lifecycle. CMMC compliance addresses only part of this challenge.

Conclusion

Findings can help businesses of all types build a supply chain security strategy that includes, but is not limited to, meeting CMMC 2.0 requirements. Use Findings to identify your compliance gaps and remediate them to meet CMMC 2.0 rules. At the same time, lean on Findings to ensure you can react rapidly and systematically when supply chain risks emerge.

Schedule a demo to learn more.

aicpa soc 2, findings tech, security compliance, soc 1, Vendor Risk Management

What Do Log4j, Kaseya, Godaddy, And Panasonic All Have In Common? Supply Chain Attacks Damage Revealed

Posted on January 13, 2022August 31, 2022 by Yogev Kimor

13
Jan

Remember when Bill Nighy famously sang in Love Actually that “Christmas is all around us“?

If Nighy were singing that song today – and if he were playing a cybersecurity expert rather than a washed-up pop artist – the lyrics might instead go, “Supply chain attacks are all around us.”

Supply chain cyber-attacks remain a severe and persistent challenge for businesses across the planet.

They pose a tremendous and longer-term threat – partly because many businesses remain so poorly prepared to detect this type of cyber risk, let alone manage it, and partly because software supply chain attacks keep occurring despite dogged efforts to stop them.

To prove the point, here’s a look at four of the most significant software supply chain breaches that have taken place over the past year. Some have received widespread coverage in the media, while others have remained out of the spotlight except within cybersecurity circles. But they all underline just how pervasive supply chain risks have become for businesses of all types and sizes.

The Log4j supply chain fiasco

For starters, take the Log4j vulnerability, an exploit that observers have called the “biggest vulnerability in decades” and promises to “haunt the Internet for years.”

The vulnerability, which was disclosed in November 2021, affects an open-source logging utility called Log4j, which is widely used as part of Java-based software stacks – so widely that it threatens “millions” of applications across the Internet, at companies ranging from tech titans like Google and Microsoft, to humble SMBs, and everyone in between.

The vulnerability enables attackers to gain remote access to applications that use Log4j. From there, attackers can also breach the underlying servers and network – which means the Log4j hack is essentially a wide-open door to businesses’ entire IT estates. This makes Log4j a worst-case scenario when it comes to supply chain risks. To get a better idea of the pandemic type spread and the devastation it caused, attacks were discovered on the 9th of December, and by the 11th of December 40, 000 attacks were reported. This increased to 800,000 attacks within 72hours of i’s discovery. Attackers tried to exploit 48% of global corporate networks, showing staggering numbers and the power these hackers have.

It’s hard to put a specific dollar figure on the Log4j vulnerability, mainly because it was recently disclosed. It remains to be seen how quickly affected systems will be patched. But given the severity of the vulnerability and the vast number of businesses it impacts, it’s not unreasonable to imagine that enterprises that fail to address the vulnerability quickly could collectively face billions of dollars in losses due to sensitive data exposure, operational disruptions, and compliance violations.

The SolarWinds breach

Probably the second most famous supply chain breach in recent history targeted customers of SolarWinds, whose network monitoring software was hacked. By inserting malicious code into the source code of the SolarWinds platform, attackers were able to build themselves a backdoor into the private networks of at least 18,000 government agencies and private companies.

The attack has already cost SolarWinds itself $18 million. It’s unclear what financial losses look like for businesses impacted by the breach. Still, as with Log4j, the economic fallout could be steep for organizations that suffer data leakage and IT disruptions by failing to address the risk quickly.

What’s especially noteworthy about the SolarWinds breach (beyond the high-profile targets it compromised) is that the attack reportedly began in early 2019 but wasn’t disclosed publicly until December 2020. It’s an example of a supply chain attack wherein hackers had access to a private environment for well over a year before any victims even knew it was happening.

The Kaseya supply chain breach

A similar supply chain crisis befell users of Kaseya, an IT management platform used by thousands of Managed Service Providers (MSPs) and other businesses in the IT industry.

In the Kaseya attack, threat actors manipulated Kaseya’s software to allow them to deploy REvil ransomware into IT environments that are managed using the Kaseya platform. As a result, this hack of a single platform reportedly placed more than 1,500 companies at risk.

That’s a small figure compared to some of the other major supply chain breaches of the past year. But it’s still stunning when you realize that the violation of a single software platform gave attackers access to the networks and data of well over a thousand organizations.

The Panasonic breach leaks customer data.

Panasonic disclosed in November 2021 that one of its file servers had been compromised. The breach was active for months before being discovered.

Although Panasonic was initially tight-lipped about which data attackers were able to access, subsequent reports assert that customer information was leaked. It remains unclear exactly how many customers were impacted or what their actual financial losses might be; what we do know, however, is that by breaching a single server at a primary vendor, attackers were able to compromise sensitive information associated with a large number of businesses.

In that sense, the Panasonic breach represents a unique supply chain attack: One that compromises data that businesses share as part of supply chain operations. It’s a reminder that it’s not just your software vendors who can create security risks within your supply chain but also any businesses with whom you share sensitive internal data.

The GoDaddy breach of 2021

In a similar incident, GoDaddy, the widely used hosting company, announced in November 2021 that a data breach had led to the exposure of data involving 1.2 million customers.

Especially notable about this incident is that it wasn’t just recorded like customer names and addresses that were leaked. SSH keys and database login information were also reportedly exposed, giving attackers the ability to access millions of systems hosted on the GoDaddy platform.

In that respect, this data breach was just as bad as a software breach like the SolarWinds or Log4j vulnerabilities, which gave attackers remote access to the environments of companies that use those platforms.

The Accellion breach

Accellion is well known for secure file sharing and collaboration software. In December 2020, Accellion’s file transfer application suffered a zero-day exploit. Shortly after, they provided a patch for the vulnerability; This was not enough, and during the following month’s threat, actors successfully targeted Accellion again. New vulnerabilities were revealed, and threat actors combined multiple zero-day exploits and a new web shell targeting. Following this, another patch was released.

The security breach had devastating consequences affecting 300 customers worldwide. There are claims that the cyber group UNC2546 is likely responsible for the chaos as they sent emails to people threatening to publish their data.

You are sure to know these organizations caught in the ripple effect, such as Shell Oil Company, the University of California system, the Australian Securities and Investments Commission, and the Reserve Bank of New Zealand.

Sadly, the breach impacted millions of individuals’ sensitive data by stealing ID numbers, credit card information, and banking details.

The class-action lawsuit filed by the plaintiffs’ stated that Accellion failed to secure their FTA platform and implement sufficient security for their customers’ sensitive information.

According to a Reuters report, Accellion has paid $81million in settlements for the data breach.

The HP printer vulnerability

You may not think of your printer as a significant cybersecurity risk. But if you own one of the more than 200 HP printer models affected by a major vulnerability, it’s time to think again.

The vulnerability enables a buffer overflow attack, which hackers can use to execute their chosen code from a remote location. Although the code would run on a printer rather than a computer or server, most printers are connected to local networks. This vulnerability could serve as a beachhead, which attackers can use to launch attacks against other devices on the web.

There are no reports of significant attacks that exploit the HP printer vulnerability. Still, it’s not hard to imagine hackers using this flaw to launch major ransomware attacks against businesses that use HP printers.

The Nvidia hack

Nvidia, the primary manufacturer of GPUs (Graphics processing units), was one of the highest-profile companies to suffer a large-scale breach in 2022.

The attack, which a hacking group called Lapsus$ claims to have carried out, led to the leakage of 1 terabyte of sensitive data. Nvidia has not given a complete account of the lost data, but it included proprietary source code and employee login information. Lapsus$ hackers have already posted some of the stolen data online.

While it’s difficult to put a monetary figure on the cost of the attack without more details about exactly which data was lost, it’s safe to say that the financial impact was substantial. The breach harmed Nvidia’s reputation, but the exposure of sensitive source code could also help Nvidia’s competitors learn more about how some of its most profitable products work – which is not a good thing from a business perspective.

The Okta breach

Lapsus$ has also been busy this spring posting sensitive information it claims to have stolen from Okta, an authentication company used by thousands of organizations worldwide.

The attack happened not because hackers expertly exploited a vulnerability but because they gained physical access to an Okta employee’s laptop. (Lapsus$ later claimed that it breached a thin client instead of a computer. Either way, it’s clear that gaining access to a single employee’s device allowed the hackers unfettered access to a large portion of Okta’s infrastructure.)

Given that Okta is in the business of preventing unauthorized access to applications and infrastructure, this attack is a little ironic. It’s also a reminder of why companies should take measures – like enforcing two-factor authentication, to ensure that an attack against a single device can’t turn into a large-scale, supply chain cyber security threat.

Staying ahead of supply chain attacks

Incidents like those described above are reminders that supply chain attacks are all around us. If your business hasn’t been affected yet, you’re probably just lucky.

But the good news is that there are practical steps you can take to minimize your risk of suffering software supply chain breaches. Start with vetting your vendors and partners to adhere to solid cybersecurity standards. You may also consider enforcing compliance rules within your supply chain networks. Remember to educate your cybersecurity team in managing the particular risks associated with supply chain threats.

Schedule a demo to learn how Findings can help automate supply chain risk management.

What Is a Coordinated Vulnerability Disclosure Program?

The Benefits of Coordinated Vulnerability Disclosure

– Reduced vulnerability impact

– Build internal processes

– Combined stakeholder response

– Avoid surprises

– Ethical corporate behavior

5 Steps for Creating a Coordinated Vulnerability Disclosure Program

1. Create secure reporting channels

2. Assess vulnerability severity

3. Remediation

4. Public awareness

5. Assess your response

Coordination leads to the best outcomes

What is a cybersecurity crisis management strategy?

Supply chain security: Your crisis management plan

Step 1: Risk assessment

Step 2: Formalize your security and risk management plan

Step 3: Practice cyber drills

Step 4: Make crisis management a collective business responsibility

Step 5: Leverage crisis management

Four reasons to implement CMMC

1. Independent cybersecurity validation

2. Holistic cybersecurity best practices

3. Increased revenue

4. Enhanced security maturity

The main purpose of vulnerability disclosure

1. Compliance policies

2. Contractual obligations

3. Supply chain obligations

4. Risk management and assessment

5. Insurance coverage

6. Incident response plans

How vulnerability disclosure statements optimize security

What Does Cyber Insurance Cover?

5 Potential Disadvantages of Cyber Insurance

1. High Costs

2. Management Challenges

3. Coverage Limitations

4. Claiming Insurance Takes Time

5. The Supply Chain is Not Insured.

The Future of Cyber Insurance

Prediction 1: Increased CMMC compliance self-assessments

Prediction 2: More CMMC compliance transparency

Prediction 3: CMMC compliance will demand-supply chain security automation

Crystal balls

Why is Inherent Risk so Important?

Inherent Risk vs. Residual Risk

How to Create an Inherent Risk Score Methodology?

How to Implement a Successful Onboarding Process for a Vendor?

Neglecting the “Longtail” Vendors

How to Streamline the Procurement/Security Process?

Findings’ Approach to Inherent Risk

How Can You streamline the Internal Process between Departments to Evaluate a Vendor’s Inherent Risk?

CMMC 2.0 compliance: The basics

What’s in the CMMC protocol?

A holistic supply chain security strategy

Conclusion

The Log4j supply chain fiasco

The SolarWinds breach

The Kaseya supply chain breach

The Panasonic breach leaks customer data.

The GoDaddy breach of 2021

The Accellion breach

The HP printer vulnerability

The Nvidia hack

The Okta breach

Staying ahead of supply chain attacks

Welcome to Findings

Payment

Thank you for signing up!

Thank you for signing up!