Categories
Security

Why securing credentials is more important than ever

Passwords. They’re the bane of our existence—whether you work in IT, IS or just have trouble remembering them all. Passwords may have originated as a security measure, but now, at least alone, they’re a liability. Why? Unintentional user negligence and intentional cybercriminal enterprise have rendered the username/password combo, otherwise known as credentials, practically moot.

Thanks to countless years of desks left unattended and phishing scams coercing users into entering their personal information, millions of credentials are readily available to be stolen, sold, and/or leaked online. That’s why credentials—or more importantly, the security measures we use to verify identity and grant access—need protecting now more than ever.

Unfortunately, many businesses continue to rely on outdated credential security models that leave their networks exposed—a situation only exacerbated by remote work.

Securing credentials for the 2022 threat landscape

Once upon a time, before the pandemic ushered in the era of Zoom fatigue and cloud-based-everything, access to the corporate network could be protected by a level of security provided by the four walls of the workplace. Traditional on-premises security inferred onto employees an automatic level of trust. Swipe a badge, gain entry. From there, identity could be verified by simply recognizing a familiar face at work.

This trusted access extended to all systems and networks, empowering organizations to follow the “trust, but verify” model, in which users were given full access to the corporate network once their login credentials—typically just a username and password—were substantiated.

As cybercrime tactics advanced, however, this approach was like handing threat actors the keys to the proverbial castle: If criminals had just one employee’s credentials, they could gain access to the entire corporate network, including sensitive data like financials or employee records.

In fact, cybercriminals have developed a wide range of sophisticated (and some unsophisticated) methods for targeting credentials, ranging from key loggers and credential-harvesting malware to spear phishing and business email compromise. Before the pandemic brought about the mass migration to remote work, organizations were already in need of revamping their credential security to better adapt to modern-day threats.

Remote work further compromises credential security
Enter: the sudden, intense shift of organizations’ entire workforces to the WFH model. It’s no secret that, while beneficial in many ways for businesses and their employees, remote work has dramatically expanded an organization’s threat surface. The sheer number of new, potentially vulnerable access points introduced by remote employees alone—including personal devices, home networks and IoT—would be enough to instigate the type of credential policy change advocated here.

Many work-from-home (WFH) devices and networks are under-secured, with minimal or no identity verification required. A single remote employee might introduce a handful or more of new vulnerabilities: Using a personal laptop without entering credentials. Connecting to the corporate network from a home network that isn’t password-secured. Using a home assistant and smart refrigerator with their default credentials settings still in place.

Add to that a remote workforce that may not be up-to-date on the latest WFH best practices, and you have the perfect recipe for a breach.

Cyber criminals are, unfortunately, well aware that remote work has weakened businesses’ security postures. A steep rise in cybercrime has paralleled the adoption of remote work—especially cybercrime targeting credentials. With compromised credentials cited as the most common cause of security incident, it’s clear that organizations should re-imagine how they protect credentials and prove identity when providing access to their remote employees.

Best practices for credential security today
With cybercriminal tactics for targeting credentials becoming more sophisticated, with users (both on-premises and remote) in need of more acute security awareness, and with WFH environments contributing to a burgeoning collection of new vulnerable access points, it’s time for organizations to follow more contemporary principles of credential security.

Want to get started? The following tools and policies help improve both credential and overall security:

Password hygiene:  Password hygiene remains a problem for most people—two-thirds of users reuse their passwords across multiple accounts; 59 percent use their birthday in their password; 43 percent have shared their password with someone—so it’s no surprise that login credentials alone provide little security.

With criminals increasingly credential stuffing, aka using stolen credentials to access other peoples’ accounts and services, preventing password reuse and requiring stronger, more frequently-updated passwords is a first step in the right direction.

  • Set maximum password age limits to ensure passwords are changed, as well as minimum age limits so they can’t be quickly changed back.
  • Require passwords meet complexity requirements, like containing at least one uppercase and lowercase letter, a number, and a special character.
  • Set minimum password lengths and encourage employees to create long passphrases unrelated to their personal information—so no birthdays, street numbers, names, etc.
  • Use Enforce Password History policies that store old passwords and restrict repetition.

Multifactor authentication (MFA): There are 8.4 billion or more passwords stolen from data breaches that have been leaked online— in a single hacker forum. With criminal access to so many credentials, requiring a second or third layer of identification through MFA helps thwart many attempted cyberattacks. MFA calls for at least two modes of identification, including:

  • Something the user knows, such as a password, PIN number, or answers to personal security questions
  • Something the user has, such as a security token, USB device, smartphone, or other physical object
  • Something the user is, a unique physical characteristic, like fingerprints, voice recognition, facial recognition, or retina scanning

Single sign-on (SSO): Besides credential theft, password fatigue is also a key contributor to security breaches. When users are prompted to change passwords frequently, they often make too-simple alterations, such as swapping one special character for another or capitalizing a different letter of an existing password. In addition, having to remember different passwords for dozens of accounts encourages reuse.

Using SSO authentication—i.e., allowing one set of login credentials to access multiple systems—can mitigate risk by reducing both password fatigue and credential theft. When implemented securely (in combination with MFA), SSO benefits include:

  • Reducing password fatigue by eliminating password re-entry.
  • Minimizing risk of accessing third-party sites because passwords are no longer stored externally.
  • Decreasing the likelihood that users will store passwords insecurely (e.g., by writing them down on post-its).

Businesses looking to further improve credential security should consider adopting the latest thinking in best practices. The prevailing philosophies are:

Least-privileged access: One of the most menacing aspects of credential compromise is that cybercriminals can gain access to your entire network with only a low-level user login. Following a principle of “least-privileged access” helps limit damage that might be done by a hacker or malicious insider with unauthorized access.

Least-privileged access involves restricting users’ access rights to only the data and systems they need to perform specific tasks. Least privileged access can also be used with segregation of duties policies to limit users’ access to specific functions.

Zero trust: Traditional perimeter-based security is no longer enough to protect against modern-day risks to corporate credentials, thanks to cybercriminal innovation in credential-stealing methods and the difficulty organizations now face in verifying the identity of their remote workers.

Employees themselves will always be a security risk—albeit one mitigated by successful security education programs—but now their working environments are unsecured and unmanaged by IT. Even least-privileged access could allow bad actors to gain a foothold into the corporate network. Zero trust offers an even more secure approach.

Zero trust follows a “never trust, always verify” philosophy, where every user and device must be continuously validated before receiving access, and access is only granted upon request. Instead of authorizing broad access to a collection of network resources, zero trust grants access to specific resources on an as-needed basis. Users and devices are never trusted by default, even if they had been connected to company resources before.

Implementing this many layers of credential security may take a great deal of time and money—or it might not be possible for many small businesses or start-ups right now. That’s okay—any small improvement in credential security makes a difference. But understanding the threat landscape and the tools, policies, and philosophies that are best recommended helps organizations develop a credential security model to strive for.

To learn more about password hygiene: https://blog.malwarebytes.com/cybercrime/2019/03/hackers-gonna-hack-anymore-not-keep-reusing-passwords/

For a deeper dive on zero trust: https://blog.malwarebytes.com/explained/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model/

For more information on best WFH practices: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/

Categories
Security

Combat fear fatigue with these security tips

Nearly two years ago, companies around the globe scrambled to support entire workforces strong-armed into remote work practically overnight. For far too many, security was an afterthought — until it was too late. Now, as remote work transforms from novelty to the new normal, organizations must double-down on security efforts. But what if those efforts alienate employees and increase stress instead of alleviating it?

While many employees have expressed a desire to be more secure, as our recent Still Enduring From Home report found, fear fatigue has set in after years of constant concern and change. And that is a vulnerability likely keeping IT and security leaders awake at night.

Why can increasing security cause increased stress and fear fatigue?

How to fight fear fatigue while keeping remote workers secure 

Hybrid and remote work are on their way to becoming permanent fixtures. Yet the digital infrastructure so hastily thrown up two years ago to support the remote workforce now needs a serious security overhaul.

Multiple new access points — many of them weak on or lacking cybersecurity protections altogether — have introduced additional vulnerabilities to an already-taxed system. Users connecting from unsecured home networks, personal computers and mobile phones using shadow IT, haphazard physical environments exposing proprietary data, and unchecked identity and access management policies have left organizations at increased risk of compromise.

As such, it’s time for businesses to sharpen security processes, beef up technical protections, and, most importantly, roll out new forms and frequencies of security training. Security awareness has never been more important.

In fact, many organizations have already taken steps to reduce risk and plug security vulnerabilities introduced by remote work. In Malwarebytes’ recent report, Still Enduring From Home, researchers surveyed 200 IT decision makers to see how organizations fared with remote security measures over an 18-month period.

The results paint an optimistic picture: 74 percent of IT teams have implemented new tools, such as antivirus software, password managers, virtual private networks (VPNs), and two-factor authentication (2FA); 71 percent have introduced new forms of training; and 48 percent have updated their crisis management protocols. Overall, 56 percent of respondents said their organizations have become slightly or significantly more secure since they began working from home.

That’s good news, right? Organizations making moves to boost security is cause for celebration, to be sure. However, the outlook is murkier when examining how employees feel about this increased security. According to the report, they’re fairly well-invested: 83 percent care to some degree about security practices, with 51 percent caring deeply.

However, caring doesn’t always translate to awareness, nor does awareness always result in action. While 62 percent of respondents said their employees are either “very” or “acutely” aware of security best practices, nearly 40 percent range from “aware but not a priority” to “oblivious and risky.”

And while employees care about getting security right, many are also suffering from “fear fatigue.” Nearly 80 percent of the Still Enduring From Home respondents reported some level of fear fatigue or jadedness in their organization. Adrenaline-fueled anxiety and adaptation have left them feeling jaded or overwhelmed, making them vulnerable to simple security mistakes.

Fear fatigue (otherwise known as security fatigue) inspires complacency, and complacency leads to risky cybersecurity behavior, like opening an email attachment without properly scrutinizing the sender or neglecting to turn on a VPN while using public WiFi. Scammers are primed and ready to take advantage of this reduced focus. In fact, organizations should consider “human-proofing” an essential layer of their cybersecurity approach.

According to the Verizon 2021 Data Breach Investigations Report, 85 percent of breaches are caused by people. Employees are an organization’s biggest asset, but they also break the rules and make mistakes — sometimes, costly ones. Mistakes can happen due to distractions (57 percent), stress (52 percent), and general fatigue (44 percent), and employees need protecting, supporting, and keeping safe.

Now, there’s a need to keep remote employees appraised of the increased cyberthreats they face and informed about how to deal with them. This requires an increase in training frequency, and confirmation employees are absorbing that training. However, alarmingly, 27 percent of IT leaders said their employees seem “particularly overwhelmed” by threats and jaded by security procedures.

That’s why organizations need to tread a fine line between equipping their employees and overwhelming them. They must learn to balance cybersecurity education while avoiding fear fatigue.

Easier said than done, I know.

To implement an effective fear fatigue mitigation program, it’s important to first address the generalized stress brought on by nearly two years of living in a deadly pandemic.   

  • Collaborate with employees to figure out strategies, including developing strong social networks and regularly practicing healthy routines.
  • Offer employees mental health days separate from sick or personal days.
  • Provide access to counselors and other mood-boosting activities, such as virtual meditation or yoga classes.

Or take the advice of Tanya Barlow, an IT leader at PROCON, Inc.: “The best approach is to continually practice radical empathy — for others in the workplace and for yourself. You have to be willing to forgive and be flexible. You can’t be too hard on yourself, as we are all still collectively healing. In moments of extreme exhaustion, I think it’s important to take time to reflect and practice mindfulness. Remind yourself of things you’re still grateful for and let go of outdated mindsets, routines, and things that don’t truly matter.”

Organizations must also design cybersecurity programs that take the burden off of employees and counter inadvertent actions that put networks, devices, and data at risk. This can be done in two ways: through security tools designed to protect against human error, and/or more engaging training content and mediums for delivering that training. Organizations should:   

  • Leverage technology to automatically block site visits from users clicking potentially malicious links or to detect and bin spear phishing attempts before the targeted employee sees them.
  • Reinforce security measures often and in a fun way. Phish your own employees. Gamify security trainings.
  • Consider delivering training using different modes of learning, from audio-visual (videos) to kinesthetic (scenario planning).

Employees can feel fatigue from over-communicating, too, so balancing the right amount of communication is key. Remember: There’s no one-size-fits-all approach to managing people, so iterate and check in on employee fatigue regularly. Once you know how to provide folks with the right guardrails, they won’t be so afraid of driving off the road. 

Categories
Security

How to protect against Labor Day ransomware attacks

On the last major American holiday, the fourth of July, IT solutions developer Kaseya announced it had become the victim of a ransomware attack — an attack that cascaded down the software supply chain, impacting more than 1,500 businesses. 

Kaseya aren’t the first and certainly won’t be the last victim of a cyberattack over the holidays. In fact, cybercriminals love to pounce when IT and security teams are out of the office for an extended time, or when employees let their guards down because they’re about to go on vacation. 

That’s why it’s important to stay alert before and during the three-day Labor Day weekend.

Weak IoT security should concern consumers, businesses as adoption increases

Labor Day weekend is nearly here, and I bet many employees’ thoughts have already turned to mini getaways, lazy afternoon binge-fests, or that one last barbeque before the weather turns crisp. Cybercriminals are banking on it, in fact, because the best time to attack is the absolute least convenient time for IT and security teams: weekends and holidays.

In fact, there’s a precedent for weekend and holiday ransomware attacks going back at least to December 2018, when cybercriminals leveled Tribune Publishing and other businesses with Ryuk ransomware on Christmas Eve. However, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement on August 31 warning that they have observed an increase in “highly impactful ransomware attacks” occurring over holidays and weekends in the United States over the last several months.

In the last three months alone, three massive ransomware attacks have taken place on US critical infrastructure on or leading up to holiday weekends. Just before Mother’s Day in May, cybercriminals dropped DarkSide ransomware on Colonial Pipeline, one of the nation’s biggest suppliers of fuel. After DarkSide actors gained access to the Colonia Pipeline network, they encrypted and exfiltrated the company’s data before threatening to publish it, attempting to extort them into paying the ransom. The attack resulted in a week-long suspension of operations, which led to panic-buying, price hikes, and crazy lines at gas stations up and down the east coast.

That same month, JBS, the world’s largest producer of beef and pork, was hit over Memorial Day weekend with Sodinokibi/REvil ransomware. The attack affected all US and Australian meat production plants, causing a complete halt in operations. And of course, IT solutions provider Kaseya suffered its breach and subsequent ransomware attack during the Fourth of July holiday weekend. Threat actors gained access to Kaseya’s remote monitoring and management tool, through which they deployed malicious updates to hundreds of organizations — including multiple managed service providers (MSPs) and their customers.

Ransomware has been on a meteoric rise — so much so that John Oliver devoted an entire segment of his HBO show “Last Week Tonight” to the subject last month. While Oliver blamed ransomware-as-a-service (RaaS), the popularity of cryptocurrency, and countries providing safe havens to cybercriminals as the reasons behind ransomware’s ascension, likely the answer is even more simple. Cybercriminals are opportunistic, and ransomware can easily defeat organizations when they don’t have the proper protection in place. Add to that the fact that IT is usually short-staffed over the holidays, and you have the recipe for disaster.

To avoid the fate of Colonial Pipeline, JBS, and Kaseya, take the following actions before and during Labor Day weekend:

  • Run a deep scan on all endpoints, servers, and any other connected systems to ensure there are no threats waiting to pounce when the lights go off.
  • Make an offline backup of your organization’s most critical data.
  • Run any necessary OS or software updates on endpoints to be sure that known vulnerabilities will not be exploited.
  • Employ stricter access requirements for sensitive data, such as multi-factor authentication (MFA).
  • Shut down all non-essential systems and endpoints on Friday evening.
  • Ensure there is always someone watching the network during the holiday, and make sure they are equipped to handle a sudden attack situation.

For more ways to stay safe from ransomware over the holiday weekend, check out this blog from Malwarebytes Labs: https://blog.malwarebytes.com/101/how-tos/2021/08/how-to-stay-secure-from-ransomware-attacks-this-labor-day-weekend/

For the joint statement by the FBI and CISA on increasing ransomware attacks over the holidays: https://us-cert.cisa.gov/sites/default/files/publications/AA21-243A-Ransomware_Awareness_for_Holidays_and_Weekends.pdf

And to watch the John Oliver episode on ransomware: https://youtube.com/watch?v=WqD-ATqw3js

Categories
Security

Kaseya ransomware strike reveals a disturbing new trend in cyberattacks

Over the same weekend America celebrated its independence, Kaseya, an IT solutions developer for managed service providers (MSPs) and enterprise clients, announced it had become the victim of a cyberattack. But this wasn’t your garden variety ransomware assault. Those days appear to be behind us now.

Once again striking the now-endangered supply chain, cybercriminals leveraged a vulnerability in Kaseya’s VSA software against multiple MSPs and their hundreds of small business customers. Where SolarWinds had only recently gained infamy as the country’s largest supply chain attack, Kaseya is eerily reminiscent—and likely not to be the last.

Kaseya ransomware attack: The new normal

On July 2, MSP solutions provider Kaseya started receiving reports of “suspicious things happening” with its VSA software program, a remote-monitoring and management tool for networks and endpoints. Within an hour, the company had shut down its VSA service.

Kaseya CEO Fred Voccola said that less than 0.1 percent of its roughly 40,000 clients were affected by the breach. However, as a provider of technology to MSPs, which in turn provide services to other companies, Kaseya is at the center of a wider software supply chain. Current estimates are that about 1,500 businesses were impacted downstream.

So how did cybercriminals pull off their attack within an attack? This was no ordinary, broad ransomware campaign sweeping up any enterprise fish it might catch in its net. The attack on VSA customers was delivered through an automatic, malicious update of the platform, which pushed the REvil ransomware variant, also known as Sodinokibi.

In order to access the VSA platform and the MSPs using it, cybercriminals first had to breach Kaseya itself. They did so by exploiting a known vulnerability in Kaseya software that the company was actively working to correct. Kaseya had thankfully already rolled out patches to its SaaS VSA clients. But before on-premise customers could receive their fix, threat actors made their move.

During the attack, cybercriminals shut off administrative access to VSA and disabled several protections within Microsoft Defender. If clients didn’t take their VSA servers offline, they were served the malicious update. And if they didn’t have another security vendor layered on top of Defender, they were treated with a ransom note and all of their files were encrypted. Customers of Malwarebytes were shielded from this attack — and, with features such as tamper protection and uninstall protection enabled, any future such attacks.

On July 4, the criminals behind REvil staked claim to the attack and demanded $70 million from Kaseya in return for a universal key, later amended to $50 million. They asserted that more than a million systems were impacted, yet their key could restore all in less than an hour — both controversial and dubious allegations, at best. Still, there’s no doubt they pulled off one of the largest ransomware attacks in history.

In fact, you know you’ve “made it” as a cybercriminal when your attack is used as bait for other phishing scams. In the wake of Kaseya, Malwarebytes researchers discovered opportunistic carrion fish had launched a malspam campaign to exploit companies eagerly awaiting the VSA patch so they could bring the platform back online. The email contained both a malicious link and attachments that dropped the Cobalt Strike RAT.

By July 12, Kaseya had released its patches, disclosed its vulnerabilities, and brought the majority of its VSA servers back online. However, the company remained mum on whether or not it would pay the ransom. The REvil affiliates behind the attack could go around Kaseya to negotiate with each of the 1,500 businesses affected. However, threat actors may be wary of creating thousands of “paper trails” on the Bitcoin blockchain now that law enforcement have trained their eye on cryptocurrency as a means of attribution.

Unfortunately, these more aggressive efforts by authorities don’t appear to be slowing or scaling down cyberattacks — at least, not yet. Assaults against organizations have increased steadily in frequency, volume, and sophistication over the last five years — from exploiting vulnerabilities to breach a single enterprise to using such vulnerabilities to gain administrative access to software used by tens of thousands of companies and their millions of customers.

These cascading attacks on supply chain software like SolarWinds and Kaseya are two data points in a greater, more worrying trend: Organizations are increasingly dependent on Internet-connected remote administration tools, and those tools are rife with flaws. Threat actors are aware of both, and we can expect them to continue to target and exploit those flaws, all while creating chaos in the supply chain, disrupting operations, and raking in the Bitcoin.

Security administrators can no longer look away from a problem that impacts the very tools they rely on to do their jobs. They must identify and ensure all known vulnerabilities for software products used in their organization are patched as soon as possible, and vet new software with an eagle eye. Consistent testing, communicating with employees and customers, and updating IT tools and servers — as well as implementing multiple layers of security — is the type of vigilance required to stave off massive breaches. And even then, it’s no failsafe unless the rest of the security community steps up to meet the challenge of cascading cyberattacks.

We need more security researchers and security-conscious developers to devote time and effort to combatting today’s vulnerabilities and preventing future, similarly-flawed products from entering the market. Software engineers must take greater care with borrowing outdated code from online repositories without testing for errors, such as weak encryption or default passwords. Vendors should also invite third-party reviewers to analyze source code created in-house before providing clients with a software bill of materials itemizing components and vulnerabilities.

The cooperation doesn’t stop there. Countries should better incentivize independent security research so analysts aren’t afraid to report their findings. Bug bounty programs are well and fine, but often their payments aren’t substantial enough to subvert dealings on the gray or black market. This $10 million reward offered by the US government for information leading to the identification or location of a nation-state threat actor is a healthy start, though.

What’s clear is that individuals — and even well-stacked IT departments — can no longer be solely responsible for their own cyber protection. To truly combat these increasingly sophisticated cascading attacks in the future, it will require an institutional shift in thinking that brings the top security minds together in lockstep.

We’ll need international cooperation and aggressive action from government and law enforcement. 360-degree security up and down the supply chain, branching out to fourth- and fifth-tier parties. Smart and secure development of Internet-connected software, as well as layers of security to stop breakthrough breaches. And a collective awareness by all that cybercrime has evolved and we can no longer turn the other cheek.

To learn more about the technical details of the Kaseya attack, check out this blog from Malwarebytes Labs: https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/

Categories
Security

Shore up supply chain security (now say that 5x fast)

Supply chain security was once a backburner issue, if an issue at all. But for the last 15 months, the security industry has had to face the music on supply chain risk—and it’s not going away soon.

From extended shipping delays to empty store shelves, we’ve collectively experienced firsthand what happens when the supply chain breaks down (panic, at best). As more and more industries digitize, having a strong cybersecurity posture becomes a pivotal link in that chain.

How to protect against supply chain security risk

Supply chains have been pelted over the last 15 months with an ongoing barrage of volatility. The COVID-19 pandemic dramatically shifted demand while pushing employees out of traditional offices and into their homes. Growing trade conflicts rendered supply chain hardware and software at risk of weaponization. And significant changes in industrial regulation heaped expensive penalties and restrictions on already-stressed businesses.

In other words, conditions were ripe for cybercriminals to wreak havoc. While consumers and organizations worried about disruptions to actual supplies, security teams around the world—including those at SolarWinds—missed the big red flag of data access risk by adversaries all-too-happy to compromise sub-tier suppliers to get to the big game. Meanwhile, for organizations dependent on suppliers (all of them), the hurricane of uncertain market forces and economic turmoil was strengthened by an increasing number of sophisticated cyberattacks.

That’s likely why cybercrime was at an all-time high in 2020, bolstered by confusion and fear brought on by the pandemic. This year, high-profile ransomware attacks on vital infrastructure, such as the Colonial Pipeline and JBS breaches, continue to underscore the need to confront supply chain security challenges with unique solutions. Only by combining the resources and brainpower of security professionals with other strategic thinkers across disciplines, in private and public sectors, can we properly address supply chain security.

Public sector: laws, law, and order

Luckily, that sort of collaboration has already begun. The public sector stepped up to the cyber plate, with action happening in the state legislature up to the executive branch. On the law enforcement side, crackdowns on malware families and ransomware gangs have ticked up in 2021, with Emotet finally defeated in a multi-country, multi-agency effort, and Clop ransomware taken down by investigators from Ukraine and South Korea.

While the US government has historically lagged on technology regulation, the pace has quickened recently with several new laws and an executive order introduced to improve cybersecurity infrastructure and data privacy, as well as bring together disparate groups for better security alignment—particularly for those devices and software used in supply chains.

On May 12, President Joe Biden signed an Executive Order (EO) with sweeping proposals to upgrade federal cybersecurity, including massive changes to its procurement processes, such as requiring that suppliers provide a Software Bill of Materials (SBoM) to help organizations manage risk and learn which vulnerabilities exist in the products they use.

In addition, the EO includes a set of criteria to evaluate the security practices of developers and suppliers, and it proposes a labeling system to identify vendors that have gone above and beyond the baseline, essentially codifying resilience as a competitive edge.

The IoT Cybersecurity Improvement Act, meanwhile, aims to tighten up standards for IoT devices owned or operated by the federal government. The bill directs the National Institute of Standards and Technology (NIST) to draft and publish IoT standards with a focus on secure development, identity management, patching, and configuration. After NIST publishes its guidelines, contractors and vendors must follow up by publishing coordinated vulnerabilities disclosure policies.

Then there are the many data privacy bills that have been introduced in the less than five years since the California Consumer Privacy Act (CCPA) blazed the way in the US. Data privacy and asset management are two areas of upmost importance for supply chain security, and they happen to be central to much of the recent regulatory action happening in Congress.

A major risk factor for sharing data across technology platforms with suppliers is the unknown degree to which that data is secure and private—especially at the sub-tier level.
Since the CCPA was introduced in 2018, 29 other states have proposed data privacy bills mostly centered on consumer rights.

A federal data privacy law introduced in March 2021 would, if passed, provide businesses with a consistent, comprehensive national data privacy infrastructure. In preparation for these data privacy laws, organizations should begin a dialogue with their data teams to assess risk and ensure compliance.

Public sector: regulations and sanctions

If one of the greatest risks on the digital supply chain is unfettered data access, what happens when you share data with international entities known to use information technology to surveil, repress, and manipulate foreign and domestic groups? Over the last two years, the US government has sought to come down on suppliers from countries with authoritarian digital policies.

Recent regulations and sanctions by the Departments of Defense, Treasury, and Commerce on industrial suppliers (primarily in China) therefore help to reduce digital supply chain risk, as well as physical. According to Andrea Little Limbago, PhD, Vice President of Research and Analysis at Intero in her RSA presentation “Supply Chain Resilience in a Time of Techtonic Geopolitical Change,” the US is increasingly employing industrial policy as a tool of economic statescraft.

In 2019, the Department of Defense levied prohibitions on five Chinese companies and their affiliates. That same year, the Department of Treasury doled out financial penalties exceeding $1 billion.

Between 2019–2020, the Department of Commerce added over 350 Chinese-based companies to a list of those not allowed in the supply chain for such violations as possible connection to weapons of mass destruction and human rights concerns. In 2021, expect more to be added from other countries, such as Russia and Saudi Arabia.

Between all the new laws regulating procurement process, data privacy, access management, and even secure development, organizations will have their hands full with domestic compliance alone. Add to that keeping an eye on economic sanctions levied against international suppliers, and it’s looking to be another insane year for enterprise cybersecurity.

However, it’s important to keep in mind that the standards put forth by these bills and regulations often represent a minimum security requirement for organizations. Lowest common denominator won’t cut it against the combined forces weaking organizations’ supply chain security. That’s why IT and security professionals must apply due diligence to protect against supply chain risks. A few recommended steps:

  • Ensure that your partners and suppliers are also secure by auditing existing suppliers for risk and evaluating new suppliers’ security during the acquisition process.
  • Prioritize asset management by tracking all data stored, segmenting networks, and restricting access to the most sensitive data.
  • Catalogue the software products used at your organization and document their components (and vulnerabilities) in SBoMs.
  • Share SBoMs or other attestations using a standardized set of repositories and channels called a Digital Bill of Materials (DBoM).
  • Conduct scenario planning with tabletop war games or an internal think tank. Don’t forget to test both digital and physical worst-case scenarios.

For more information on supply chain security, read this article from CPO Magazine: https://www.cpomagazine.com/cyber-security/recent-cyber-attacks-signal-alarm-for-better-supply-chain-security/

To learn how the US government plans to crack down on ransomware attacks on the supply chain and other vital infrastructure, check out this article on Malwarebytes Labs: https://blog.malwarebytes.com/malwarebytes-news/2021/06/ransomware-to-be-investigated-like-terrorism/

A TLDR version of President Biden’s Executive Order on Improving the Nation’s Cybersecurity: https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/