In a recent Fireside Chat presented by Shared Assessments Committees’ Leadership on “Current and Evolving Cyber & Supply Chain Risks,” conversation topics included Conti, CISA, the geopolitics of SWIFT payments, chip shortages, and how the war in Ukraine might influence China’s actions toward Taiwan.
Cyber & Supply Chain Geopolitical Landscape
Tom Garrubba, VP Shared Assessments, led the discussion featuring Daniel Cuthbert, Global Head of Cyber Security Research, Banco Santander and Rocco Grillo, Managing Director – Global Cyber Risk & Incident Response Investigation, Alvarez & Marsal. The topic was the current Cyber & Supply Chain geo landscape, post-invasion and beyond, and the war in Ukraine loomed large, directly and indirectly. Early in the discussion Garrubba asked whether global supply chain woes might be worsened by organizations using services and products from Ukraine, knowingly or unknowingly.
Grillo acknowledged the impacts to supply chains won’t be positive, but companies with mature contingency planning programs will likely fare better. If SolarWinds alerted everyone to the risk of third-party software, the situation in Ukraine is another, albeit more tragic, reminder of why such planning is needed, even essential, and it won’t be the last.
Cuthbert said, “One of the biggest problems we still have in this industry is that nobody understands what their supply chain is,” referring to the large open source projects embedded in many of those supply chains. He cited “Made in Ukraine,” on GitHub, a collection of open source projects built in or receiving significant contributions from Ukraine, as a valuable resource for identifying “legs,” or “bits,” that could be compromised or subverted. Cuthbert’s concern isn’t necessarily malicious developers, but how companies that depend on open source libraries can position themselves defensively against sudden negative impacts. “I’m hoping that a lot of people are now [asking], ‘What have we got? Where is it based? How do we check that it’s actually good?’”
Shields Up: Software Bill of Materials
Asked how to support a “shields up” level of preparedness, Cuthbert would like to see more companies use a software bill of materials: “SBOM needs to become a thing now.” Organizations also need to focus on “the most boring topic in the world: logging.” Specifically, that means looking for patterns and anomalies, normalizing reporting cycles, and developing consistent reporting on specific areas such as failed logins, impossible travel activity (ITA), and VPN usage, and building up from there.
The pandemic brought new challenges to the forefront for many organizations as workers moved from the office to the home. Now a hybrid approach, WFA (work from anywhere), is evolving. Grillo noted that as more companies embrace these innovations, “The piece we continue hearing more and more about is perimeter security, the need to get on top of the endpoints, and endpoint detection.” Still, cyber hygiene and the fundamentals of resilience, testing and contingency planning, remain the foundation for securing critical assets. He added that companies with mature risk programs, or those actively taking them to the next level, are increasingly using threat hunting, also known as compromise assessments. None of these guarantees 100% effectiveness, “but it’s one more piece that gets you closer to cyber resilience.”
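The two detections Cuthbert names, failed-login bursts and impossible travel, are small enough to show end to end. The following is an added example written for this page, not code from the speakers or from Shared Assessments: it runs both checks over a handful of constructed authentication log lines. The log layout, the thresholds (five failures in five minutes, 900 km/h as the fastest plausible travel speed), and the pre-resolved coordinates are all assumptions chosen for illustration.

```python
"""Added example (not from the original article): detect failed-login bursts and
impossible travel over constructed authentication events.

Assumed log line layout: "<ISO-8601 UTC timestamp> <user> <success|failure> <ip> <lat>,<lon>".
Geolocation is assumed to have been resolved upstream (e.g. by a GeoIP enrichment step)."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. IPs are from documentation ranges; coordinates are
# approximately London, New York, Singapore, Paris and Berlin.
SAMPLE_LOG = """\
2022-03-01T08:00:00Z alice success 203.0.113.10 51.5074,-0.1278
2022-03-01T08:05:00Z bob failure 198.51.100.7 40.7128,-74.0060
2022-03-01T08:05:20Z bob failure 198.51.100.7 40.7128,-74.0060
2022-03-01T08:05:40Z bob failure 198.51.100.7 40.7128,-74.0060
2022-03-01T08:06:00Z bob failure 198.51.100.7 40.7128,-74.0060
2022-03-01T08:06:20Z bob failure 198.51.100.7 40.7128,-74.0060
2022-03-01T08:06:40Z bob success 198.51.100.7 40.7128,-74.0060
2022-03-01T09:30:00Z alice success 192.0.2.44 1.3521,103.8198
2022-03-01T12:00:00Z carol success 203.0.113.99 48.8566,2.3522
2022-03-01T14:30:00Z carol success 203.0.113.98 52.5200,13.4050
"""

MAX_PLAUSIBLE_KMH = 900.0         # assumption: roughly airliner speed
FAILURE_THRESHOLD = 5             # assumption: failures within FAILURE_WINDOW that trigger an alert
FAILURE_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip, latlon = line.split()
        lat, lon = (float(x) for x in latlon.split(","))
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip, "lat": lat, "lon": lon})
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points (spherical Earth, R = 6371 km)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful logins for one user whose implied speed exceeds max_kmh.
    Returns (user, previous_ip, new_ip, distance_km, elapsed_hours) tuples."""
    alerts = []
    last_success = {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # Same-second logins from two distant places are also impossible travel.
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append((e["user"], prev["ip"], e["ip"], round(km), round(hours, 2)))
        last_success[e["user"]] = e
    return alerts


def failed_login_bursts(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Flag a user the moment their failure count inside a sliding window reaches threshold.
    Returns (user, ip, timestamp) tuples; one alert per burst, not per extra failure."""
    alerts = []
    recent = defaultdict(list)
    for e in events:
        if e["result"] != "failure":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) == threshold:
            alerts.append((e["user"], e["ip"], e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in impossible_travel(evts):
        print("impossible travel:", a)
    for a in failed_login_bursts(evts):
        print("failed-login burst:", a)
```

On the sample data this flags alice (London to Singapore in 90 minutes) and bob (five failures inside 80 seconds), and stays quiet about carol (Paris to Berlin in two and a half hours). The same-second case is handled explicitly because a naive speed division would skip it. In production the thresholds need tuning per population: VPN egress points and mobile carriers can place one user in two cities within minutes, which is why Cuthbert pairs detection with normalized, consistent reporting rather than raw alerting.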
Resources For Managing Supply Chain Risk
Cuthbert called out CISA’s Known Exploited Vulnerabilities Catalog as a great resource. Reviewing the list, which currently has more than 500 entries, left him convinced that companies need to be harder on vendors and expect more from them. Until they do, ransomware groups like Conti will continue to buy the same equipment and programs to exploit their weaknesses, some of which, as Cuthbert pointed out, have existed for decades. He believes IT departments should be asking vendors about their security partners, demanding to see their SaaS controls, and asking for confirmation of how standards and requirements will be met. Insist on getting what you’re paying for.
After discussing the challenges to achieving this, Garrubba asked how the industry-wide shortage of talent, inadequate funding, and lack of process development and adherence are contributing to the growth of cyber-attacks and their level of sophistication. Grillo and Cuthbert agreed that stubborn resistance to change in IT departments contributes to the problem and that resistance can also be present in other departments, including the C-suite. Grillo encourages the C-suite to be involved in the process, not just the exercise, of making their company resilient and protecting its critical assets.
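Putting the two resources together, an SBOM of what you run and the KEV catalog of what is being exploited, is a check a team can automate. The following is an added example written for this page, not code from the speakers, from CISA, or from Shared Assessments. CISA publishes the catalog as JSON with the field names used below (cveID, vendorProject, product, dateAdded, dueDate, and so on); the entries here are constructed placeholders, and the CVE IDs in them are not real CVEs. The minimal CycloneDX-shaped SBOM is likewise constructed, and matching on supplier name plus product name is an assumption this example makes for illustration.

```python
"""Added example (not from the original article): cross-check SBOM components
against a KEV-shaped feed and report matches that are past their due date.

Assumptions: the feed uses the KEV JSON field names; the SBOM is CycloneDX-style
JSON whose components carry supplier.name and name; matching is on the
(vendor, product) pair after whitespace and case normalization."""
import json
from datetime import date

# Constructed KEV-shaped feed. Placeholder values only; these are not real CVEs.
KEV_FEED = json.dumps({
    "title": "constructed sample feed",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-02-10",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-02-24"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-03-08",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-04-01"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "Mail Server",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-03-01",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-03-15"},
    ],
})

# Constructed minimal CycloneDX-style SBOM for one environment.
SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "Edge Gateway", "version": "4.1.2",
         "supplier": {"name": "examplevendor"}},
        {"type": "library", "name": "log-helper", "version": "2.0.0",
         "supplier": {"name": "Community"}},
    ],
})


def norm(s):
    """Normalize vendor/product strings so 'ExampleVendor' and 'examplevendor ' compare equal."""
    return " ".join(s.lower().split())


def index_kev(feed_json):
    """Build {(vendor, product): [kev entries]} from a KEV-shaped JSON document."""
    idx = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        idx.setdefault((norm(v["vendorProject"]), norm(v["product"])), []).append(v)
    return idx


def kev_matches(sbom_json, kev_index, today):
    """Return one finding per (component, KEV entry) pair, flagging entries whose
    KEV due date has already passed relative to `today`."""
    findings = []
    for c in json.loads(sbom_json).get("components", []):
        key = (norm(c.get("supplier", {}).get("name", "")), norm(c["name"]))
        for v in kev_index.get(key, []):
            due = date.fromisoformat(v["dueDate"])
            findings.append({
                "component": f'{c["name"]} {c["version"]}',
                "cveID": v["cveID"],
                "dateAdded": v["dateAdded"],
                "dueDate": v["dueDate"],
                "overdue": today > due,
            })
    return findings


if __name__ == "__main__":
    for f in kev_matches(SBOM, index_kev(KEV_FEED), date.today()):
        print(("OVERDUE " if f["overdue"] else "open    ") + f["cveID"], f["component"], "due", f["dueDate"])
```

Two caveats a practitioner would add. First, a vendor/product match means the product family appears in the catalog, not that the installed version is affected: the version comparison has to be done against the vendor advisory the KEV entry points at, and the component version is carried through in each finding for that reason. Second, the catalog grows continuously (the article cites more than 500 entries at the time of the chat), so the feed should be re-pulled and the check re-run on a schedule, with overdue findings fed into the vendor conversations Cuthbert describes.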
No matter how big a company’s budget for risk management is, risk will remain. When Grillo asks leaders if they have enough talent or budget to handle risk, no one raises an affirmative hand. That’s why talent and “the tone at the top” still play an important role in implementing a successful risk management strategy.