backdrop

Cyber Sierra Roundtable: Cybersecurity Risk in Supply Chains

Supply chain risk in the world of information security gains notoriety with every new breach. 2020’s SolarWinds breach is a never-ending saga, with news of impacted entities continuing to come up. Vulnerabilities in open source are another headache, with log4j dominating headlines.

 

How does the information security team prepare for such unknowns, with only one certainty in mind, that such unknowns exist and can come up suddenly on any given day?

A team of experts convened during the Singapore Fintech Festival 2022 to discuss supply chain risk from a cybersecurity perspective. This meeting was facilitated by Cyber Sierra in Singapore. Please find below a summary of questions, panelists, and discussion points.

slider
  1. What are some impacts of third-party vendor risks? How do you manage such risks?
  2. Have you experienced first-hand such supply chain attacks? Can you share your learnings and experiences?
  3. Do you classify vendors by their potential severity of risks?
  4. Are you able to isolate or ring fence a problematic system or solution (from a vendor) from the rest of your systems?
  5. How can companies guard against misleading declarations from vendors?
  6. Is there a role for regulators to play in terms of enforcing certain best practices in containing supply chain risk?
  7. What is your opinion of a mandatory cyber insurance policy?

Panelists (Reference)

Guarding against third-party risks amid an evolving cyber security landscape

Getting cybersecurity right can be extraordinarily complex given the constantly evolving landscape of new threat vectors and security vulnerabilities. In many cases, the weak link is human, and even senior executives have found themselves tricked through social engineering, noted Stephen Barnham, a senior technology leader in the Banking and Financials Service Industry (BFSI).

Speaking at a recent roundtable discussion organised by Cyber Sierra with IT and cybersecurity practitioners, he shared an anecdote of how a General Manager was tricked by someone purporting to be the CEO to transfer tens of thousands of dollars for a non-existent company initiative.

While the natural propensity might be to dismiss or ignore potential cybersecurity weaknesses as something that will not happen to us, Barnham urged businesses to establish a culture of awareness around cybersecurity and to make it everyone’s responsibility.

The risks from without 

As the world becomes more interlinked and businesses digitalise, one growing risk would undoubtedly be from third-party organisations. At the root of this are digital systems that are increasingly integrated, including with external vendors and partners. When ignored, this can lead to a variety of cybersecurity breaches including bad actors gaining entry through them or supply chain attacks. Silvia Thom, who was formally the CTO at Zalora, shares that vendor security is a common problem.

“You send out a security questionnaire [to the third party] and you get back the answers. There’s that pressure to get the contract from the other side. And, you know, if it’s a two, three-year-old vendor, how much security could they have built up?” said Silvia.

But is third-party risk management crucial? Pramodh Rai, co-founder and CEO of Cyber Sierra thinks so. He pointed to the prevalent use of automated hacking tools by threat actors, citing the example of how some Internet-accessible databases were hacked within minutes of going live. 

“Somebody somewhere has written a script that is looking for common vulnerabilities. That’s why it’s important to validate your cybersecurity posture first – because the other side is automating the process of hacking,” said Rai.

Security or speed? Choose one 

But why are so few organisations paying attention to third-party risk management? According to Anagat Pareek, ex-CISO of PayTm, third-party risk management is at the bottom of priorities at most organisations mainly due to a lack of time.

“There were instances where we had to turn [vendors] away because of the lengthy onboarding time. By the time we go through the laborious security checks, it would take too much time out of the project runway. In the absence of a [better solution], it can get to the point that we miss a business opportunity,” said Barnham of the time crunch when addressing third-party risk.

But keeping everything in-house is often not the solution either. Barnham explained: “You are in a world where you want to give your developers access to open source. You want them to go to publicly available code repositories. You are contracting external developers and have a hybrid team of developers.”

For many, the result is a compromise where security is reduced to a security checklist.

“We give out access to our systems to vendors. We check the compliance of these vendors by sending them security questionnaires with checklists. If they tick ‘no’, they don’t get the contract. So, everything is ‘yes’, of course. But how do you know that each one of them is compliant?” asked Pareek.

“How are they controlling access to data? Is their data encrypted at rest and in motion? Are they PCI-compliant? We rely a lot on paperwork to answer these questions, but really, nobody has the wherewithal to go out and look at 100 vendors. It’s impossible. We need a better solution.”

A better way with Cyber Sierra

There is where Cyber Sierra can make a difference, says Pareek. “Cyber Sierra can be deployed to scan the network and upload the report. Many vendors may not know what a security vulnerability is, or what a network scan is. And they don’t want to buy another commercial solution – they are trying to build a business after all. Cyber Sierra will also help them become more secure and give the clients they work with the confidence that they’re dealing with a secure organisation. I think it’s a win-win situation.”

Edwin Tan, Head of Information Security at Julius Baer concurred: “Cyber Sierra can provide efficient due diligence of a vendor setup based on measurable criteria. This allows us to take quick proactive action in working with the vendor to address the key concerns before engaging them.”

“My environment has become so much more complicated over the last 10 years; my attack surface has become significantly broader. This is where all my attention is going. If there is a solution that enables me to connect to third parties yet gives me peace of mind about who I’m connecting to, by verifying that they are compliant to whatever standards we want to hold them to. This would help me to use my time far more efficiently,” said Barnham.

Verify and insure 

Another benefit of automated checks lies in their ability to verify that a security declaration is indeed true. Barnham added: “When you have that automated tooling and knowledge that there is that automated tooling, it will disincentivise individuals from lying about their preparedness and compliance. Because now they know they are going to get caught. This allows you to get out of that vicious cycle of pointless checklists, and instead becomes a proactive collaboration.”

“Once people in the ecosystem know that you have this capability, they will not want to turn up at your doorstep, making false declarations,” Rai agreed.

And what role can cyber insurance play? Participants at the roundtable are uncertain if it should be mandatory but agreed that it can give companies a choice to mitigate risk, assuming the premium is affordable

Cyber Attacks

More articles like this

Find out how we can assist you in completing your compliance journey.

backdrop

Cloud Security

Today, we all use cloud services in our individual capacity or at work. Companies typically use cloud service providers like Amazon Web Services, Microsoft Azure, and Google Cloud to host their cloud computing services.

A lot of sensitive details, ranging from our personal data, emails, customer data, etc. are stored on servers beyond our immediate vicinity.
slider

Cloud security is aimed at protecting data, applications, tools, and environments in the cloud through services, policies, technology, and security controls.
Cloud services providers and the customers of these providers have a shared responsibility when it comes to cloud security. Cloud services providers are generally responsible for the security of the platform, infrastructure, and applications while the customers are responsible for the security of endpoints, user and network security, applications developed on the cloud platform, and data.
A few common threats faced by companies using cloud services include:

Hijacking of account:
There are a lot of weak passwords utilized by employees which makes it easy for anyone to breach employee accounts on the cloud. Sometimes, cloud-based deployments are outside a customer’s network and accessible by anyone on the internet. Weakly configured security can enable an attacker to gain access without the organization’s knowledge

Denial of service attacks:
A successful denial of service (DoS) attack on cloud infrastructure can affect multiple companies. A DoS attack is done by flooding a target with traffic higher than the manageable level of traffic. This causes the target to shut down.

Data loss:
Loss of account access and breaches can lead to the loss of important data stored in the cloud such as personal information, activity logs, and system backups.

Protection against these threats includes:

Education on cyber hygiene
Human errors account for a significant portion of breaches and losing access to an account on the cloud can cause major breaches. Being educated on best security practices reduces this risk by a huge margin.

Maintaining data protection policies
Having data protection policies classifies different types of data based on how sensitive they are. These policies can ensure that highly sensitive data is not stored on the cloud where the risk of breaches is high

Subscribing to a reputable cloud security solution
Cloud security providers constantly update their solutions based on the latest threats and subscribing to a cloud security solution would ensure all-around protection of cloud services.

Cyber Attacks

More articles like this

Find out how we can assist you in completing your compliance journey.

backdrop

Ransomware

Ransomware is defined as a type of malicious software designed by threat actors to block access to a computer system until a sum of money is paid.

Threat actors include individual hackers, hacker organizations, government entities, and terrorist organizations.Over the last few years, ransomware has become a major cybersecurity threat to companies and people alike.
slider

According to SonicWall, there were around ~600 million ransomware attacks in 2021! One of the prominent cases of ransomware was the attack on Colonial Pipeline in Texas, US which led to a severe crunch in gasoline supply in 18 states in the US.

Given the rapid rise of ransomware, here’s a short explainer of how it works:

  • The threat actor infiltrates network security and looks for systems that are vulnerable or directly exposed to the public internet.
  • Subsequently, the vulnerabilities and the protection level of the system are analyzed to see what type of code would stay undetected and breach the system.
  • Malicious software is installed on the system which stays dormant for a period of time until it gets executed.
  • Upon execution, the malicious software encrypts a large number of files in the system. The owner of the system would not be able to access the files without decrypting the files.
  • Malicious software displays a message on the system stating the ransom required to release the files. The ransom is usually paid in cryptocurrency.
  • The owner of the system pays the ransom to the threat actor and the threat actor sends a decrypting tool to access the files again.

How to Protect Yourself from Ransomware:

Install the latest software and firmware updates
Installing the latest software and firmware updates ensures that there are minimal vulnerabilities and better detection of malicious software.

Back up important data online:
Backing up your data regularly will allow you to revert back to a safe version of the a system without malicious code. However, the limitation of this is that you would not know when the malicious software was installed as it could have stayed dormant for days or months before being executed.

Use modern security solutions that are updated regularly:
Using the latest security solutions vastly increases the likelihood of detecting malicious software which can be blocked from being installed on the system.

In the event you are a ransomware victim, here are a few options to explore:
1. Isolate the affected system and consult experts on the next step
2. Secure existing backups of data and software
3. Change all your passwords linked to that system

What is Ransomware and How Can I Protect Myself against it?
As the name implies, ransomware actually refers to malicious software that is designed to block access to a computer system until the ransom is paid. In a typical ransomware scenario, the attacker demands a form of payment before releasing access to critical software containing valuable information and managing important processes.

Common ransomware attacks include:

  • Sending a phishing email with an attachment and taking over the victim’s computer and demanding a ransom to restore access
  • Exploit security gaps to infect computers without the need to trick users
  • The attacker threatens to publicize the user’s sensitive data unless a ransom is paid

What should you do?
1. Keep your operating system patched and updated
2. Install antivirus software
3. Be very careful about admin privileges and limit that strictly
4. Back up your files
5. Invest in cyber insurance

Cyber Attacks

More articles like this

Find out how we can assist you in completing your compliance journey.

backdrop

Common Cyber Security Attacks

Cybersecurity attacks happen in a variety of ways. Most of these happen through systems that you use regularly.

These include SQL Injection, MITM, and DDoS. We will cover these attack vectors in the below sections:
slider
  1. Ensure your company has a policy for Third Party Risk Management (TPRM) with clearly defined controls that apply to TPRs.
  2. Maintain a central repository for TPRs and analyze the cybersecurity risks they pose and subsequently, apply appropriate controls to each party, with reference to TPRM or best practices you are familiar with.
  3. Third parties are not just ‘vendors’. Any supplier, IT service provider, associate, affiliate, or consultant is also part of the same set of third-party relationships. Controls in your organization’s information security policies should apply to all.
  4. Apply controls across the relationship. The importance of cybersecurity controls is normally overlooked, especially during and in the terminal phases of the relationship.
  5. Require your third parties to inform you of their security practices and in particular, any breaches, especially in relation to data concerning your customers or organization.

When cyber attacks occur in your supply chain of TPRs and if the data compromised concerns your business or its customers, your organization is likely to suffer impact too and may even be held liable.

As a result, watch out for the parties you are interacting with within the course of business and be mindful of cyber risk in this sphere.

Cyber Attacks

More articles like this

Find out how we can assist you in completing your compliance journey.

    toaster icon

    Thank you for reaching out to us!

    We will get back to you soon.