The 2021 Report on the SolarWinds Cyber Espionage Attack and Institutions’ Response published by the New York State Department of Financial Services (“Report”) commences with a stark warning: “The next great financial crisis could come from a cyber attack.”
“The SolarWinds Attack is, to date, the most visible, widespread, and intrusive information technology (‘IT’) software supply chain attack – i.e., a cyber attack that corrupts IT software and uses that software as an attack vector. Supply chain attacks are dangerous because the malware is embedded inside a legitimate product, and because supply chain attacks can allow an attacker to access the networks of many organizations in a single stroke.”
I have also observed another stream of “supply chain” attacks on the rise, which instead of targeting software, target large (IT) consulting firms.
A clear pattern can be observed: the attack vectors are the consultants, who typically have access to the IT systems of their clients. Once the attacker is inside a client's systems, lateral movement and privilege escalation follow, and control of the client's systems is obtained. In this case, the attack vectors are not legitimate products but legitimate consultants, permitting an attacker to access the networks of multiple organizations.
These kinds of attacks, whether performed through software or through people, underline the importance of a robust third-party risk management approach.
The Report from the New York State Department of Financial Services referenced above confirms that the following five cybersecurity measures are critical practices:
1. Third-Party Risk Assessment and Management
Cyber and data security/protection due diligence activities should be carried out by organizations before engaging third-party service providers. Robust contractual provisions should be in place to:
(a) allow organizations to monitor the cybersecurity practices and the overall cyber hygiene of critical third-party service providers (e.g., through regular audits);
(b) have third-party service providers/vendors represent and warrant that they will keep a good cyber and data security/protection compliance posture throughout the entirety of the business relationship;
(c) mandate third-party service providers/vendors to promptly (a clear timeline should be agreed!) notify the organizations when a cyber and data security/protection incident occurs and to collaborate in managing the incident.
2. “Zero Trust” and Multi-layered Security
In their risk assessment and risk management programs, organizations should assume that any software installation and any third-party service provider could be compromised and used as an attack vector. In this respect, the principle of least privilege (according to which users are given the minimum levels of access/permissions needed to perform their activities) is key. This is true from both the cybersecurity and the data protection perspectives (see the related principles of data minimization and proportionality). Last but not least, organizations should implement layered security on information/data (especially for sensitive data) so that if one layer is compromised, other controls can detect and/or prevent intrusions.
3. Timely and Regular Patch Deployment, Testing and Validation
Patch testing, validation processes, and deployment should be prioritized by organizations, including defined rollback procedures if a patch creates or exposes additional vulnerabilities.
4. Incident Response Plans
Organizations should have in place effective and tested incident response plans with detailed procedures, which need to be coordinated with the relevant business continuity plans. Incident response plans should include (at the very least) the following to address supply chain compromises or attacks:
- Procedures to isolate affected systems;
- Procedures to reset account credentials for users of all affected assets and users of assets controlled by compromised software;
- Procedures to rebuild from backups created before the compromise;
- Procedures to archive audit and system logs for forensic purposes; and
- Procedures to update response plans based on lessons learned.
A pre-condition for effective incident response plans is for an organization to know its environment. This includes taking stock of the assets that reside in the environment – including their versions and configurations – and enabling timely notifications when changes occur, in order to mitigate damage and assist with remediation in a timely manner.
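The "know your environment" pre-condition above (an inventory of assets with their versions and configurations, plus timely notification when something changes) is concrete enough to illustrate. The following script is an added example and not code from the Report or from the post's author: it keeps a baseline inventory, fingerprints each asset's configuration, compares a fresh snapshot against the baseline and emits one notification per change (new or missing asset, software version change, configuration drift). The asset records, hostnames, package names and configuration keys are all constructed sample data, not values from any real environment.

```python
"""Asset inventory baseline and change detection (added example, constructed data)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    software: Dict[str, str]  # package name -> installed version
    config_hash: str          # SHA-256 of the normalized configuration


def config_fingerprint(config: dict) -> str:
    """Hash a configuration so that key order does not produce spurious drift."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_inventory(records: List[dict]) -> Dict[str, Asset]:
    """Turn raw inventory records (e.g. from an agent or CMDB export) into Asset objects."""
    inventory: Dict[str, Asset] = {}
    for rec in records:
        inventory[rec["asset_id"]] = Asset(
            asset_id=rec["asset_id"],
            hostname=rec["hostname"],
            software=dict(rec["software"]),
            config_hash=config_fingerprint(rec["config"]),
        )
    return inventory


def diff_inventories(baseline: Dict[str, Asset], current: Dict[str, Asset]) -> List[dict]:
    """Return one event per observed change between the baseline and the current snapshot."""
    events: List[dict] = []
    for aid, asset in current.items():
        if aid not in baseline:
            events.append({"type": "asset_added", "asset_id": aid, "hostname": asset.hostname})
            continue
        old = baseline[aid]
        # Version changes matter for both patch validation and supply chain compromise:
        # an unexpected upgrade of a vendor component deserves a look either way.
        for pkg, ver in asset.software.items():
            if pkg not in old.software:
                events.append({"type": "software_added", "asset_id": aid, "package": pkg, "to": ver})
            elif old.software[pkg] != ver:
                events.append({"type": "version_changed", "asset_id": aid, "package": pkg,
                               "from": old.software[pkg], "to": ver})
        for pkg, ver in old.software.items():
            if pkg not in asset.software:
                events.append({"type": "software_removed", "asset_id": aid, "package": pkg, "from": ver})
        if old.config_hash != asset.config_hash:
            events.append({"type": "config_drift", "asset_id": aid, "hostname": asset.hostname,
                           "from": old.config_hash[:12], "to": asset.config_hash[:12]})
    for aid, asset in baseline.items():
        if aid not in current:
            events.append({"type": "asset_removed", "asset_id": aid, "hostname": asset.hostname})
    return events


def format_notifications(events: List[dict]) -> List[str]:
    """Render events as one-line notifications suitable for a ticket or alert channel."""
    lines = []
    for e in events:
        detail = " ".join(f"{k}={v}" for k, v in e.items() if k != "type")
        lines.append(f"[INVENTORY CHANGE] {e['type']}: {detail}")
    return lines


# Constructed sample data: two hosts in the baseline, one of which changes, one disappears,
# and a new host appears in the current snapshot.
BASELINE_RECORDS = [
    {"asset_id": "srv-001", "hostname": "app01.example.internal",
     "software": {"monitoring-agent": "2020.2.1", "openssl": "1.1.1k"},
     "config": {"remote_admin": False, "log_forwarding": "siem.example.internal"}},
    {"asset_id": "srv-002", "hostname": "db01.example.internal",
     "software": {"postgres": "13.3"},
     "config": {"remote_admin": False}},
]
CURRENT_RECORDS = [
    {"asset_id": "srv-001", "hostname": "app01.example.internal",
     "software": {"monitoring-agent": "2020.2.5", "openssl": "1.1.1k"},
     "config": {"log_forwarding": "siem.example.internal", "remote_admin": True}},
    {"asset_id": "srv-003", "hostname": "jump01.example.internal",
     "software": {"openssh": "8.4"},
     "config": {}},
]


def run_example() -> List[dict]:
    """Compare the constructed snapshots and return the change events."""
    return diff_inventories(build_inventory(BASELINE_RECORDS), build_inventory(CURRENT_RECORDS))


if __name__ == "__main__":
    for line in format_notifications(run_example()):
        print(line)
```

In practice the baseline would be persisted (for example as JSON written after a validated patch window) and the snapshot gathered by whatever agent or CMDB the organization already runs; the diff logic stays the same. Hashing the configuration rather than storing it whole also keeps secrets out of the change log while still revealing that something changed.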
5. Training
I cannot stress enough the crucial importance of training. In general, in order to increase preparedness and awareness concerning the primary cyber and data security/protection threats, organizations should put in place effective training programmes for all staff members.
More specifically, when it comes to supply chain attacks, it is very important to dedicate special attention to the procurement department, so that the relevant functions are aware of the preventive controls and specific contractual stipulations before purchasing third-party services and/or products (see point 1 above). Furthermore, specific training dedicated to the incident response team is crucial to ensure prompt and effective incident responses in coordination with business continuity plans (see point 4 above).
These five critical practices fit within the fundamental concept of cyber and data security/protection by design. Adopting a by-design approach to security means integrating security best practices into the modus operandi of the organization on the organizational (in terms of building a culture of security awareness inside the organization), operational (in terms of operationalizing security best practices aiming at de facto back-to-back security along the whole value chain) and technical levels (also in terms of the design of products and services which should take security into account).
From a business perspective, such an approach will contribute to reducing long-term costs of data breaches and security incidents and help organizations to become more reliable and trustworthy with respect to consumers and business partners, hence enhancing their businesses. Moreover, cyber and data security/protection by design is not only an international standard and a legal compliance requirement, but also a fundamental prerequisite for the socially responsible behavior of organizations participating in the data-driven economy and society, representing a new fundamental element of organizations’ ESG frameworks as we move towards a sustainable and responsible future.