By now, you know how important patching your system is. However, what happens if you lag behind? Could that lack of urgency result in a supply chain security threat?
Organizations need to understand the risks of supply chain security vulnerabilities, and how they can affect even secure organizations. When vendor security is often beyond your control, you might feel a sort of helplessness about it.
Fortunately, companies can, and should, hold their supply chain accountable.
And so, let’s take a brief look at the latest patching news, and discover why supply chain security is so critical.
Brief Update Roundup
Microsoft has yet to issue patches for the actively exploited Microsoft Exchange vulnerabilities announced recently, although they have revised their mitigation guidance several times.
Microsoft’s updates released this week:
- Patch 84 flaws, 13 of which are classified as ‘Critical’
- Fix several zero-day bugs including
- An Azure cloud service vulnerability rated 10 of 10,
- A security flaw regarding TLS security certificate processing,
- An elevation of privilege bug in the Windows service that provides system notifications when users log on or off
- Adds capabilities:
Other notable updates this week fix:
- iOS 16 mail crash attack,
- Open-source vm2 JavaScript sandbox “Sandbreak” vulnerability,
- Multiple critical vulnerabilities in the Aruba WAN management tool, EdgeConnect Orchestrator,
- Authentication bypass flaws in Fortinet’s on-premises management platforms: FortiGate firewalls, FortiProxy web proxies and FortiSwitch Manager.
Supply Chain Security Vulnerability
Supply chain attacks can affect your business in three key ways: business disruption, direct IT breaches, or indirect data breaches.
Ransomware remains a key disruptor of business operations, with 52% of global organizations reporting supply chain partners hit by ransomware. However, the FBI also issued several alerts regarding financial disruptions caused by social engineering attacks.
These attacks targeted healthcare third-party payment processors and redirected over $4.6 million in payments.
Once attackers penetrate partner IT systems, they can strike your business partners with more credible phishing attacks, or even direct-access attacks. The famous 2014 Target breach occurred because attackers used Target’s HVAC vendor’s access to penetrate IT systems and steal the payment data of 40 million customers.
More recently, a RansomEXX attack against Bombardier Recreational Products entered Bombardier through a third-party service provider.
Hackers can also use their access to affect end customers directly, like when hackers compromised the Comm100 Live Chat SaaS application to distribute malware through the customer communication chat tool installed on corporate websites.
But, for some industries, supply chain security is even more critical and challenging than others.
Some Industries Face Extra Pressure
Healthcare can be especially vulnerable to indirect data breaches, and a few recent high-profile third-party breaches will cost their supply chain partners dearly.
For instance:
- A Conifer Revenue Cycle Solutions hack exposed the patient information for six different hospital systems in Texas and Alabama.
- The Eye Care Leaders data breach exposed the patient data for more than two dozen healthcare organizations.
However, supply chain security problems can also be downstream from your company. Morgan Stanley discovered this the hard way, when their hard drive disposal vendor failed to wipe regulated customer personal information from old hard drives.
This breach of contract from their vendor resulted in a $35 million fine for Morgan Stanley.
We learn of some breaches because of regulatory disclosure requirements. However, many third-party breaches are kept quiet by the victims, never reported, and remain a hidden vulnerability to you and others.
Closing Supply Chain Security Vulnerabilities
These supply chain security vulnerabilities generally stem from:
- Contract Violations
- Lack of Resilience
- IT Security Failures
Although these vulnerabilities cannot be eliminated, they can be controlled. For contracts, companies can require proof, or actively check, that the terms have been fulfilled.
Your business can also control resilience and IT security risks, by limiting exposure and by requiring proof of basic IT competence.
Organizations can limit exposure through network and data restrictions, which limit shared information and resources strictly to what is required.
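One way to keep a partner's network access at "strictly what is required" is to compare the rules actually configured for the partner's firewall zone against the access documented in the contract and flag anything broader. The following is an added example, not code from Ideal Integrations or Blue Bastion; every rule name, network and host address in it is a constructed placeholder (RFC 5737 documentation ranges and private space), and the simple rule model is an assumption rather than any particular firewall vendor's format.

```python
"""Audit the firewall rules of a third-party partner zone against the minimum
access the partner is documented to need (least privilege).

Added example; all names, networks and addresses are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORTS = range(0, 65536)  # models a rule that allows "any" destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # partner-side network, CIDR
    dst: str      # destination network on our side, CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: range  # destination port range (stop is exclusive, as in Python ranges)


# Constructed: the access the statement of work says the partner needs.
# Here an HVAC vendor only needs HTTPS to one building-management host.
REQUIRED = [
    Rule("hvac-to-bms", "203.0.113.0/28", "10.20.30.5/32", "tcp", range(443, 444)),
]

# Constructed: what is actually configured in the partner zone today.
CONFIGURED = [
    Rule("hvac-to-bms", "203.0.113.0/28", "10.20.30.5/32", "tcp", range(443, 444)),
    Rule("hvac-mgmt", "203.0.113.0/28", "10.20.0.0/16", "any", ANY_PORTS),         # far broader than needed
    Rule("hvac-rdp", "203.0.113.0/28", "10.20.30.5/32", "tcp", range(3389, 3390)),  # port not in the contract
]


def covered_by(rule: Rule, required: list[Rule]) -> bool:
    """True if `rule` is no broader than at least one documented required rule:
    same or narrower protocol, source and destination subnets, and port range."""
    for req in required:
        proto_ok = req.proto == "any" or rule.proto == req.proto
        if (proto_ok
                and ip_network(rule.src).subnet_of(ip_network(req.src))
                and ip_network(rule.dst).subnet_of(ip_network(req.dst))
                and rule.ports.start >= req.ports.start
                and rule.ports.stop <= req.ports.stop):
            return True
    return False


def excess_rules(configured: list[Rule], required: list[Rule]) -> list[str]:
    """Names of configured rules that grant more than the contract requires."""
    return [r.name for r in configured if not covered_by(r, required)]


if __name__ == "__main__":
    for name in excess_rules(CONFIGURED, REQUIRED):
        print(f"rule exceeds documented partner access: {name}")
```

Running the audit against the constructed data reports `hvac-mgmt` (whole /16, any protocol, any port) and `hvac-rdp` (a port the contract never mentions) as excess; the documented HTTPS rule passes. In practice the `REQUIRED` list is what you would ask the partner to sign off on, so the same check doubles as evidence of contract compliance.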
Proof of competence can be provided through:
- Auditing policies and procedures for incident response, vulnerability management, and business continuity, to prove the company has the processes and technologies to minimize operational downtime and security threats
- Regular vulnerability reports: Quarterly scans for unpatched systems, misconfigurations, etc.
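"Require proof, or actively check" and "quarterly scans for unpatched systems" only mean something if someone reads the report against the agreed terms. The script below is an added example, not code from Ideal Integrations or Blue Bastion: it takes a partner's scan export and the patch deadlines written into the contract and lists the findings that have stayed open past their deadline, and checks that the report itself is recent enough to count as quarterly. The CSV, hostnames, finding identifiers and SLA values are all constructed placeholders; the column layout is an assumption, not any specific scanner's format.

```python
"""Check a partner's quarterly vulnerability scan export against the
remediation deadlines written into the contract.

Added example; the report content, hostnames, finding ids and SLA figures are
constructed placeholders, not data from any real partner or scanner.
"""
import csv
import io
from datetime import date

# Constructed contract terms: maximum days a finding may remain open, by severity.
# Severities not listed (e.g. "low") are tracked but not enforced.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Constructed scan export, in a shape most scanners can be asked to produce.
REPORT_CSV = """host,finding,severity,first_seen,status
db01.partner.example,FINDING-001,critical,2022-09-01,open
web02.partner.example,FINDING-002,high,2022-09-25,open
web02.partner.example,FINDING-003,medium,2022-07-01,open
vpn01.partner.example,FINDING-004,critical,2022-10-01,fixed
app03.partner.example,FINDING-005,low,2022-01-01,open
"""


def sla_breaches(report_csv: str, as_of: date, sla_days: dict = SLA_DAYS) -> list[dict]:
    """Return every still-open finding whose age exceeds the contractual deadline."""
    breaches = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["status"].strip().lower() != "open":
            continue  # already remediated; nothing to enforce
        limit = sla_days.get(row["severity"].strip().lower())
        if limit is None:
            continue  # no deadline agreed for this severity
        age = (as_of - date.fromisoformat(row["first_seen"])).days
        if age > limit:
            breaches.append({
                "host": row["host"],
                "finding": row["finding"],
                "severity": row["severity"],
                "days_open": age,
                "sla_days": limit,
            })
    return breaches


def report_is_current(report_date: date, as_of: date, max_age_days: int = 92) -> bool:
    """A quarterly cadence means the newest report should be at most about one
    quarter old; an older report is itself a missed contractual term."""
    return 0 <= (as_of - report_date).days <= max_age_days


if __name__ == "__main__":
    today = date(2022, 10, 12)  # constructed review date
    print("report current:", report_is_current(date(2022, 9, 30), today))
    for b in sla_breaches(REPORT_CSV, today):
        print(f"{b['host']} {b['finding']} ({b['severity']}): "
              f"open {b['days_open']} days, SLA {b['sla_days']}")
```

With the constructed data and a review date of 2022-10-12, the critical finding on `db01` (41 days open against a 15-day SLA) and the medium finding on `web02` (103 days against 90) are reported; the 17-day-old high finding is still inside its window, the fixed finding and the low finding are skipped. The output is the list you would take back to the partner, with the contract clause beside it.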
Reaching Out
It’s not always easy to handle supply chain security. After all, there’s only so much you can control.
However, there are definite steps you can take to give yourself the best chance at staying safe and limiting damages.
If you could use a hand reviewing your supply chain security, or just want someone to offer you a little guidance, we can help you achieve your goals. Ideal Integrations, along with our cybersecurity division Blue Bastion, has experience helping businesses just like yours.
Simply contact Ideal Integrations at 412-349-6680, or fill out the form below, and our IT and security experts can help you, or your supply chain partners, understand options for isolating systems, vulnerability scans, penetration tests and other options to limit supply chain vulnerability.