By Fernando Cardoso, Digital Security Specialist at Trend Micro

 

The security of a company depends not only on the organization itself, but also on the security of its IT supply chain and service providers, which represent potential weak points in the security of any organization.
 
Service providers and vendors have been used to compromise large organizations. The Target breach in the United States, for example, began with the compromise of a supplier of heating, ventilation and air conditioning solutions. And this case is just the tip of the iceberg. Many supply chain vendors lack resources or staff dedicated to security: they may not have the tools needed to identify whether they are falling victim to a targeted attack.
 
Threat actors targeting parts of the IT supply chain use a variety of tricks as part of their tactics, techniques and procedures (TTPs). These may include the compromise of source code, firmware, internal websites and portals, in addition to direct access to the networks of trusted suppliers.
 
Some may say that vendor security is not part of a CSO's (Chief Security Officer's) responsibilities, considering that they already have to worry about the security of their own organization. While this may be true, vendor security has a direct impact on the organization's security.
 
Here are 4 basic guidelines:
 
1. Protect your own network
 
Does your organization already have enough defenses against targeted attacks? Are there sensors and an incident response team ready in case of an attack? Are there security solutions both on endpoints and at the network perimeter? Before an organization questions its suppliers about security breaches, it must be sure that its own house is in order.
 
2. Coordinate security policies
 
As much as possible, vendors and customers should have aligned security policies. Inconsistent policies can create security holes in an organization, which an attacker can use for lateral movement to successfully carry out an attack.
 
3. Binary code and firmware audit
 
Patches and update procedures should be reviewed to ensure that a proper audit is performed before new software or hardware is deployed in the organization. Source code audits can find backdoors, plaintext credentials and other potential vulnerabilities. Binary audits can detect tampered files and ensure that only unaltered versions of the software are installed.
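As an added illustration of the binary audit described above (example code written for this page, not a Trend Micro tool), the script below compares a release directory against a vendor-supplied sha256sum-style manifest and reports files that were modified, are missing, or are present but not listed. The release tree, file contents and manifest are constructed inline so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    # Stream the file so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex digest>  <relative path>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, rel = line.partition("  ")
            expected[rel.strip()] = digest.lower()
    return expected

def audit_release(release_dir, manifest_text: str) -> dict:
    """Compare every file under release_dir with the manifest; any entry
    outside 'ok' is a reason not to deploy the release."""
    root = Path(release_dir)
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)       # listed but absent
        elif sha256_of(p) == digest:
            report["ok"].append(rel)            # unaltered
        else:
            report["modified"].append(rel)      # content differs from vendor digest
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unlisted"] = sorted(present - set(expected))  # on disk but not in manifest
    return report

def demo() -> dict:
    """Constructed release tree: one clean file, one altered, one missing, one extra."""
    good = {"bin/agent": b"agent v1.0 binary\n", "bin/updater": b"updater v1.0 binary\n",
            "lib/helper.so": b"helper library\n"}
    manifest = "\n".join(f"{hashlib.sha256(b).hexdigest()}  {rel}" for rel, b in good.items())
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir(); (root / "lib").mkdir()
    (root / "bin/agent").write_bytes(good["bin/agent"])                 # unaltered
    (root / "bin/updater").write_bytes(b"updater v1.0 binary (altered)\n")  # tampered
    (root / "bin/extra-tool").write_bytes(b"not in the manifest\n")     # unlisted; lib/helper.so never written
    return audit_release(root, manifest)
```

In practice the manifest itself must come over a trusted channel (or carry a vendor signature), otherwise an attacker who can alter the binaries can alter the digests too.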
 
4. Coordinate security teams
 
Vendor and customer security teams must work together to protect their overlapping networks. Sharing threat intelligence and holding regular meetings can ensure that all potential threats are dealt with appropriately and as quickly as possible.
 
Companies need to focus on protecting what they consider most important – their business data and their reputation – in a well-planned way. One aspect of data protection that is easily overlooked is how others access your data. If an organization fails to consider this, its data security can become its weakest link. A thorough assessment of security and privacy risks must include the security of third-party IT providers.
 
In addition to the above, vendors must take steps to protect their own systems. There are products designed with the technology needed to help detect threats that arrive via email. Combined with web reputation and advanced sandboxes for inspecting file attachments, these tools can help detect the various threats that try to break into an organization's network.