There’s a new spotlight in the cybersecurity world due to the recent SolarWinds/Orion compromise. For those unfamiliar, SolarWinds, a provider of IT management software, recently fell victim to a cyber attack within its Orion platform. The hack itself is nothing new, but the impact and publicity are more significant than ever before. At the very base level, the hack approach is simple and divided into three parts:
- Hack a software provider that has lots of customers.
- Insert some malicious code inside the software provider's application.
- Let the software provider send out the malicious code in the next update to all of their customers.
The hacker piggybacks on the solution provider's trusted customer relationships to infiltrate many thousands of systems. This trick isn’t new either; hackers have been doing it for decades. What has changed is the hack's timeline and scale, driven by automatic software updates and the global use of many applications.
This hack has spotlighted how organizations need to secure their supplier ecosystems, not just their own systems. It also puts a spotlight on solution providers, including software-as-a-service (SaaS) providers, and how they secure their software development lifecycle (a secure SDLC, or SSDLC) to prevent malicious code from being hidden in their software.
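To make the third step concrete from the defender's side, here is an added example (not from the article or from any vendor) of the gate a customer can put in front of automatic updates: a manifest signed by a pinned publisher key, and an artifact digest that must match it. The manifest format, product name and key handling are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the (hypothetical) metadata a provider publishes with an update:
// product, version and the expected SHA-256 of the artifact, all covered by the signature.
type Manifest struct {
	Product, Version, SHA256 string
}

// bytes is the canonical form the provider signs and the customer verifies.
func (m Manifest) bytes() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignManifest is the provider side, included only so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the customer-side gate: the manifest must verify against the pinned
// publisher key and the downloaded artifact must hash to the signed digest; either
// failure rejects the update before anything is installed.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, artifact []byte) error {
	if !ed25519.Verify(pinned, m.bytes(), sig) {
		return errors.New("manifest signature does not verify against pinned publisher key")
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("artifact digest does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed publisher key pair
	artifact := []byte("constructed update payload 2.1")
	sum := sha256.Sum256(artifact)
	m := Manifest{"ExampleAgent", "2.1", hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, artifact))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0xff // one byte altered on the delivery path
	fmt.Println("tampered artifact:", VerifyUpdate(pub, m, sig, tampered))
}
```

Because the second step inserts the code before the provider ships it, a provider-signed update still passes this check; it protects the delivery path, which is why the provider-side SSDLC practices discussed below matter as much as the customer's gate.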
Secure Supplier Ecosystems
Businesses are more interconnected than ever before, and that connectedness is increasing at a blinding pace. Supplier and customer ecosystems connect with software, online services, and application programming interfaces (APIs). Data and other information are flowing back and forth in near real-time. Software updates and patches are happening automatically, and we’re trusting our ecosystem in more ways than ever before. For the most part, this is fantastic! Businesses run better, processes are automated, and things are happening faster.
The challenge is to put some checks and balances into the process to mitigate the risk of an ecosystem compromise. Most security frameworks, e.g., ISO 27002 and SOC2/SSAE 18, have controls to reduce the risks coming from your supplier ecosystem. The mitigation process starts with supplier onboarding, where part of the screening includes a security questionnaire. You must confirm that your supplier has cybersecurity practices and systems in place to mitigate risks to your company.
Some of these questionnaires include almost 1000 cybersecurity and operations questions. A common source of relevant questions is the Standardized Information Gathering (SIG) questionnaire. Many suppliers, like Google, publish their answers to the SIG and their cybersecurity certifications online.
Answering the questionnaires is certainly onerous for suppliers, and for purchasers, who have to evaluate the answers. There has been a trend for many suppliers to address this challenge by becoming cybersecurity certified (see Should Your Organization Get Certified in CyberSecurity?). The certification route can also simplify the customer's process, as they can rely on a third-party audit of the supplier.
Whether it is the questionnaire or the certifications, the questions or controls should include the SSDLC of the supplier organization.
Secure Software Development
One of the world's largest software developers is also the focus of most cybersecurity attacks. Love them or hate them, Microsoft has defended its applications very well. Microsoft's secure software development lifecycle is one of the most mature in the world. The good news is that they have published their best practices publicly so that other software development organizations can learn from their years of securing and defending their solutions. Their framework can be used as a reference to establish the critical SSDLC practices that can work for an organization - Microsoft Security Development Lifecycle Practices. Following is a high-level summary:
- Provide training
- Define security requirements
- Define metrics and compliance reporting
- Perform threat modeling
- Establish design requirements
- Define and use cryptography standards
- Manage the security risk of using third-party components
- Use approved tools
- Perform static analysis security testing (SAST)
- Perform dynamic analysis security testing (DAST)
- Perform penetration testing
- Establish a standard incident response process
Putting an SSDLC in place takes time and effort. The effort is worthwhile. I know of several companies that no longer exist; they didn’t survive the customer relations nightmare of their code getting hacked. Having a mature SSDLC benefits the entire business ecosystem.
Beyond the SSDLC
Suppliers should also have mature cybersecurity operations. That’s especially important for SaaS providers, as they are responsible for hosting their code and critical customer data. Make sure that secure communications are in place. Ensure that data is encrypted in transit and at rest.
The customer or user of the SaaS or software solution also has the responsibility to take advantage of the solution's security configuration options. Most importantly, make sure you configure strong authentication for the application, ideally using Single Sign-On (SSO) with multi-factor authentication (MFA). Know where your data and logs are stored. Ensure that your data and logs are being backed up and know where the backup is stored.
Every organization should know its business ecosystem and confirm that its partners have cybersecurity practices in place that will mitigate risks to the organization. Annually refresh this knowledge and log the information in your asset register. Make your life easier by selecting business partners with cybersecurity certifications like SOC2, ISO 27001, CIS, or NIST.
If you’re looking for assistance in completing your supplier ecosystem's security assessment, please reach out to Data Perceptions.
If you want to read more on the SolarWinds hack, here are a couple of links:
- Here's a simple explanation of the SolarWinds hack - Business Insider
- SolarWinds Hack Forces Reckoning With Supply-Chain Security - WSJ
"SCTC Perspective" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.
Knowing the challenges many enterprises are facing during COVID-19, the SCTC is offering to qualified members of the Enterprise Connect user community a limited, pro bono consulting engagement, approximately 2 - 4 hours, including a small discovery, analysis, and a deliverable. This engagement will be strictly voluntary, with no requirement for the user/client to continue beyond this initial engagement. For more information or to apply, please visit us here.