In Case of Crisis: Third-Party Risk Across Three Dimensions

In 2020, the SolarWinds exploit ignited concerns about third-party risks, and in 2021, the Kaseya hack and Log4J vulnerability fanned those flames. Third-party risks ripple through the supply chain, affecting vendors, their partners and their customers. These risks have become so pervasive that the Biden administration is introducing new requirements for enhanced transparency. In the case of a crisis involving third-party software vulnerabilities, visibility and transparency are key – and that requires preparing ahead of time.

Vulnerabilities and exploits are the bread and butter of cybersecurity research. Researchers work diligently to discover vulnerabilities, ideally so that they can be patched before attacks exploit them. Yet, according to White Hat, it takes an average of 205 days to fix critical cybersecurity vulnerabilities, while HP research reports that attackers begin exploiting these vulnerabilities within days. For any given vulnerability, an organization may be vulnerable to attack for at least six months – assuming they have visibility into the vulnerability in the first place.

You Don’t Know What You Don’t Know

The SolarWinds breach is the worst-case example of third-party risk, underscoring the importance of visibility. SolarWinds was breached in early 2020, and attackers compromised its IT monitoring software, Orion, with a Trojanized update. Subsequently, SolarWinds pushed this update to as many as 18,000 customers with a back door that was so hard to detect that security experts suspect the full extent of this attack will never be known. In fact, the breach remained undetected until December 2020, when FireEye research revealed that SolarWinds had fallen victim to a cyber-attack.

The attack impacted many Fortune 500 companies, including Microsoft, Cisco and Intel, and multiple agencies within the United States government, such as the Department of Homeland Security and the Office of Personnel Management. The long-term consequences of this attack will continue to be felt for years to come, because the nature of SolarWinds' IT monitoring software means that the attackers could have easily mapped out the IT systems of some of the biggest companies and most important government agencies.

The attack was so significant that it spurred a response from the Biden administration, which sanctioned Russia for its involvement (Microsoft has attributed the attack to the Russian hacking group Nobelium). The Biden administration also announced an executive order, which introduced new requirements for software vendors to provide a software bill of materials (SBOM) for software sold through the federal procurement process – an SBOM is essentially a list of the components that make up a piece of software, so that organizations can obtain more visibility into third-party risks in their software supply chain.
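To make the visibility an SBOM gives concrete, here is an added example (not code from the article or from any vendor named in it) that reads a small CycloneDX-style SBOM and cross-references its components against an advisory list. Both the SBOM document and the advisory list are constructed sample data, the component names and advisory identifiers are placeholders rather than real packages or CVE numbers, and the hand-written advisory list stands in for a real vulnerability feed; the point is that once components and versions are enumerated, checking whether a newly disclosed flaw affects you becomes a lookup rather than guesswork.

```python
"""Cross-reference a CycloneDX-style SBOM against an advisory list.

Added example, not code from the article or from any vendor it names.
The SBOM and the advisory list below are constructed sample data; the
advisory IDs are placeholders, not real CVE or vendor identifiers.
"""
import json

# Constructed CycloneDX-style SBOM, reduced to the fields this example reads.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-logger", "version": "2.14.1",
         "purl": "pkg:maven/com.acme/acme-logger@2.14.1"},
        {"type": "library", "name": "acme-logger", "version": "2.17.0",
         "purl": "pkg:maven/com.acme/acme-logger@2.17.0"},
        {"type": "application", "name": "acme-monitor-agent", "version": "5.2.0",
         "purl": "pkg:generic/acme-monitor-agent@5.2.0"},
        {"type": "library", "name": "acme-json", "version": "1.0.3",
         "purl": "pkg:npm/acme-json@1.0.3"},
    ],
})

# Constructed advisory feed. An affected range is [introduced, fixed),
# i.e. the "fixed" version itself is no longer affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "name": "acme-logger",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-0002", "name": "acme-monitor-agent",
     "introduced": "5.0.0", "fixed": "5.2.1", "severity": "high"},
]


def parse_version(version):
    """Turn '2.14.1' into a comparable tuple (2, 14, 1, 0).

    Only the leading digits of each dot-separated piece are kept, so a
    suffix such as '-beta' is ignored rather than raising; missing pieces
    are padded with zeros so '2.14' and '2.14.0' compare equal.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json):
    """Return (name, version, purl) for every component in the SBOM."""
    doc = json.loads(sbom_json)
    return [(c.get("name"), c.get("version"), c.get("purl"))
            for c in doc.get("components", [])]


def find_affected(sbom_json, advisories):
    """Match each SBOM component against every advisory for the same name."""
    findings = []
    for name, version, purl in load_components(sbom_json):
        for adv in advisories:
            if adv["name"] != name or not version:
                continue
            if in_range(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"], "severity": adv["severity"],
                    "component": name, "version": version, "purl": purl,
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['severity'].upper():9} {f['advisory']}  {f['purl']}  "
              f"(fixed in {f['fixed_in']})")
```

Running it reports the two affected components (the 2.14.1 copy of the logger and the monitoring agent) and stays silent on the 2.17.0 copy and on the JSON library that no advisory covers. A real deployment would replace the hand-written list with a vulnerability feed keyed on the component's package URL, and would treat components with no version string as a visibility gap to chase with the vendor rather than as "clean".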

Stuck in the Middle

Beyond SolarWinds, there are many vulnerabilities discovered and disclosed that make it clear that many organizations are unaware of the downstream impact of third-party risks. So how can your organization prepare for these ominous challenges?

Communication gaps can be devastating in the face of rising threats and slow patch response times. When a new vulnerability is discovered in a software stack embedded in a device, multiple stakeholders need visibility into the vulnerability and need to communicate it to partners downstream. Unfortunately, many vendors would rather turn a blind eye than risk tarnishing their reputation, without realizing that their inaction will be far worse for them in the long run.

Companies need their teams to see beyond traditional departmental divisions and adopt full operational views of scenarios as they unfold – real-time information and communication are essential to keep teams up to speed and moving forward.

In the case of a crisis, many executives are hindered by a slow flow of information and a lack of communication – without understanding the big picture, it is more difficult to make decisions quickly enough. This is where transparency and visibility transcend technology – it is about people and processes too.

No amount of preparation will fully safeguard against a crisis, nor will any technology or tool instantly eliminate a crisis. However, when you consider third-party risk, it’s not a matter of if you’ll be facing a crisis – it’s only a matter of when. Are you ready today? 
