Keep Track of Your Agency’s IT Vendors
Today, federal agencies rely upon hundreds, if not thousands, of vendors to provide components of their technology infrastructure. Agencies use billions of lines of code to power everything from routers, switches and firewalls to software that runs programs for jobs as varied as tax calculations and environmental modeling.
Cybersecurity teams seeking to secure their supply chains must first build and maintain an inventory of all the moving parts that make up their technology ecosystems. Knowing all the details about what’s in place is critical to nipping supply chain attacks in the bud.
In the aftermath of the SolarWinds breach, cybersecurity teams quickly searched for vulnerable deployments within their scope of control. This was a relatively easy task, because the company’s products are typically large-scale purchases made by networking teams.
History tells us that not all attacks will be this easy to analyze. The Heartbleed vulnerability of 2014 in the OpenSSL cryptographic library was particularly difficult to track down. Most OpenSSL users don’t know that they rely on the package; the open-source library is bundled into many other software packages that require secure communications.
Tracking these second-order dependencies is a crucial component in building a supplier inventory. Agencies need to know not only what suppliers they use directly, but also what suppliers their vendors rely upon.
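The second-order tracking described above can be run as a query over the inventory itself. The following is an added example, not part of the original article: the product names, vendors and the `uses` field are constructed for illustration, and the code walks the inventory backwards from one component to every product that relies on it, directly or through another vendor's package.

```python
from collections import deque

# Constructed sample inventory (hypothetical products and vendors).
# "uses" lists the components each product bundles or links directly.
INVENTORY = {
    "tax-calc-suite":   {"vendor": "Vendor A", "uses": ["report-engine", "db-connector"]},
    "report-engine":    {"vendor": "Vendor B", "uses": ["tls-wrapper"]},
    "tls-wrapper":      {"vendor": "Vendor C", "uses": ["openssl"]},
    "db-connector":     {"vendor": "Vendor D", "uses": []},
    "vpn-appliance":    {"vendor": "Vendor E", "uses": ["openssl"]},
    "env-model-runner": {"vendor": "Vendor F", "uses": ["db-connector"]},
    "openssl":          {"vendor": "OpenSSL Project", "uses": []},
}

def affected_by(inventory, component):
    """Map each product that relies on `component`, directly or
    transitively, to the dependency path that leads to it."""
    # Invert the edges: component -> products that use it directly.
    used_by = {}
    for name, entry in inventory.items():
        for dep in entry["uses"]:
            used_by.setdefault(dep, []).append(name)

    paths = {}
    queue = deque([(component, [component])])
    while queue:
        current, path = queue.popleft()
        for parent in used_by.get(current, []):
            # Skip products already reached; this also stops on cycles.
            if parent in paths or parent == component:
                continue
            paths[parent] = [parent] + path
            queue.append((parent, paths[parent]))
    return paths

def report(inventory, component):
    """One line per affected product, marking direct vs. deeper use."""
    lines = []
    for product, path in sorted(affected_by(inventory, component).items()):
        kind = "direct" if len(path) == 2 else "second-order or deeper"
        vendor = inventory[product]["vendor"]
        lines.append(f"{product} ({vendor}): {kind}: {' -> '.join(path)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(INVENTORY, "openssl")))
```

In this constructed inventory, the tax suite never lists the library as a supplier, yet the walk reaches it through two intermediate vendors.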
Stay on Alert for Emerging Security Threats
In the world of cybersecurity, information is power. New vulnerabilities and exploits spread rapidly, and agencies that respond quickly to security alerts decrease the likelihood of compromise.
For this reason, agency cybersecurity teams should develop formal processes for both remaining in close contact with vendors and monitoring vendor security bulletins. Vendors may not be able to contact agencies every time there is a critical outbreak — especially one they may be dealing with themselves — but security bulletins arrive automatically.
Agencies can subscribe to a vendor’s security mailing list using an email address that automatically opens a ticket in the team’s incident tracking system. When new vulnerabilities arise, the arrival of the bulletin will trigger a ticket that someone on the team must address, creating both accountability and a paper trail.
In addition to using these formal support mechanisms, it’s also a good idea for agencies to develop personal relationships with the vendors that they rely upon the most. That helps put an agency at the top of a vendor’s call list when a crisis occurs.
Follow Cybersecurity Incident Response Plans
No matter how well teams prepare, the next supply chain attack is virtually inevitable. In addition to putting controls in place to protect against that attack, teams should also develop comprehensive response plans that help their agency maintain operations while they recover from the next attack.
Fortunately, federal agencies already have cybersecurity incident response plans in place, and these plans should serve them well in the event of another supply chain cybersecurity incident.
These plans should follow the four-step process detailed by the National Institute of Standards and Technology in its Computer Security Incident Handling Guide: prepare for future response efforts; detect potential incidents and perform initial analysis; contain the damage, eradicate the effects and recover operations; and conduct after-action sessions and other post-incident activities to see how the process can be improved.
Agencies should also coordinate with other federal incident response teams during a potential supply chain attack. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency leads cybersecurity incident response efforts across the federal government and plays a crucial role in facilitating these connections.
Supply chain security incidents pose a significant risk to agency information and systems because they infiltrate agencies through highly trusted mechanisms.
Agency cybersecurity teams should put policies and practices in place now to reduce their exposure to these incidents and improve their ability to respond to future supply chain attacks.