Try this strategy to verify supplier cybersecurity claims

Published on January 27th, 2023 📆 | 4569 Views ⚑



When it comes to managing the cybersecurity of your agency’s software supply chain, the current mode of trust must morph into trust but have the capacity to verify.

According to Kelly White, the founder and CEO of Risk Recon, a Mastercard company, you can do that now. White said it’s a matter of discerning the cybersecurity hygiene of companies you do business with that will yield clues to whether they’re susceptible to ransomware attacks. Ransomware via phishing attacks has become a top tactic for adversaries seeking to get their hands on private data.

White distinguished between ransomware attacks and what he called destructive ransomware attacks. The latter constitute a recent phenomenon, starting around 2016. He defined destructive as “criminals detonating malicious software inside of organizations and encrypting the systems and thus rendering the organization then unable to [use] those systems and their operations.”

Risk Recon recently completed an analysis of 1,000 destructive ransomware attacks, in which mission critical systems were rendered inoperable.

“These are the things that take an organization down to its knees,” White said, “so they’re particularly impactful and backed up by a very deep compromise.”

Risk Recon analysts established “that companies that have very poor cybersecurity hygiene have a 50 times higher frequency of ransomware events than those that have very good cybersecurity hygiene,” White said. He added that by virtue of continuously monitoring the cybersecurity practices of some five million companies worldwide, Risk Recon has a pretty solid idea of what makes for “good” and “poor” hygiene.

Perhaps not surprisingly, the research showed three main vectors for launching 85 percent of ransomware attacks – clues to where organizations should put greater emphasis. Unpatched, publicly facing web applications top the list. After that come unsecured network services, such as unhardened remote desktop protocols. And third, phishing emails sent to the organizations.

White noted that Risk Recon uses passive and open source intelligence techniques. This means bad actors can use the same techniques to figure out which organizations are soft targets.

“When you’re doing business on the internet, you can’t help but reveal your cybersecurity state,” White said, “and the robustness of that cybersecurity.”

One finding from the Risk Recon study showed just how much a basic practice like patching actually helps.

The study pinpointed the subset of software vulnerabilities that rated critical or high severity, things that are often remotely exploited for system compromise. It found, White said, “that ransomware victims, on the day of compromise or on the day of detonation, have an 11 times higher rate of critical software patching issues in their internet facing systems, in comparison with the larger population.”

The corollary: “If you’re doing those things and investing in those activities, you’re going to get better risk outcomes,” White said. Cybersecurity staff can cite this data when making the case for investment in basic measures at their own agencies.

Plus, they’ll have objective evidence about suppliers to reinforce suppliers’ attestations of cyber measures, or to show where they fall short. Doing business with companies that have good cybersecurity hygiene is a must, White said, “if you want to get better risk outcomes, lower rates of destructive ransomware events that take your supplier offline and impact your operations.”

Use of open source intelligence won’t replace supplier attestation, White said, “but leveraging open source intelligence can help you understand how the processes and technology that an organization invests in are manifest in the systems. Those systems that are facing the internet are pieces of evidence about the quality of their cybersecurity.”
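As an added illustration (not Risk Recon's methodology or code), the following Python turns the article's two observations into a supplier check: the three attack vectors it names (unpatched web-facing applications, exposed remote desktop, and phishing, the last of which a passive inventory cannot see) and the critical-patching rate compared against a population baseline. The inventory, the baseline rate and the flagging threshold are constructed, hypothetical values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    """One internet-facing host as a passive inventory might record it."""
    host: str
    open_ports: frozenset
    crit_high_unpatched: int  # count of unpatched critical/high-severity vulns

RDP_PORT = 3389             # exposed remote desktop: one of the article's three vectors
WEB_PORTS = frozenset({80, 443})

# Hypothetical baseline: share of internet-facing hosts in the comparison population
# carrying at least one critical/high patching issue. A real value would come from
# the assessor's own population data.
POPULATION_CRIT_PATCH_RATE = 0.05

# Constructed sample inventory for a hypothetical supplier.
SAMPLE_ASSETS = [
    Asset("www.example-supplier.test", frozenset({443}), 3),
    Asset("mail.example-supplier.test", frozenset({25, 443}), 0),
    Asset("rdp.example-supplier.test", frozenset({3389}), 1),
    Asset("vpn.example-supplier.test", frozenset({443}), 0),
]

def crit_patch_rate(assets):
    """Fraction of internet-facing hosts with >= 1 critical/high unpatched issue."""
    if not assets:
        return 0.0
    return sum(1 for a in assets if a.crit_high_unpatched > 0) / len(assets)

def assess_supplier(assets, baseline=POPULATION_CRIT_PATCH_RATE, ratio_threshold=5.0):
    """Return the supplier's patching ratio versus baseline plus per-host findings.
    ratio_threshold is a hypothetical policy knob, not a figure from the study."""
    ratio = crit_patch_rate(assets) / baseline if baseline else 0.0
    findings = []
    if ratio >= ratio_threshold:
        findings.append(f"critical patching rate is {ratio:.1f}x the population baseline")
    for a in assets:
        if RDP_PORT in a.open_ports:
            findings.append(f"{a.host}: remote desktop exposed to the internet")
        if a.open_ports & WEB_PORTS and a.crit_high_unpatched > 0:
            findings.append(f"{a.host}: web-facing host with "
                            f"{a.crit_high_unpatched} unpatched critical/high issues")
    return {"crit_patch_ratio": ratio, "findings": findings}

if __name__ == "__main__":
    for line in assess_supplier(SAMPLE_ASSETS)["findings"]:
        print(line)
```

The result is evidence to hold against a supplier's written attestation, not a verdict on its own; phishing susceptibility still has to come from the attestation or from the supplier's own controls.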
