From the course: The Cybersecurity Threat Landscape

Protect against supply chain attacks and third-party risks

- [Presenter] Most organizations rely on supply chains and grant access to third parties in order to provide their goods or services. But this supply chain reliance and third-party access can create a large attack surface that needs to be protected. Let's look at steps you can take to protect your organization against these supply chain and third-party risks.

The best way to address third-party risks is to build a formal third-party risk management program, or TPRM. I'll give you a quick overview of what a TPRM might look like. First, you'll create an inventory of all your organization's third-party suppliers and vendors. You'll need to work with subject matter experts from across your organization to get this done. Second, determine which of these suppliers and vendors are critical to your business. Next, identify all third parties who have access to your data or systems. Then, based on their business criticality and access, assign risk ratings to each of these third parties. And finally, use these risk ratings to prioritize identifying alternatives to your critical suppliers and implementing third-party security controls.

Here are some security controls that can help protect against risks associated with third-party access. Follow the least privilege principle to only grant third parties the access they need to do their job. Require third parties to use multifactor authentication, or MFA, when accessing your systems. Monitor the activity of third parties when they access your systems with a secure information event management system, or SIEM, or other monitoring solution. Ensure any third-party access is revoked immediately when no longer needed. And take steps to verify that third parties have strong security controls in place, like reviewing their security certification documentation or requiring them to complete security questionnaires. Also, work with your legal team to require strong security controls in your contracts with third parties who have access to your data. As you can see, building a TPRM can take a lot of effort, and many organizations choose to outsource some or all of this work. But no matter how you tackle it, a good TPRM is the best way to manage and reduce many supply chain and third-party risks.

When it comes to your software supply chain, here are some steps you can take to reduce the risk of vulnerable or malicious open-source software being included in your organization's code. First, you should conduct software code inventories or audits. Work with your developers to create a software bill of materials, or SBOM. This is a formal record that contains the supply chain relationships of the components used to build your organization's software. SBOMs are like the list of ingredients on a food package, and they can identify where open-source software is used in your organization's code. You can find more information about SBOMs, including how to generate them, on the National Telecommunications and Information Administration website at ntia.gov/sbom. There are also application security companies that can analyze your developers' code to generate SBOMs for you.

Next, review the results of the SBOMs with your developers, focusing on the open-source software. Confirm with them that all open-source software components are still needed and have been updated as much as possible. And finally, consider implementing a secure development standard that restricts the use of open-source software that hasn't been updated in years. Supply chain and third-party risks can be challenging to manage. Take what you've learned in this video to start implementing the controls that will help reduce these risks.
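The third-party access controls the presenter lists (least privilege, MFA, monitoring, prompt revocation) can be turned into concrete detection rules that run over authentication events. The block below is an added example and is not part of the course or any particular SIEM product. It assumes a vendor inventory kept by the TPRM program (allowed systems, access expiry, risk rating), a naming convention where third-party accounts carry a `vendor-` prefix, and a simple `key=value` log format; the inventory and the log lines are constructed for illustration.

```python
"""Flag third-party access events that violate the controls above.

Added example, not part of the course. VENDORS and LOG_LINES are constructed;
the 'vendor-' prefix and the key=value log format are assumptions, not a
real SIEM schema. Adapt parse_event() to the fields your SIEM exports.
"""
import re
from datetime import date, datetime, timezone

# Constructed third-party inventory as a TPRM program would maintain it.
# allowed_systems encodes least privilege; access_expires drives revocation.
VENDORS = {
    "vendor-acme-svc":    {"vendor": "Acme Payroll",    "risk": "high",
                           "allowed_systems": {"erp-prod"}, "access_expires": "2024-12-31"},
    "vendor-beta-jsmith": {"vendor": "Beta Consulting", "risk": "medium",
                           "allowed_systems": {"vpn", "wiki"}, "access_expires": "2024-09-30"},
    "vendor-gamma-old":   {"vendor": "Gamma Support",   "risk": "low",
                           "allowed_systems": {"vpn"}, "access_expires": "2024-05-31"},
}

# Constructed authentication events (one per line).
LOG_LINES = """\
2024-06-03T09:12:41Z user=vendor-acme-svc system=erp-prod mfa=true result=success
2024-06-03T09:15:02Z user=vendor-acme-svc system=hr-db mfa=true result=success
2024-06-03T22:47:10Z user=vendor-beta-jsmith system=vpn mfa=false result=success
2024-06-04T03:05:33Z user=vendor-gamma-old system=vpn mfa=true result=success
2024-06-04T08:00:00Z user=alice system=erp-prod mfa=true result=success
2024-06-04T08:30:00Z user=vendor-acme-svc system=erp-prod mfa=true result=failure
2024-06-04T10:10:10Z user=vendor-delta-tmp system=erp-prod mfa=true result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"mfa=(?P<mfa>true|false) result=(?P<result>\S+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["mfa"] = ev["mfa"] == "true"
    return ev


def is_third_party(user):
    # Assumed naming convention: third-party accounts are prefixed with "vendor-".
    return user.startswith("vendor-")


def evaluate(ev, vendors):
    """Return the names of the rules a successful third-party login violates."""
    if ev is None or not is_third_party(ev["user"]) or ev["result"] != "success":
        return []
    entry = vendors.get(ev["user"])
    if entry is None:
        # An account that looks third-party but is not in the inventory is an inventory gap.
        return ["unknown-third-party-account"]
    hits = []
    if not ev["mfa"]:
        hits.append("no-mfa")
    if ev["system"] not in entry["allowed_systems"]:
        hits.append("outside-least-privilege")
    if ev["ts"].date() > date.fromisoformat(entry["access_expires"]):
        hits.append("access-not-revoked")
    return hits


def detect(log_text, vendors):
    """Run every rule over every line and return one alert per (event, rule) pair."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        for rule in evaluate(ev, vendors):
            alerts.append({
                "rule": rule, "user": ev["user"], "system": ev["system"],
                "ts": ev["ts"].isoformat(),
                "risk": vendors.get(ev["user"], {}).get("risk", "unknown"),
            })
    return alerts


def count_by_rule(alerts):
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(LOG_LINES, VENDORS):
        print(f"{a['ts']} [{a['risk']:>6}] {a['rule']:<28} {a['user']} -> {a['system']}")
```

Only successful logins are evaluated, since a failed attempt after expiry shows revocation working rather than failing; the `risk` field carried on each alert lets the SIEM prioritize the same rule hit differently for a high-risk vendor than for a low-risk one.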
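The SBOM review the presenter describes (confirm open-source components are still needed and up to date, and restrict components that have not been updated in years) can be automated once the SBOM exists. The block below is an added example and is not from the course or from the NTIA material it references. It assumes a CycloneDX JSON SBOM, a snapshot of latest version and last release date per package (in practice obtained by querying each registry), and a three-year limit taken from a hypothetical secure development standard; the SBOM, the package names, the snapshot and the as-of date are all constructed.

```python
"""Review a CycloneDX SBOM against a stale open-source component standard.

Added example, not part of the course. SBOM_JSON, REGISTRY_SNAPSHOT, AS_OF and
MAX_AGE_YEARS are constructed; the package names are fictional. In practice the
snapshot comes from querying PyPI, npm, etc. for each component's purl.
"""
import json
import re
from datetime import date

# Constructed CycloneDX 1.4 SBOM as an SBOM generator would emit it.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "billing-api", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "httpkit", "version": "2.31.0",  "purl": "pkg:pypi/httpkit@2.31.0"},
    {"type": "library", "name": "yamlkit", "version": "3.13",    "purl": "pkg:pypi/yamlkit@3.13"},
    {"type": "library", "name": "padutil", "version": "1.3.0",   "purl": "pkg:npm/padutil@1.3.0"},
    {"type": "library", "name": "listfns", "version": "4.17.21", "purl": "pkg:npm/listfns@4.17.21"},
    {"type": "library", "name": "internal-auth", "version": "0.9.1"}
  ]
}
'''

# Constructed registry snapshot keyed by purl without version.
REGISTRY_SNAPSHOT = {
    "pkg:pypi/httpkit": {"latest": "2.31.0",  "last_release": "2023-05-22"},
    "pkg:pypi/yamlkit": {"latest": "6.0.1",   "last_release": "2023-07-18"},
    "pkg:npm/padutil":  {"latest": "1.3.0",   "last_release": "2018-04-02"},
    "pkg:npm/listfns":  {"latest": "4.17.21", "last_release": "2022-02-20"},
}
AS_OF = date(2024, 6, 1)   # fixed review date so results are reproducible
MAX_AGE_YEARS = 3          # hypothetical standard: no releases in 3 years -> blocked


def parse_version(v):
    """Numeric comparison key, e.g. '2.31.0' -> (2, 31, 0); pre-release tags are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def split_purl(purl):
    """'pkg:npm/padutil@1.3.0' -> ('pkg:npm/padutil', '1.3.0')."""
    base, _, version = purl.partition("@")
    return base, version


def review_component(comp, snapshot, as_of, max_age_years):
    """Classify one SBOM component as ok, outdated, blocked or review."""
    name, version = comp.get("name", "?"), comp.get("version", "")
    finding = {"component": name, "version": version, "status": "ok", "notes": []}
    purl = comp.get("purl")
    if not purl:
        # No purl means no registry to check: could be internal code or a vendored copy.
        finding["status"] = "review"
        finding["notes"].append("no purl; confirm whether internal or a vendored open-source copy")
        return finding
    base, ver = split_purl(purl)
    info = snapshot.get(base)
    if info is None:
        finding["status"] = "review"
        finding["notes"].append(f"{base} not in registry snapshot")
        return finding
    if parse_version(ver or version) < parse_version(info["latest"]):
        finding["status"] = "outdated"
        finding["notes"].append(f"behind latest {info['latest']}")
    age_years = (as_of - date.fromisoformat(info["last_release"])).days / 365.25
    if age_years > max_age_years:
        # Stale beats outdated: the standard blocks unmaintained components outright.
        finding["status"] = "blocked"
        finding["notes"].append(
            f"last release {info['last_release']} ({age_years:.1f} years ago) "
            f"exceeds the {max_age_years}-year limit")
    return finding


def review_sbom(sbom_json, snapshot=REGISTRY_SNAPSHOT, as_of=AS_OF, max_age_years=MAX_AGE_YEARS):
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [review_component(c, snapshot, as_of, max_age_years)
            for c in sbom.get("components", [])]


def blocked_components(findings):
    return sorted(f["component"] for f in findings if f["status"] == "blocked")


if __name__ == "__main__":
    import sys
    results = review_sbom(SBOM_JSON)
    for f in results:
        print(f"{f['status']:<9}{f['component']}@{f['version']}  {'; '.join(f['notes'])}")
    sys.exit(1 if blocked_components(results) else 0)  # fail the build on blocked components
```

Run as a CI step after SBOM generation, the non-zero exit on `blocked` enforces the standard mechanically, while `outdated` and `review` results feed the developer review meeting the presenter describes.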