How to mitigate risks caused by supply chain software

Performing penetration testing and engaging in red teaming are two ways companies can identify and evaluate cybersecurity risks to the software they use to manage supply chains.

As the number of cyberthreats to enterprise supply chain software continues to increase, organizations must limit their impact by evaluating those risks and developing ways to mitigate them.

Test your software to evaluate risks

Penetration testing and red teaming are two ways you can evaluate the risks to your supply chain software, said Thomas Etheridge, vice president of services at CrowdStrike, a cybersecurity firm in Sunnyvale, Calif.

"You look at how an attacker might take advantage of that software and application to introduce a threat to downstream organizations or companies," he said.

In penetration testing, a company hires an outside firm to determine whether an application is susceptible to an intruder gaining access or manipulating the app through vulnerabilities in the software, Etheridge said. The firm will do scans of the software to see how easy it would be for an attacker to gain control or access to that application.

A red team engagement can be likened to a penetration test on steroids. A red team really gets to test whether an application is vulnerable, according to Etheridge.

"It is taking really seasoned resources who know attacker tactics and techniques and doing some threat intelligence to understand what information they have that an attacker is interested in gaining access to," he said. "And then using those attacker tactics and techniques to actually perform an attack on that application. It's much more advanced than typical penetration testing or scanning."

Organizations need to evaluate their cybersecurity postures from a technical, as well as a process perspective, said Matthew Butkovic, acting technical director for risk and resilience in the CERT Division of the Software Engineering Institute at Carnegie Mellon University.

Butkovic agrees that the way companies can evaluate their technical architectures is by performing penetration testing and engaging in red teaming.

"The most important point is that companies are mimicking a type of adversary behavior," he said. "So they'll evaluate themselves assuming they have a very sophisticated adversary or a less sophisticated adversary."

Identify risks with a risk assessment

Another way an organization can identify whether it's exposed to cybersecurity risks is by doing a risk assessment, said Eddie Habibi, founder and CEO of PAS Global, a provider of industrial control system cybersecurity in Houston.

Many companies, including the big four consulting firms, offer this service, which provides clients with a checklist to ensure they are following certain methods and taking the right steps to protect their systems, he said.

One of those steps is to confirm third-party suppliers are meeting the cybersecurity requirements of the enterprise.

"Let's say XY company in your supply chain has 1,000 employees and maybe 5,000 computing devices," Habibi said. "You do an assessment of those devices to see if they're up to date with the latest patches of Windows, for example. That is one of 100 or 200 checks that can be done to assess the security posture of a company."

Organizations should also determine the current state of the supply chain software they're running, said Adam Brown, manager of security solutions at Synopsys, a provider of application security services in Mountain View, Calif.

"That could be done with an audit or even something like a penetration test that will give you an idea of how secure you are or not," he said. "What you'd be looking for is whether the software is vulnerable and if the necessary patches have been applied."

But it's not enough for an organization to identify how secure its software is -- it also has to deal with the risks that were identified following the assessment or test. However, the enterprise may not have to address every risk that was identified, Brown said.

"These things tend to be risk-ranked, so you have everything from critical to high, medium and low to informational," he said. "While you might not need to fix the informational finding, you absolutely want to concentrate really hard on making sure that the critical findings are mitigated as soon as possible."

According to Brown, good penetration testers will have remediation advice within their reports. At the very least, there should be recommendations for fixing the problems, which could be as simple as applying patches or upgrading to the latest version of the supply chain software.

"Maybe one of your vendors hasn't really thought about security properly and maybe there's an architectural problem," he said. "Then the whole thing would have to be rearchitected. I would hope that the vendors themselves would have gone through some security activities as part of the design."

If that's not the case, the enterprise may want to require that vendors connect to its network via a virtual private network connection rather than via the internet.

"That way, only trusted suppliers can get into the network where the supply chain software is running," Brown said. "It's not ideal, but it goes some way to mitigating vulnerabilities at least by making it safe from complete outsiders -- hackers who might be looking for these kinds of flaws."