The post Hybrid Work Model and a Digital-first Economy Raise the Stakes on Cybersecurity appeared first on CISO MAG | Cyber Security Magazine.
By Kartik Shahani, Country Manager, Tenable India
With employees splitting time between the office and offsite locations, it will become even more challenging for organizations to protect enterprise data as employees connect to public Wi-Fi at the local coffee shop, and access enterprise information on their mobile devices while commuting. These changing conditions will require organizations to take a much more adaptive approach to evaluate how users are configured and managed.
What’s more, over the next two years, organizations in India are enhancing their digital platforms (63%), moving non-critical business functions to the cloud (62%), and expanding the software supply chain (49%) to ensure employees have the right tech stacks to work efficiently in a hybrid environment.
Fast-paced digitization certainly facilitated business continuity, but it also increased the number of cyberattacks. In India, an average of 27,966 records were breached between May 2020 and March 2021. Organizations with hybrid work models took an average of 271 days to identify a data breach, 63 days longer than organizations whose workforce operated within a traditional office perimeter.
It’s therefore evident that changes are taking place at light speed but security leaders in India are unprepared to secure workforce strategies. This is a clear sign that tech adoption to facilitate a hybrid work model is outpacing the speed of security in India.
So, what can organizations do?
The hybrid work model has scattered the corporate network across numerous devices, cloud services, and on-premises systems. Organizations cannot rely on yesterday's perimeter-based tools to secure this new reality. Instead, they must adopt a zero-trust model in which no user or device is trusted by default and every access request is validated. Zero trust is built on cyber best practices and sound cyber hygiene: vulnerability management, proactive patching, and continuous monitoring. Identifying every user and every asset on the network, across IT, OT, and IoT, provides full visibility into the attack surface. Once security teams know how data flows within the organization, identifying the critical assets that need to be secured becomes easier. Limiting access to those assets reduces the available attack paths and makes it easier to monitor the attack surface, identify endpoint vulnerabilities, and patch them regularly.
To prevent another SolarWinds-style incident, organizations need to consistently evaluate third-party and contractor access to enterprise data and scan for unmanaged assets, so that an attacker who arrives through a supplier can be detected and stopped.
The future of work is without perimeters and organizations must be prepared to secure their new reality. Also importantly, organizations must ensure that the lessons learned from the past 18 months are reflected in their disaster response and business continuity plans for the future.
About the Author
Kartik Shahani is the Country Manager for Tenable in India. Based in Mumbai, India, Shahani has over 30 years of experience in the IT industry, driving momentum for enterprises. He spearheads initiatives for Tenable in the enterprise security market, manages operations, and continues efforts towards channel activities in India.
He has extensive experience in the telecommunications, finance, and government sectors. Along with his innovative sales strategies, he is instrumental in driving growth in India. Shahani previously worked in RSA Security, a division of Dell EMC, where he was Director for Channel in the Asia Pacific and Japan. Prior to this, he was the Executive Director of Integrated Security for India and South Asia at IBM.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
The post Beyond Supply Chain Attacks and Ransomware appeared first on CISO MAG | Cyber Security Magazine.
By Shmulik Yehezkel, Chief Critical Cyber Operations Officer at CYE
Supply chain attacks were up more than sixfold in the first nine months of the year alone, according to a report from software supply chain management company Sonatype. These attacks, including the high-profile SolarWinds incident of late 2020 whose fallout continues to expand, are extremely dangerous because once a hacker gains access to a significant software supplier, they can also sometimes reach the data and code of their subscribers and customers. This provides multiple routes to new targets, including those that were once considered well-protected. Another advantage for attackers is deniability, as they can use the supply-chain company as a proxy for another target.
As cyberattacks grew increasingly severe in 2021, they also became harder to trace back to the parties carrying them out. Ironically, this is because more hackers, including state-backed actors, now use open-source tools that are publicly available, from what we at CYE have seen mainly on GitHub. This helps cover their tracks, gives them a wide range of deniability, and makes it more difficult to target them with counterattacks or other forms of retaliation. The anonymous nature of the attacks also allows those who carry them out to avoid dealing with the fallout, such as being held responsible for financial damage or for human death or injury.
Although it may sound surprising, most of the cyberattacks we have seen during the past year were not highly sophisticated technically; this is true of both ordinary cybercriminals and state-level actors. Time and again, we saw them use publicly available tools to exploit known vulnerabilities, as this not only saves them time and money but also gives them the cover of deniability. And although we do see growing use of the much-feared zero-day exploits, these are still mainly limited to high-level state actors and superpowers.
Going into the next year, we expect the continued growth of supply chain attacks, mainly with commercially-available tools. But hackers will also take things to the next level with what we are calling attacks on “hub-companies.” Hub companies are those with extensive digital connections to suppliers as well as customers. These companies can be average-seeming organizations, as well as insurance companies, credit clearing companies, and SaaS providers. These companies provide links to potentially more valuable suppliers and large customers. In addition to directly getting into the networks of these higher-value targets, like banks or weapons companies, hackers can find in the hub company valuable intelligence and information, like how a supplier interacts with a vendor, for creating effective phishing campaigns. This emerging hub attack is on track to become a preferred method of attack, simply because it is an efficient way to carry out attacks with far-reaching consequences, and provides easier avenues to bigger more well-protected targets.
We also see change on the horizon for nation-state-backed attacks. These attacks have been on the rise in their number and in their success rates over the last year. But going forward, they will become more ambitious.
Today, the industry classifies attacks into categories: CNE, computer network exploitation (espionage); CNI, computer network influence; and CNA, computer network attack. In the coming year, we are going to see more and more state-level actors carrying out what we call CN-ALL attacks, in which a state-level actor combines all of the cyber warfare elements: espionage, influence, and disabling systems. These attacks will be particularly challenging because they require a simultaneous response on several fronts. CISOs need to be prepared to deal with the technical aspects of recovering data and accessing backup systems while also dealing with law enforcement and legal teams, addressing the media, and, when needed, informing regulators.
In addition, as we saw with the attack last December on Israeli insurance firm Shirbit, widely attributed to Iran, not all the consequences are clear at once. CN-ALL attacks will be about the attacker choosing when, where, and why to execute each phase of the attack. The consequence is that CISOs will have to keep in mind that even when an attack has been found, mitigated, and foiled, it might not be the end of it. In the Shirbit example, the initial part of the attack was the hackers demanding ransom and shutting down the company’s systems, making it unable to renew or issue policies and severely cutting into its business revenue. But later, it emerged that the attackers then actually sold customer data online, and, some experts say, had an overall goal of humiliating Israel and ruining its reputation as a technology powerhouse. This mix of financial and political goals, or disguising political motives as financial ones, is something we will, unfortunately, see more of this coming year.
The growth in these types of attacks will require companies to rely on cybersecurity teams made up of professionals with hands-on experience in cyber warfare at the state level, in places like the government, military, and intelligence services, who really understand and have experienced interactions with state-backed hacking groups. We call them ACTs, Advanced Cyber Talents. On a more mundane note, because the stakes of attacks are getting bigger, it remains more important than ever to make sure all employees understand the value of strong passwords, learn how to recognize phishing attempts, and use multi-factor authentication. While sloppiness in these areas has long allowed bad actors to reach sensitive and valuable data, now, with the growth of hub and CN-ALL attacks, this human factor can result not only in severe damage to their own organization but potentially to thousands of others. In addition, from now on, every company, regardless of size, domain, or region of activity, should be aware that it might be a target for cybercrime as well as for state-level cyberattacks with a variety of purposes and goals. No one is immune.
About the Author
After more than 25 years in the military and the Israeli defense special forces, Shmulik joined the CYE team as Chief Critical Cyber Operations Officer & CISO. Shmulik leads the Critical Cyber Operations division (C2OPS), which is responsible for CYE's operational activities and is composed of four main centers: digital forensics and incident response (DFIR), threat hunting and cyber threat intelligence (CTI), advanced cyber architecture and engineering, and the VIP security center. Shmulik is a software engineer and cyber security professional with extensive strategic and hands-on experience. Shmulik brings years' worth of experience leading cyber operations, cyber R&D, information security, and risk management in the Israel Defense Forces, the Ministry of Defense, and the Office of the Prime Minister of Israel.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
The post 3 Steps Businesses Can Take to Protect Themselves From Software Supply Chain Attacks appeared first on CISO MAG | Cyber Security Magazine.
By Nick Caley, VP of UK and Ireland, ForgeRock
There is no doubt that protecting technology supply chains is now a hot-button issue for companies and governments alike. With one well-placed piece of malicious code, an apparently trusted piece of software can turn into the cyber equivalent of a WMD, allowing attackers to hijack a supplier's distribution channel and deliver a trojan horse to every one of its customers.
With all this attention on the issue, you could be forgiven for thinking this was a new problem. It’s not. Experts have been warning about the threat of these attacks for years.
However, the threat has certainly evolved, thanks in part to the acceleration in digital transformation triggered by the pandemic. In 2021, demand for open-source "supply" increased by 73%, with developers downloading more than 2.2 trillion open-source packages during the year.
As uptake has grown, so has the threat to businesses. For example, attackers have begun planting malicious code further upstream, in the open-source projects and package registries themselves, so that a single compromise propagates to every downstream consumer of that code.
Major attacks like SolarWinds and Kaseya have certainly focused minds and moved the issue up the agenda for many business leaders and policymakers.
But governments aren’t acting quickly enough. The US and UK have either only begun or are midway through processes to formulate concrete guidance for companies to deal with the evolving threat. With only 12% of U.K. businesses having reviewed the cybersecurity risks posed by third-party software suppliers in the last year, the need for clear direction has never been more urgent.
It’s time for businesses to take the matter into their own hands. Here are the three steps to building a real cyber defense against supply chain threats.
In the aftermath of the SolarWinds attack which affected multiple federal US agencies, including the National Nuclear Security Administration, the Biden administration enacted its cybersecurity executive order.
One of the key recommendations from this order was a process for new minimum security standards for any company that wants to sell software to federal agencies. The process is expected to conclude by May 2022 and is anchored by the National Institute of Standards and Technology (NIST), a globally recognized standard-setting body under the U.S. Department of Commerce.
While this process won't conclude until next year, NIST has already published a widely recognized framework, the Secure Software Development Framework (SSDF), that compiles industry standards and best practices for secure software development.
The new process will be additive to these guidelines but, in the interim, this framework is what companies should use as the basis for their own responses. Essentially, it helps engrain best practices and procedures to secure software development covering people, processes, and projects to identify vulnerabilities, understand risks, and quickly integrate lessons learned.
It is crucial that businesses build trust both internally and externally, with suppliers, customers, and partners. Adopting a common security framework will lay the foundations for strong cybersecurity defense.
According to Gartner, 60% of organizations are now working with more than 1,000 third parties and 71% of organizations reported working with more organizations than they did before. This number is expected to grow even more in the coming years, underscoring how vast and sprawling software supply chains have become.
To manage this growth businesses need to monitor their third-party network by establishing internal triggers that signal when there is a change in an external relationship. As third-party relationships change, leaders must ensure that firstly the risks are mitigated and secondly the relationships are re-evaluated.
By filtering the pool of external suppliers a company works with, it can streamline the points of contact throughout the digital supply chain, and minimize potential points of ingress for cyberattackers.
Additionally, focusing on a smaller network of suppliers whose processes they trust and understand, will allow a company to review supply chain security more regularly and easily as opposed to, say, just the onboarding and recertification phases.
Often when it comes to software supply chain security, less is more.
Lastly, it’s important to remember that your software systems are only as secure as the access tools you use. Understanding who or what needs access, and under what conditions, is critical to securing internal systems and preventing software supply chain attacks from occurring. The rise of a remote workforce has increased demand for access to new cloud applications, services, and IoT, it is, therefore, crucial that businesses have an identity governance solution that is fit for purpose.
Adding automation to make sure your identity and access management systems are always kept up to date with other changes throughout the business can make a huge difference. Digital supply chains inevitably grow and change as partners and suppliers enter and exit the supply chain. If you are relying on manually managing access requests to reflect these changes, then you are leaving your business exposed to risk through human error. IT and security teams are already stretched, creating conditions where potentially risky entitlements and access requests can slip through the cracks.
This can compound as well and lead to ‘entitlement creep’ across the supply chain as access and roles accumulate within a system, expanding the potential footprint for attackers. Instead, businesses need to harness the ability of AI-powered identity governance solutions. By automating access approvals, AI enables IT and security teams to identify access risks and provide actionable insights to help accelerate the removal of overprivileged accounts while allowing teams to focus on high-risk situations.
Protecting businesses from crippling software supply chain attacks is now a priority for the whole of the economy. These attacks are so dangerous because they can cause damage far beyond a traditional breach: a compromised supply chain risks exposing thousands of other companies and public sector organizations.
There no longer needs to be a compromise made between user productivity, experience, and robust levels of security. By streamlining their supply chains, implementing secure-by-design software development, and adopting a modern, AI-powered identity governance solution, businesses can take a risk-informed approach and protect themselves while also protecting society at large.
About the Author
Nick Caley is Vice President of UK and Ireland at ForgeRock and is responsible for advising global clients in industry and government on security strategy and digital transformation focused on hybrid data architectures and data-driven business models.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
The post Three Lessons CISOs Can Learn from the SolarWinds Cyberattack appeared first on CISO MAG | Cyber Security Magazine.
By Dick Bussiere, Technical Director, APAC, Tenable
The SolarWinds breach is a stark reminder of how a single, seemingly unconnected compromise of a trusted third-party supplier can introduce malicious code directly into unrelated, separate infrastructures. Yet supply-chain security is often overlooked among Indian organizations, largely because the financial and technical capabilities of service providers and subcontractors often don't match those of their clients. This is evident in a PwC report, which revealed that 76% of Indian organizations did not allocate adequate funds for cybersecurity in their budgets.
The writing is on the wall: if supply-chain security is not part of the cybersecurity plan, organizations in India are at risk of being breached. So, what lessons can CISOs learn from the SolarWinds incident to change the way they secure and manage their supply-chain infrastructure?
Continuous visibility: With interconnected networks, software systems, and subsystems being supplied by third parties, an organization’s infrastructure becomes intimately intertwined with that of its suppliers. This makes understanding how an attack against a supplier could impact your organization a critical part of maintaining cybersecurity. The solution to gaining this understanding is to have continuous monitoring and threat intelligence relating to the full supply chain, and risk-based vulnerability management.
Inventory management: An organization may have numerous third parties in the supply chain and knowing whether its vendors maintain optimal cyber hygiene can be important in identifying the threat landscape. Here are some fundamental questions CISOs need to ask:
Zero trust model: The thought that a legitimate, vendor-issued update can be subverted is concerning. This was evident in the SolarWinds breach, where the attackers tampered with the build deep inside the software development pipeline, so the malicious code shipped signed with the vendor's valid certificate, which customers trusted. From a risk management point of view, a zero-trust approach is therefore important: assume that any system in an organization's infrastructure, including a trusted supplier's software, can become rogue overnight. A baseline that includes an accurate asset inventory and an understanding of business processes, traffic flows, and dependency mappings is essential to establishing where trust relationships exist and where a zero trust model should be implemented.
Minimize access to sensitive data: After breaching a defense, the first thing cyberattackers do is to move laterally and look for privileged accounts. This is because privileged accounts have access to sensitive information. The more privileged access roles there are, the larger the attack surface, so such accounts need to be kept to a minimum.
It is important to identify who has access to privileged accounts and to audit the appropriate level of privilege for each role within the organization. Implementing identity and access management with least privilege, and encrypting sensitive data at rest and in transit, makes it much harder for attackers who arrive through a supply-chain compromise to escalate, move laterally, and establish persistent backdoors.
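The access audit described in the two paragraphs above (and the "entitlement creep" review that the ForgeRock piece earlier on this page argues should be automated) can be expressed as a small script. The following is an added example, not code from Tenable, ForgeRock, or the authors: it runs over a constructed identity inventory, compares each identity's entitlements with a hypothetical per-role baseline, and flags creep, stale privileged entitlements, privileged access without MFA, and third-party identities whose contract has ended but who still hold (or are still using) access. The role names, entitlement strings, and the 90-day staleness threshold are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical per-role baseline: the entitlements each role is expected to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "sre": {"repo:read", "prod:ssh", "prod:deploy"},
    "vendor-support": {"ticketing:read", "ticketing:write"},
}

# Entitlements treated as privileged and therefore subject to the strictest review.
PRIVILEGED: Set[str] = {"prod:ssh", "prod:deploy", "iam:admin", "db:admin"}


@dataclass
class Identity:
    name: str
    role: str
    entitlements: Set[str]
    third_party: bool = False
    contract_end: Optional[date] = None                        # third parties only
    mfa: bool = True
    last_used: Dict[str, date] = field(default_factory=dict)   # entitlement -> last use


def audit(identities: List[Identity], today: date,
          stale_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return sorted (identity, finding, detail) triples for an access review."""
    findings: List[Tuple[str, str, str]] = []
    for ident in identities:
        baseline = ROLE_BASELINE.get(ident.role, set())
        privileged = ident.entitlements & PRIVILEGED

        # 1. Entitlement creep: anything beyond what the role is expected to hold.
        for ent in sorted(ident.entitlements - baseline):
            findings.append((ident.name, "entitlement_creep", ent))

        # 2. Privileged entitlements that are never or no longer used.
        for ent in sorted(privileged):
            used = ident.last_used.get(ent)
            if used is None or (today - used) > timedelta(days=stale_days):
                findings.append((ident.name, "stale_privilege", ent))

        # 3. Privileged access without MFA.
        if privileged and not ident.mfa:
            findings.append((ident.name, "privileged_no_mfa", ", ".join(sorted(privileged))))

        # 4. Third party whose engagement ended but whose access was never revoked.
        if ident.third_party and ident.contract_end and ident.contract_end < today:
            findings.append((ident.name, "expired_contract", ident.contract_end.isoformat()))
            # Use after the contract end is the signal worth escalating immediately.
            for ent, used in sorted(ident.last_used.items()):
                if used > ident.contract_end:
                    findings.append((ident.name, "used_after_contract_end",
                                     f"{ent} on {used.isoformat()}"))
    return sorted(findings)


# Constructed sample inventory (not real data).
SAMPLE: List[Identity] = [
    Identity("alice", "developer", {"repo:read", "repo:write", "ci:run"},
             last_used={"repo:write": date(2021, 12, 14)}),
    Identity("bob", "sre", {"repo:read", "prod:ssh", "prod:deploy", "iam:admin"}, mfa=False,
             last_used={"prod:ssh": date(2021, 12, 10), "prod:deploy": date(2021, 12, 1),
                        "iam:admin": date(2021, 6, 1)}),
    Identity("acme-support", "vendor-support",
             {"ticketing:read", "ticketing:write", "db:admin"},
             third_party=True, contract_end=date(2021, 10, 31),
             last_used={"db:admin": date(2021, 12, 1), "ticketing:read": date(2021, 10, 20)}),
]
TODAY = date(2021, 12, 15)


def sample_findings() -> List[Tuple[str, str, str]]:
    return audit(SAMPLE, TODAY)


if __name__ == "__main__":
    for name, kind, detail in sample_findings():
        print(f"{name:<14} {kind:<24} {detail}")
```

Run against a real IGA or IdP export, the interesting output is the last category: a contractor account still being used after the engagement ended is either a process failure or an attacker using credentials nobody is watching, and in both cases it is the finding to chase first.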
There is no doubt that a cyberattack on a third-party vendor creates cyber, operational, compliance, and reputational risks for every organization the vendor works with. It can also have short-term and long-term impacts that could take months and sometimes years to resolve, resulting in financial loss. The ripple effects of SolarWinds are a painful example of how crucial it is for organizations in India to prioritize third-party security.
About the Author
Dick Bussiere is the Technical Lead for APAC at Tenable. Based in Singapore, Bussiere is responsible for evangelizing the criticality of cyber hygiene and vulnerability management as a continuous process to enhance an organization’s security posture.
Bussiere is also responsible for Tenable’s operational technology offering in the region, consulting with operators of critical infrastructure on how to bolster their defensive position.
Bussiere is the holder of five patents related to networking and network security. He’s also an active participant in the Institute of Electrical and Electronics Engineers and Internet Engineering Task Force working groups.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
The post Supply Chain Security – A CISO Point of View appeared first on CISO MAG | Cyber Security Magazine.
By Kevin Reed, CISO at Acronis
I am not alone in this and there were a few takes on how one could guarantee the security of their suppliers. I think you cannot. Or, more specifically, it’s prohibitively expensive and unless you are a government organization, you cannot afford this. Here, I should highlight that there are reports of the U.S. Treasury (https://www.reuters.com/article/us-global-cyber-usa-idUSKBN28Y09L) and Department of Homeland Security (https://apnews.com/article/solarwinds-hack-email-top-dhs-officials-8bcd4a4eb3be1f8f98244766bae70395) being affected by the SolarWinds attack among others, so, apparently, even they failed at solving this problem.
Current approaches to supply chain security mostly boil down to two methods: questionnaires and third-party scans and evaluations.
In my experience, filling in generic questionnaires is mostly a waste of time, for multiple reasons. First, your supplier may not even know the answers to some of the questions. For example, according to IBM (https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/), it takes 280 days on average to identify and contain a data breach, more than 200 of them just to identify it. This means a request to "indicate data breaches that took place over the last 12 months" may make no sense at all, because the organization has yet to discover them.
Second, your questionnaires may not expose the full picture: indeed, to ask the right question, one needs to know half of the answer. I am not saying your suppliers will intentionally hide facts from you or openly lie in their answers; however, some may exaggerate a little, and others can exaggerate more. For instance, there was a supplier who claimed to have "robust and comprehensive security policies in place", which turned out to be a page or two in the employee handbook. Although that is still better than nothing, it's quite a stretch from "comprehensive." Worst of all, often you cannot validate some of the answers; you simply have to believe what was claimed.
Another approach is to outsource risk evaluation to a third party, in the form of technical vulnerability scans or compliance-style reports such as SOC 2. SOC 2 report quality depends largely on the auditor's professionalism and willingness to present an independent and honest opinion. We know that auditors are supposed to do so, but we also know about the role of Arthur Andersen in the Enron and WorldCom scandals. Of course, I am not saying every auditor is dishonest; however, bear in mind that the party paying for the audit is the auditor's customer, and unless you are the one paying, that party is your vendor, not you. Also, experience tells me that the quality of reports produced by larger auditors is often worse than that of smaller companies specializing in cybersecurity and cyber risk management.
Third-party security scans are slightly better, but not by much. Again, from my experience, they are vulnerable to what's called the "streetlight effect": they look for what is easy to find, not for what matters. For example, TLS misconfigurations on public servers are easy to test for; as a result, such reports are often filled with warnings about how dangerous it is to have a 3DES cipher suite enabled on a Web site. While 3DES is a legacy algorithm, there are no practical attacks on the algorithm itself, and SWEET32, which needs tens of gigabytes or more of traffic captured from a single long-lived connection, is not a realistic threat for a typical Web site. At the same time, such third-party scans are completely blind to a 20-year-old, never-updated Linux box on the internal network that could be compromised with an off-the-shelf exploit by a script kiddie. They are blind to SQL injection and other kinds of attacks on custom Web applications, which are relatively easy to find with semi-manual analysis but hard to scan for automatically.
As a result, a company may focus on looking good on those scan reports instead of the underlying security issues. In a way, this is similar to a “compliance-driven security” phenomenon, where organizations are so focused on filling in the checkboxes, they miss the real security issues. An example would be Target’s data breach: Target was PCI DSS certified, yet cybercriminals managed to hijack its payment terminals at some 1800 stores and steal at least 40 million credit cards. I believe we will see companies with excellent third-party ratings successfully hacked.
So, are we doomed? How can you reliably validate the security of your supply chain?
Here are a few things to look at. There’s no guarantee, but they give me and my team more confidence than anything else.
Before you even start evaluating your vendor for security, consider the impact of their compromise on your company. You might not have the capacity to do a full risk assessment, but at least consider a worst-case scenario. What impact will there be, if the vendor’s systems were encrypted in a ransomware attack? How will you be affected if their source code was compromised and a Trojan horse was planted in their software? What will happen, if the vendor’s databases were compromised, data stolen, and/or sold? The answers will be different for a cloud provider where only your encrypted backups are stored versus a company you outsource your ERP or HR system to. Estimate your risk based on what this particular vendor does for you. Consider specific scenarios that are relevant to your relationships and work on them.
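The dependency mapping the Tenable piece above recommends ("where trust relationships exist") and the worst-case thinking in the paragraph above can be combined into one computation: a trust graph of suppliers and internal assets, and a breadth-first search from each vendor to find what its compromise would reach. The following is an added example, not part of the original article or of any Acronis tooling; the graph, the asset names, and the criticality weights are constructed for illustration. `vendor_risk` returns a score and the shortest trust path to each reachable asset, `rank_vendors` orders vendors by that score, and `choke_points` shows which single trust edge (a credential to revoke, a network segment to isolate) would shrink the blast radius the most.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed trust graph. An edge A -> B means "a compromise of A gives an attacker
# a path into B": A ships code that B runs, A holds credentials for B, A has network
# reach into B, and so on. Nothing here describes a real environment.
TRUST: Dict[str, Set[str]] = {
    "monitoring-vendor": {"ci-server", "prod-network"},   # agent installed everywhere
    "ci-server": {"artifact-repo", "prod-network"},
    "artifact-repo": {"prod-network"},
    "prod-network": {"customer-db", "erp"},
    "erp": {"finance-records"},
    "hr-saas": {"hr-records"},
    "backup-provider": set(),   # receives only client-side encrypted backups: no inbound trust
}

# Assumed business criticality per asset (unlisted assets count as 1).
CRITICALITY: Dict[str, int] = {
    "customer-db": 5, "finance-records": 4, "hr-records": 4,
    "prod-network": 3, "erp": 3, "ci-server": 2, "artifact-repo": 2,
}


def blast_radius(graph: Dict[str, Set[str]], start: str) -> Dict[str, List[str]]:
    """Breadth-first search: every asset reachable from `start`, with the shortest trust path."""
    paths: Dict[str, List[str]] = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    del paths[start]            # the vendor itself is the starting point, not an impact
    return paths


def vendor_risk(graph, criticality, vendor) -> Tuple[int, Dict[str, List[str]]]:
    """Score = sum of criticality over everything the vendor's compromise reaches."""
    reach = blast_radius(graph, vendor)
    return sum(criticality.get(asset, 1) for asset in reach), reach


def rank_vendors(graph, criticality, vendors) -> List[Tuple[int, str]]:
    """Vendors ordered by blast-radius score, highest first."""
    return sorted(((vendor_risk(graph, criticality, v)[0], v) for v in vendors), reverse=True)


def choke_points(graph, criticality, vendor) -> List[Tuple[int, str, str]]:
    """For each trust edge, how much removing it alone would cut the vendor's score."""
    base, _ = vendor_risk(graph, criticality, vendor)
    result = []
    for src, dsts in graph.items():
        for dst in sorted(dsts):
            pruned = {k: set(v) for k, v in graph.items()}   # copy, then cut one edge
            pruned[src].discard(dst)
            result.append((base - vendor_risk(pruned, criticality, vendor)[0], src, dst))
    return sorted(result, reverse=True)


if __name__ == "__main__":
    vendors = ["monitoring-vendor", "hr-saas", "backup-provider"]
    for score, vendor in rank_vendors(TRUST, CRITICALITY, vendors):
        print(f"{vendor:<18} score={score}")
        for asset, path in sorted(vendor_risk(TRUST, CRITICALITY, vendor)[1].items()):
            print("   ", " -> ".join(path))
    print("best single cut for monitoring-vendor:",
          choke_points(TRUST, CRITICALITY, "monitoring-vendor")[0])
```

The backup provider scores zero because the graph has no edge leading out of it, which matches the distinction drawn in the text between a provider that only stores your encrypted backups and one that runs your ERP; if the same provider also held the decryption keys or ran a management agent inside your network, the edge would exist and the score would change. The choke-point output is the practical payoff: it tells you which single trust relationship is worth the effort of segmenting or re-credentialing first.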
Next, you turn to the vendor. The first thing to look for is whether the company has dedicated and competent people focused on security. Do they have a security manager or maybe even a CISO? Not every company needs a CISO, small and medium businesses often don’t have an appointed CISO, and that’s fine. A CISO could be outsourced, that sometimes is fine, too. The important thing is, someone is responsible for the security and can respond to your questions if needed. Just don’t bother them with filling in questionnaires.
Now that you know your risks and who is responsible for eliminating them on the vendor’s side, ask them how they are doing it. This could be an email or a 30-minute meeting with a pre-arranged list of tailored questions, or both. What works for me is email, followed by any clarifications over a call, but it all depends on your and your vendor’s working styles, time zones, level of relationship, and risk.
By this point, you should have a basic risk assessment and risk mitigation plan. Now, you need to validate it.
Request evidence of what’s being claimed. I find pentest reports useful, not so much for their content as for the very fact that the company commissions them. Watch the pentest scope, and ideally request reports for two consecutive tests to verify that the company is acting on the findings.
If they are your software supplier, ask for an independent source code review. Those are expensive and not every company can afford them, but if they do, it’s a good sign. Also, not every company is willing to share the full report, often citing an NDA because of the source code snippets included in the report. A lot of legal formalities could be involved, so sometimes an executive summary might be enough. Again, consider your level of exposure and the risks you are taking. Another important sign for a software supplier or a cloud provider is whether they run a bug bounty program. Bug bounty programs are great because they can act as an external validation of the software quality. However, equally important is how fast the company is able to fix the findings. Prioritization, say, based on CVSS score or another established methodology, is a sign of a mature vulnerability management process. Public bug bounty programs are a sign of the company’s confidence in its ability to properly handle the reports, but private bug bounty programs have their advantages too, and they are perfectly acceptable, especially at the early stages.
For cloud providers, it may make sense to scan their networks, but take a few things into account first. Chances are you will not find anything that Shodan (a search engine for internet-connected devices) has not found already, so a Shodan search may suffice. Alternatively, you can ask them for a report of their own scans.
Scanning is not hard; setting the context is harder. Also, the very existence of such a report is an indication that they are managing their attack surface. If you still want to scan yourself, obtain permission from them and ask them to segregate customer addresses from their own; otherwise you will be scanning something irrelevant.
For non-cloud companies, scanning could be impractical, because much of their application estate will not be on their own networks but on those of the aforementioned cloud, SaaS, and PaaS providers. However, what is useful for almost any kind of company is to request their patching reports: again, the very existence of such a report is a sign they are managing vulnerabilities and have tooling in place to track them. Willingness to provide such a report shows confidence in their patching practices. Ideally, the report should be produced by an independent entity, but this is hard to obtain in real-life situations.
There: now you have your risks identified in relation to this particular vendor, you understand the treatment of those risks, and you have evidence that the necessary actions are actually taking place. You can take a picture of the situation and will know how to proceed from there.
How often should you repeat such an exercise? The common approach is to do this annually. However, it can depend on the risk and potential impact. For a low-impact vendor, you may do it less often; for one you depend on significantly, you may need to develop a permanent evaluation process. The tricky question is whether the vendor will be willing to invest their time in this. Does the cash flow justify their involvement? You may discover that your leverage against large SaaS and IaaS providers is literally none, so they will likely have a “take it or leave it” attitude. Luckily, these vendors can invest more in securing their networks and systems, and overall they are not necessarily the weakest link.
A few takeaways:
About the Author
Kevin Reed is the CISO at Acronis, a top global cyber-protection company. Reed has over 20 years in cybersecurity and has supervised the security strategies of leading world banks, a 10-billion NASDAQ-traded search engine, and more.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
The post Supply Chain Security – A CISO Point of View appeared first on CISO MAG | Cyber Security Magazine.
The post Your Road to CMMC can Begin by Putting the Right MSP Partner Behind the Wheel appeared first on CISO MAG | Cyber Security Magazine.
By Ryan Heidorn, Co-Founder and Managing Partner at Steel Root
The DoD released CMMC version 1.0 on January 31, 2020 in response to wide-scale compromise and exfiltration of defense information stored on contractor information systems. The security requirements in CMMC should sound familiar to companies in the defense industrial base – the requirement to protect the confidentiality of controlled unclassified information (CUI) has been in DoD contracts since 2017.
CMMC has five maturity levels which include (and add to) the 110 security requirements in NIST SP 800-171 already required under DFARS 252.204-7012. This is not a box-checking exercise: CMMC certification requires a third-party audit that measures the maturity of a company’s cybersecurity capabilities. Starting in Fall 2020, the DoD will begin a phased roll-out that will require companies to achieve CMMC certification in order to win new contracts.
How does a DoD contractor begin the process of assessing and implementing the practices and plans required to satisfy CMMC requirements? Large prime contractors are likely to have mature cybersecurity practices and the resources to prepare for CMMC without needing outside assistance.
But, according to the RAND Corporation’s 2020 report on Defense Industrial Base (DIB) cybersecurity, “it is estimated that 99% of the DIB is small business.” RAND defines small as less than $100 million in revenue with an average of just 11 FTE employees. Many of these businesses rely on Managed Service Providers (MSPs) to provide IT and cybersecurity services.
The RAND Report continues to say that “unclassified networks of small defense industrial base firms are at higher risk” than their larger peers. Specifically, these small DIB firms are more likely to be deficient in several key areas, including “user authentication, network defenses, vulnerability scanning, software patching, and security information and event management (SIEM), or cyberattack response.”
How should these companies, who may not be equipped to address their cybersecurity risks and requirements, prepare for CMMC? In a 2019 survey, the SANS Institute found that one-third of small business respondents are already outsourcing cybersecurity. For many companies in the DIB, working with a third-party services provider like an MSP is likely the most cost- and time-effective way to establish and manage cybersecurity capabilities.
With that as a backdrop, below are five questions to ask when selecting an MSP for CMMC:
Here’s a great starter question in your quest for a qualified MSP partner: Can the MSP achieve the CMMC certification level required to protect the networks and systems they manage for their DIB customers?
According to Wayne Boline, Board Director at the CMMC Accreditation Body, “Follow the data. The CMMC requirements will follow the flow of CUI – if you’re a small company that wins a contract requiring any level of CMMC certification and you use an MSP that hosts, processes, or can access CUI on your systems, the MSP will absolutely have to meet CMMC requirements to protect this data.”
Furthermore, will the MSP accept a DFARS 252.204-7012 flowdown? If the MSP is willing to accept a contractual obligation to the same safeguarding and reporting requirements for protecting CUI as the defense contractors they support, it’s a good indicator of the MSP’s readiness to support customer requirements under CMMC as well.
Another reason to expect the highest level of cybersecurity from your MSP partner: MSPs themselves are increasingly becoming a target of ransomware operations and other cybercrime activities. According to the Perch 2020 MSP Threat Report, “Last year [2019] saw threat actor groups shifting from enterprises to focus on Managed Service Providers…the world’s most sophisticated criminal groups are focusing their tradecraft and custom malware directly on MSPs.”
Ask how many of the MSP’s other customers are subject to DFARS, ITAR, or similar requirements today – and it’s always a good idea to request and check references. Determine whether the MSP has the consulting experience and compliance expertise required to lead your CMMC readiness efforts, or if they are simply looking to sell you a “stack” of software/services. If the MSP is not equipped to guide your full CMMC implementation (and, today, few are), who are the other partners they would leverage to help you prepare for audit and certification?
How confident is the MSP in the cybersecurity practices and processes they will implement and manage on your behalf? Be sure to work with an MSP that will stand by their work, and stand by you, providing audit support when it’s time to get certified.
For companies holding ITAR and EAR data, export control regulations require that anyone with access to such data be a U.S. Person. This could include the MSP’s employees, contractors, and cloud service providers. If the MSP employs non-U.S. Persons, find out how they are managing access to your network to prevent export control violations.
Ask plenty of technical questions about the MSP’s own systems and practices, particularly whether they conform to DFARS requirements. For example, if the MSP uses cloud-hosted or SaaS products to manage your network, those products should meet the FedRAMP Moderate baseline.
We’ll provide other technical questions you can use to vet an MSP’s cybersecurity maturity and CMMC readiness in a future article. But while we wait for further guidance from the DoD and the CMMC Accreditation Body, these five questions are a great place for a DoD contractor in need of assistance to confidently begin the search for a partner who can guide their journey to CMMC certification.
About the Author
Ryan Heidorn is a Co-Founder and Managing Partner at Steel Root, a cybersecurity services firm that specializes in compliance. Ryan teaches cybersecurity at Endicott College and serves on the Board of the National Defense Industrial Association (NDIA) New England chapter.
Disclaimer
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.