Yuriy Bulygin, the CEO and co-founder of Eclypsium, has highlighted the growing security threat that vulnerabilities within the hardware and software infrastructure supply chain pose to organizations worldwide. Even with proper precautions in place, a critical vulnerability in a trusted supplier’s infrastructure can provide attackers with an entry point to wreak havoc on a network. In response to this threat, security teams must take practical steps to ensure the integrity of their digital supply chain.
Six steps are outlined to help mitigate supply chain risks. Firstly, organizations should start by creating a bill of materials (BoM) for hardware, software, and firmware to have a comprehensive inventory of all underlying artifacts. Never trusting but always verifying the authenticity and integrity of critical hardware and software is crucial. Assessing and establishing vendor risk benchmarks, demanding proof of security measures, being proactive in monitoring for threats, and allocating budget to supply chain protection are also essential steps in mitigating risks.
The importance of prioritizing response to threats that can cause significant damage, such as infrastructure-based attacks that can disrupt critical equipment, is emphasized. Recent zero-day attacks on leading device manufacturers and disclosed vulnerabilities in organizations like Ivanti, Citrix, Juniper, and Fortinet highlight the urgency for addressing supply chain vulnerabilities. Security leaders must ensure that infrastructure-based attacks are prevented to safeguard against the potential bricking of equipment across the supply chain.
Security teams are advised to engage with vendors with a strong track record of minimal vulnerabilities and product security protocols, adopt agile internal processes, and select vendors and products based on security performance and commitment. Vendors should be required to provide evidence and artifacts to verify the integrity of their products, attest to the security of their upstream suppliers, and integrate third-party components securely. Proactive measures, such as monitoring for changes in component integrity, detecting threats, and allocating budget to supply chain protection, are crucial for safeguarding against supply chain attacks.
Despite the potential severity of supply chain vulnerabilities, a survey found that only 4.5% of IT security budgets are allocated to addressing these threats. The importance of investing more heavily in supply chain protection is emphasized, especially as 2024 is expected to see device manufacturers disclosing critical vulnerabilities in their products. Ensuring trust in complex and interconnected supply chains is essential for business continuity and national security. The availability of tools and technology to provide assurance in supply chain security highlights the need for businesses to take proactive steps in addressing these vulnerabilities.
