Welcome to this edition of the Cybersecurity Leaders' Newsletter. This month, we focus on finding...
Understanding Your Digital Supply Chain Risk
Bottom Line Up Front:
Understanding your digital supply chain risk is becoming one of the significant challenges many businesses face today, especially with the move to the cloud and the globalization of the computing behind those services. Recommendations for addressing the additional detail of the supply chain that might be part of any significant application:
- Ensure that COTS/third-party suppliers/SaaS are documented on the security context diagram, threat model, CMDB, and any other sources of record, along with the platforms that might support them as part of their own digital supply chain
- Capturing these dependencies helps to identify supply chain risks, to threat model potential mitigations for them, and to support a range of other detection and response activities
Overview of Supply Chain Risk
An organization’s understanding of the supply chain risk of any given system can vary based on the number of integrators or suppliers a company uses to generate its revenue through the production of software or delivery of services. In addition to understanding those integrators or suppliers, the organization needs to understand the external factors which might affect them and, in turn, affect the producer.
An organization’s ability to identify, detect and respond to those environmental threats/influences on the supply chain becomes a critical factor in maintaining the integrity of software and services. An organization’s Third Party Management (TPM) program helps monitor its third parties and supports the lifecycle management of suppliers while they service the Organization.
Due to the complexity of an organization’s supply chain, there might be multiple layers of suppliers or intermediaries downstream of the organization. As the layers of downstream suppliers increase, the Organization’s ability to have visibility into those suppliers decreases. The figure below from NIST SP 800-161r1 demonstrates the decreased visibility as the layers of the supply chain increase.
This paper will focus on the digital supply chain risks which affect Organizations.
Potential Gaps in Organization Digital Supply Chain
Organizations use a layered approach of controls and processes that manage their digital supply chain; this first section will focus on the internal management of the production of applications and services.
Gaps in Cyber Architecture Requirements
Organizations might not document or track third parties/supplier chain infrastructure as part of their supply chain in their Change Management Database (CMDB), and it is not a requirement for this to be completed.
Impact (So What?):
This means that the Organization might not be able to proactively respond to significant vulnerabilities in its supply chain that have been integrated into or used to build the organization’s products (e.g., Log4J).
We can understand the technologies used to support solutions by our critical suppliers and have them linked as an artifact in the CMDB and TPM. This will provide the Organization with the ability to proactively understand the risk exposure from suppliers, as demonstrated in the figure below.[2]
Gaps in Change Management Databases (CMDB)
Often, companies do not connect their suppliers or third-party applications in the CMDB to the authoritative system of record for third-party relationships (TPM), which limits their understanding of the digital supply chain risks those third parties introduce to the applications they support.
Impact (So What?):
This has the potential to limit an organization’s ability to proactively respond to significant vulnerabilities in its supply chain that have been integrated into or used to build the organization’s products (e.g., SolarWinds).
This requires an understanding of the technologies used to support solutions by our critical suppliers, with those technologies linked as an artifact in the CMDB and TPM.
The diagram below demonstrates a software supply chain attack.[3]
Gaps in Software Supply Chain & Software Development Lifecycles
Currently, Organizations have limited or no visibility into some of the software libraries ingested from software providers, open source software, etc.
Example: Log4J. The Black Kite Research Team analyzed nearly 3,000 companies known to be affected by the vulnerability or that explicitly disclosed they were unaffected; the results are displayed in the figure below.[4]
Potential mitigations include:
One of the potential mitigations for increased visibility into the software libraries ingested from software providers, open source software, etc., is the Software Bill of Materials (SBOM). With an SBOM, you can respond quickly to the security, license, and operational risks of open-source use. It could also be used to track the integration of COTS (Commercial Off the Shelf) software into the Organization’s business application groups.
Below is a diagram of a software lifecycle and the bill of materials associated with it.[5]
[5] The software lifecycle has multiple stages where the underlying code might change, and thus the SBOM would be updated to reflect the changes. https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf
The software bill of materials concept can even be expanded to include firmware down at the hardware level. There has been an increase in organizations adopting SBOMs as part of their supply chain, as well as future regulatory requirements from the federal government.
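As an added example (not from the newsletter or any vendor tool), the following Python shows the quick response an SBOM enables: a constructed CycloneDX JSON SBOM for a hypothetical application is matched against a constructed advisory (placeholder id and version range), and each hit carries the component purl and supplier name so it can be tied back to the CMDB and TPM records discussed above.

```python
# Added example (not from the newsletter): match a CycloneDX SBOM against an
# advisory list. The SBOM, advisory id and version range are constructed sample data.
import json

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical business application.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "orders-service", "version": "3.2.0"}},
  "components": [
    {"type": "library", "group": "org.example", "name": "logging-core", "version": "2.14.1",
     "purl": "pkg:maven/org.example/logging-core@2.14.1",
     "supplier": {"name": "Example Logging Project"}},
    {"type": "library", "group": "org.example", "name": "logging-core", "version": "2.17.2",
     "purl": "pkg:maven/org.example/logging-core@2.17.2",
     "supplier": {"name": "Example Logging Project"}},
    {"type": "library", "group": "com.vendor", "name": "pdf-kit", "version": "5.0.3",
     "purl": "pkg:maven/com.vendor/pdf-kit@5.0.3", "supplier": {"name": "Vendor Inc"}}
  ]
}"""

# Constructed advisory: versions in [introduced, fixed) are affected.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-001", "group": "org.example",
     "name": "logging-core", "introduced": "2.0.0", "fixed": "2.17.1"},
]

def parse_version(v):
    """Dotted numeric version -> comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(component, advisory):
    """True when coordinates match and the version falls in [introduced, fixed)."""
    if (component.get("group"), component.get("name")) != (advisory["group"], advisory["name"]):
        return False
    v = parse_version(component["version"])
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def find_affected(sbom_json, advisories):
    """Return (purl, supplier, advisory id) for each affected component, so each hit
    can be traced to its CMDB application entry and the supplier's TPM record."""
    sbom = json.loads(sbom_json)
    return [(c["purl"], c.get("supplier", {}).get("name"), a["id"])
            for c in sbom.get("components", []) for a in advisories if is_affected(c, a)]

if __name__ == "__main__":
    for purl, supplier, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {purl} (supplier: {supplier})")
```

Only the 2.14.1 copy of the library is reported; the patched 2.17.2 copy and the unrelated vendor component are not.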
Industry Resources for SBOMs:
- CycloneDX SBOM examples
- NTIA SBOM: Format and Tooling
- Jupiter One https://www.jupiterone.com/sbom
- Google Supply-Chain Levels for Software Artifacts (SLSA) framework
- NSA Securing the Software Supply Chain
Gaps in Supply Chain Risk Management Process
Organization’s third-party applications which might be in the CMDB are not linked/associated to the authoritative system of record for third-party relationships (TPM Central) (e.g., SolarWinds, VMware, Microsoft, etc.).
It is also recommended that an integration be implemented between the CMDB and the TPM system of record to document the relationship between business applications and third-party records/engagements. This will allow TPM and other downstream groups to consume this information from the CMDB system of record when needed.
Enterprise’s Supply Chain
Contemporary enterprises run complex information systems and networks to support their missions. These information systems and networks comprise ICT/OT products and components made available by suppliers, developers, and system integrators. Enterprises also acquire and deploy an array of products and services, including:
- Custom software for information systems built to be deployed within the enterprise, made available by developers;
- Operations, maintenance, and disposal support for information systems and networks within and outside of the enterprise’s boundaries, made available by system integrators or other ICT/OT-related service providers; and
- External services to support the enterprise’s operations that are positioned both inside and outside of the authorization boundaries, made available by external system service providers.