In today’s corporate sphere, virtually all companies depend, to some degree, on software systems supplied by third-party vendors. These include systems for accounting, back-office operations, and IT and cybersecurity support. Despite the prevalence of this practice, some organizations underestimate the risks associated with dependence on third parties. Unfortunately, the recent widespread CrowdStrike outage that occurred on Friday, July 19, 2024, highlights the impact organizations of any size may face. A problem with a software rollout caused the systems that rely on CrowdStrike to crash, turning a protective product into a source of failure for the very systems it was intended to safeguard.
As a result, the primary question Executive Leadership teams and Board members are asking, beyond the immediate incident response and operational issues associated with this failure, is: How can my organization avoid a substantial impact like this in the future?
All organizations that rely on third-party software are potentially exposed to risks associated with their software supply chain. These risks include the following:
- Lack of comprehension of risks involved in the software supply chain
- Insufficient policies and screening processes for vendors
- Overly trusting software and patch implementation procedures
- Inadequate code review
- Poor management of administrative access rights
- Failure to embrace zero-trust architecture principles
- Lack of continuous supply chain monitoring
Three Steps To Help Mitigate Supply Chain Failures
What actions should your organization take to prevent this type of impact? Here are some pragmatic steps to consider when establishing your supply chain relationship:
1. Understand and Quantify Your Software Supply Chain Risk
Maintaining a comprehensive inventory of all software components and their dependencies is crucial for an organization. It’s essential to understand the entire supply chain, encompassing all third-party and open-source libraries.
Understand and Document
Start by understanding and documenting the ways in which third-party software is incorporated and utilized within your organization. Document all your third-party software providers and how each product supports your business. If you are developing in-house applications, it’s imperative to understand how and where your development and operations teams pull code, and to document how that software supports the business. For each software product, document how patches and updates are received and implemented.
Evaluate
After you’ve conducted a detailed inventory of all your third-party software, assess each product and conduct a “potential risk” analysis of the platform. The objective is to determine the various types of software supply chain failures that your organization could encounter while using the software. For optimal outcomes, it’s likely you’ll need to bring in an outside team for a comprehensive discussion on the topic. However, vendor software failures are generally categorized into areas such as functionality, performance, security, reliability, integration, usability, compliance, support, scalability, maintenance, compatibility and deployment.
Quantify Potential Impact of Failures
Lastly, begin quantifying the impact of a software supply chain failure on the business for each software product. If your organization is doing this for the first time, the key is to keep it simple and not let perfection hinder progress. However, keep in mind that nobody anticipated the extent to which a CrowdStrike update could impact desktop systems the way it did. Break the different failures into the following groups:
- <24-hour impact
- <5-day impact
- <30-day impact
- Time to replace impact (the amount of time it would take to remove the software from the environment and replace it with a comparable product)
Use this information to calculate a dollar valuation related to the total or partial downtime of the impacted business units. It could be beneficial to involve someone from your finance team to review and validate your assumptions.
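The grouping and dollar valuation described above, worked as a small risk register. This is an added example, not code from the article or from Cherry Bekaert; the software names, business units, hourly costs and outage estimates are constructed sample values, and capping the loss at the replacement time is an assumption of this example.

```python
"""Added example (not from the article): a small risk register that sorts each
failure scenario into the article's impact groups and turns downtime into a
dollar exposure. Software names, business units and costs are constructed."""
from dataclasses import dataclass

# The article's time-bounded impact groups, as upper bounds in hours.
BUCKETS = [("<24-hour impact", 24), ("<5-day impact", 5 * 24), ("<30-day impact", 30 * 24)]

@dataclass
class Software:
    name: str
    business_units: dict   # unit -> hourly cost (USD) while that unit cannot work
    replace_hours: float   # time to remove the software and stand up a comparable one

@dataclass
class FailureScenario:
    software: str
    category: str          # one of the article's failure areas, e.g. "reliability"
    outage_hours: float    # expected downtime caused by this failure
    partial_factor: float = 1.0  # 1.0 = total downtime, 0.5 = unit half-productive

def impact_bucket(outage_hours: float, replace_hours: float) -> str:
    """Map a downtime estimate to an impact group; anything that outlasts the
    replacement time (or 30 days) is 'Time to replace impact'."""
    if outage_hours >= replace_hours:
        return "Time to replace impact"
    for label, limit in BUCKETS:
        if outage_hours < limit:
            return label
    return "Time to replace impact"

def dollar_exposure(sw: Software, sc: FailureScenario) -> float:
    """Downtime cost summed over every business unit the software supports,
    capped at the replacement time because the product is gone after that."""
    hours = min(sc.outage_hours, sw.replace_hours)
    return sum(cost * hours * sc.partial_factor for cost in sw.business_units.values())

def risk_register(inventory: list, scenarios: list) -> list:
    """One row per scenario: (software, category, bucket, exposure_usd), worst first."""
    by_name = {sw.name: sw for sw in inventory}
    rows = [(sc.software, sc.category,
             impact_bucket(sc.outage_hours, by_name[sc.software].replace_hours),
             round(dollar_exposure(by_name[sc.software], sc), 2)) for sc in scenarios]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample inventory and scenarios (not real vendors or figures).
INVENTORY = [Software("EndpointAgent", {"Sales": 4000, "Support": 2500}, 30 * 24),
             Software("LedgerSaaS", {"Finance": 6000}, 90 * 24)]
SCENARIOS = [FailureScenario("EndpointAgent", "reliability", 36),  # bad update bricks laptops
             FailureScenario("LedgerSaaS", "security", 8, partial_factor=0.5)]
```

Calling risk_register(INVENTORY, SCENARIOS) ranks the 36-hour endpoint agent failure (a "<5-day impact" worth 234,000 USD across two units) above the half-day, half-productivity ledger outage, which is the ordering a finance reviewer would want to validate.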
2. Implement Risk Mitigation Steps
At this point, your organization should have a more transparent understanding of your software supply chain and the potential risks associated with its failure. Now it’s time to act and respond. Typically, risk responses follow one of three pathways:
- Risk Avoidance: Eliminate the conditions that enable the risk to occur. For instance, after examining the process of in-house software creation and deployment, the organization may decide to prohibit developers from using publicly accessible code snippets found online and ensure that all code is truly developed in-house. Policies would be established to enforce this practice and, if deemed appropriate, thorough code review procedures would be introduced for all third-party software, including the use of static and dynamic code analysis tools to identify potential vulnerabilities or harmful code.
- Risk Reduction or Mitigation: Minimize the chances of the risk occurring or the severity of its impact. This can involve preventative and readiness measures. For instance, the organization may be using a third-party virus protection application deployed to all servers and laptops. If the organization became concerned about the code quality provided by the vendor, it could disable automatic updates at the server and laptop level and instead roll each change out first to test environments, or through a scaled release strategy, so that issues are detected before the update is deployed across the entire environment.
- Risk Sharing or Transfer: Shift the risk or its outcomes to a third party, such as a subcontractor or insurance company. The important part of this task is to document which actions will be taken for each risk, ensure that the organization’s leadership agrees, and implement them as planned.
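The scaled release strategy described under Risk Reduction, shown as a ring-based promotion gate: an update moves to the next, larger group of hosts only after the previous ring stays healthy for a soak period and under a crash-rate threshold. This is an added example, not code from the article or from any vendor; the ring names, host counts, thresholds and the telemetry returned by `fake_telemetry` are constructed values.

```python
"""Added example (not from the article): a ring-based promotion gate that models
the 'disable automatic updates and stage the change through test environments'
mitigation. Ring names, host counts and the telemetry are constructed values."""
from dataclasses import dataclass

# Promotion order; each ring must pass its health gate before the next is touched.
RINGS = [("lab", 10), ("it-pilot", 50), ("canary-5pct", 500), ("fleet", 9440)]
MAX_CRASH_RATE = 0.01   # halt if more than 1% of a ring's hosts crash after the update
SOAK_HOURS = 24         # a ring must stay healthy this long before promotion

@dataclass
class RingResult:
    ring: str
    hosts: int
    crashed: int
    soaked_hours: float

    @property
    def crash_rate(self) -> float:
        return self.crashed / self.hosts if self.hosts else 0.0

def gate_passes(r: RingResult) -> bool:
    """Promotable only if the crash rate is under threshold AND the soak time elapsed."""
    return r.crash_rate <= MAX_CRASH_RATE and r.soaked_hours >= SOAK_HOURS

def staged_rollout(version: str, observe) -> dict:
    """Push `version` ring by ring. `observe(ring, hosts, version)` returns a RingResult
    built from telemetry. Stops at the first ring that fails its gate and reports how
    many hosts were never touched because promotion halted."""
    deployed, halted_at = [], None
    for ring, hosts in RINGS:
        result = observe(ring, hosts, version)
        deployed.append(ring)
        if not gate_passes(result):
            halted_at = (ring, round(result.crash_rate, 4))
            break
    spared = sum(h for r, h in RINGS if r not in deployed)
    return {"version": version, "deployed": deployed,
            "halted_at": halted_at, "hosts_spared": spared}

# Constructed telemetry: the bad build passes the lab but crashes 3 of 50 pilot hosts,
# which is the case a lab-only test would have missed; the good build is clean everywhere.
def fake_telemetry(ring: str, hosts: int, version: str) -> RingResult:
    crashed = 3 if (version == "build-bad" and ring == "it-pilot") else 0
    return RingResult(ring, hosts, crashed, soaked_hours=SOAK_HOURS)

if __name__ == "__main__":
    print(staged_rollout("build-bad", fake_telemetry))   # halts at it-pilot
    print(staged_rollout("build-good", fake_telemetry))  # reaches the full fleet
```

In the constructed bad-build case the gate stops promotion at the 50-host pilot ring, so the 9,940 hosts in the canary and fleet rings never receive the update; a fleet-wide automatic update would have pushed it to all of them.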
Common Responses to Software Risks
Here is a list of common responses we see our clients utilize when mitigating software supply chain risks:
- Vendor and Software Component Validation: Evaluate all your third-party vendors and software components prior to their integration into your systems. This involves assessing their security practices, performing routine audits, and validating their code and processes.
- Code Review and Integrity Checks: As in the example above, enforce stringent code review protocols for all third-party software.
- Continuous Monitoring and Threat Intelligence: Establish continuous monitoring of the software supply chain for any indications of breach or emerging threats. Leverage threat intelligence sources to stay informed of new vulnerabilities and attack methods that could affect the supply chain.
- Secure Software Development Lifecycle (SDLC): Incorporate security measures into every phase of the software development lifecycle. This encompasses secure coding techniques, frequent security testing, and integrating feedback from security reviews into the development workflow.
- Incident Response and Recovery Planning: Develop and regularly update an incident response plan specifically tailored to supply chain incidents. Ensure that there are clear protocols for detecting, responding to, and recovering from supply chain compromises. Conduct regular drills to test the effectiveness of the plan.
- Access Control and Least Privilege: Enforce strict access controls and adhere to the principle of least privilege for all systems and components within the supply chain.
- Contractual Security Requirements: Include specific security requirements and compliance obligations in contracts with third-party vendors. Ensure that vendors are contractually obligated to follow the best security practices and report any security incidents promptly.
- Supply Chain Risk Assessments and Audits: Carry out regular risk assessments and audits of the supply chain to pinpoint potential vulnerabilities and areas for improvement. Utilize these evaluations to update risk management tactics and boost overall security stance.
3. Develop Software Supply Chain Incident Response Plans and Perform Tabletop Exercises
As an important best practice, organizations should develop a cybersecurity incident response plan and include scenarios specifically tailored to software supply chain incidents. Be sure that there are clear protocols for detecting, responding to, and recovering from supply chain compromises. The organization should test the assumptions documented above and revise them regularly. The most effective and efficient way to test incident response is through tabletop exercises (TTXs) focused on how the company would respond to a cybersecurity incident, and in this case, how it would respond to a software supply chain failure. TTXs are best led by an independent, experienced third party that can provide recommendations for improvement and help management refine its assumptions around a model for a software supply chain failure.
Understanding Regulatory Compliance Requirements and Standards
Many organizations we work with have chosen to be, or are required to be, compliant with any number of cybersecurity standards and guidelines, such as the Federal Risk and Authorization Management Program (FedRAMP), Cybersecurity Maturity Model Certification (CMMC) and HITRUST. These can be helpful to many organizations as they focus on managing software supply chain risks. Here are some key National Institute of Standards and Technology (NIST) publications that address software supply chain risks and that your organization may be required to comply with:
- NIST SP 800-161 Rev. 1: Supply Chain Risk Management Practices for Federal Information Systems and Organizations provides guidance on identifying, assessing, and mitigating supply chain risks throughout the lifecycle of information systems. It focuses on incorporating supply chain risk management (SCRM) practices into organizational risk management processes.
- NIST SP 800-171 Rev. 3: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations includes requirements for protecting controlled unclassified information (CUI) that can help mitigate risks in the supply chain. It covers aspects like access control, incident response, and system and information integrity.
- NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations is a comprehensive set of security and privacy controls, including specific controls related to supply chain risk management. It emphasizes the importance of addressing supply chain risks as part of an overall security and privacy program.
- NISTIR 8276: Key Practices in Cyber Supply Chain Risk Management (C-SCRM): Observations from Industry highlights key practices in cyber supply chain risk management observed across industry. It offers insights and recommendations for organizations to strengthen their supply chain security posture.
These standards and guidelines collectively help organizations identify, assess and mitigate risks associated with their software supply chains. They provide a structured approach to implementing effective supply chain risk management practices.
Unlock Secure Insights Into Your Microsoft Azure Environment To Mitigate Risks
In the aftermath of the CrowdStrike outage, Microsoft issued fixes and instructions for recovering affected systems; however, the third-party vendor is not the only source of support. Cherry Bekaert is a Microsoft partner, and our professionals can step in to help alleviate IT outages like the one caused by CrowdStrike by offering a range of solutions and services aimed at enhancing system resilience, security, and overall IT infrastructure management. Here are some ways we can assist:
- Cloud Solutions: Enable your organization to migrate your workloads to Azure, establishing high availability and disaster recovery through Azure’s multiple data centers and redundancy features
- Advanced Security Protocols: Utilize Microsoft’s security solutions such as Microsoft Defender for end users to better detect and respond to potential threats
- Azure Backup and Site Recovery: Securely back up your data and quickly restore it in the event of an outage or data loss
- Compliance: Conduct frequent security and compliance assessments to identify vulnerabilities
- Training and Awareness: Establish customized training on best practices for maintaining system resilience and security
By leveraging these Microsoft recovery solutions, organizations can rapidly recover from outages, maintain data integrity and enhance overall system resilience to prevent future disruptions.
Conclusion
The recent CrowdStrike failure serves as a major reminder of the potential consequences of a security breach or outage. So, what’s next for companies that are concerned about a future breach or outage? It is crucial to start asking the right questions, understanding potential threats, and developing a contingency plan. Implementing strong risk management and IT practices is essential for companies concerned about supply chain cyber risk. The good news is that the strategies provided in this article offer companies a way to mitigate their cyber risk and maintain business continuity in the face of potential disruption.
How Cherry Bekaert Can Help
Third-party risk management (TPRM) is a critical component of any cyber, IT and risk management program. Cherry Bekaert’s Information Assurance & Cybersecurity and Managed IT Services practices can guide organizations through comprehensive TPRM programs, risk assessments, internal controls evaluations, IT infrastructure assessments, cyber and incident response plans to enhance their third-party management program and mitigate risks sustainably and effectively.
To discuss how Cherry Bekaert can help you assess and improve your TPRM posture or your cyber and IT security programs, please contact our cyber and IT security practices today or reach out to your Cherry Bekaert advisor.