
In 2020, the SolarWinds exploit ignited concerns about third-party risks, and in 2021, the Kaseya hack and Log4J vulnerability fanned those flames. Third-party risks ripple through the supply chain, affecting vendors, their partners and their customers. These risks have become so pervasive that the Biden administration is introducing new requirements for enhanced transparency. In the case of a crisis involving third-party software vulnerabilities, visibility and transparency are key – and that requires preparing ahead of time.
Vulnerabilities and exploits are the bread and butter of cybersecurity research. Researchers work diligently to discover vulnerabilities, ideally so that they can be patched before attackers exploit them. Yet, according to White Hat, it takes an average of 205 days to fix critical cybersecurity vulnerabilities, while HP research reports that attackers begin exploiting these vulnerabilities within days. For any given vulnerability, an organization may be exposed to attack for at least six months – and that assumes it has visibility into the vulnerability in the first place.
You Don’t Know What You Don’t Know
The SolarWinds breach is the worst-case example of third-party risk, underscoring the importance of visibility. SolarWinds was breached in early 2020, and attackers compromised its IT monitoring software, Orion, with a Trojanized update. Subsequently, SolarWinds pushed this update to as many as 18,000 customers with a back door that was so hard to detect that security experts suspect the full extent of this attack will never be known. In fact, the breach remained undetected until December 2020, when FireEye research revealed that SolarWinds had fallen victim to a cyber-attack.
The attack impacted many Fortune 500 companies, including Microsoft, Cisco, and Intel, and multiple agencies within the United States government, such as the Department of Homeland Security and the Office of Personnel Management. The long-term consequences of this attack will continue to be felt for years to come, because the nature of SolarWinds' IT monitoring software means that the attackers could easily have mapped out the IT systems of some of the biggest companies and most important government agencies.
The attack was so significant that it spurred a response from the Biden administration, which sanctioned Russia for its involvement (Microsoft has attributed the attack to the Russian hacking group Nobelium). The Biden administration also announced an executive order, which introduced new requirements for software vendors to provide a software bill of materials (SBOM) for software sold as part of the federal procurement process. An SBOM is essentially a list of software components, so that organizations can obtain more visibility into third-party risks in their software supply chain. Read more: https://bit.ly/3M8bAEJ