MANAGING CYBER RISK IN THE SUPPLY CHAIN

How .trust simplifies the validation of trusted supply partners

Author: Gunter Ollmann, CTO

INTRODUCTION

In today’s highly competitive business world the speed at which an organisation can bring new products to market and the agility of its supply chain to produce or procure the core components of their offering are increasingly seen as definitions of success.

For most organisations Internet-based communications and online management technologies lie at the heart of their demanding and time-sensitive supply chains. Businesses that have forged trusted relationships with their suppliers are able to remotely interact with key purchasing, logistics, and control systems as if they were internal employees – simplifying processes, quickening responses, and reducing costs.

These complex and intricate relationships, while bringing great efficiencies to the supply chain, also expose businesses to a realm of new Internet-borne risks. Failure to adequately secure business communications, access credentials, web portals, and other critical Internet-accessible services offers cyber criminals an easy route into an organisation and anonymous access to core business systems. The integrity of an organisation’s systems is now dependent upon the security and integrity of its trusted suppliers and its suppliers’ suppliers.

Verifying the robustness of a supplier’s systems to Internet threats and evaluating its adherence to industry best practices in Internet security has traditionally been a difficult and costly exercise. The new .trust domain service and associated community – with continual monitoring against the .trust technical policy – dramatically simplifies this task across the whole supply chain.

All Rights Reserved. © NCC Group 2015. NCC Group Whitepaper.

COST OF ASSESSING SUPPLIER SECURITY

The intricate relationship between an organisation and its suppliers as they share information and access to business systems comes at a cost. In order to ensure the security and integrity of their suppliers, many organisations rely heavily upon a number of internal verification and audit processes that are expensive and resource intensive for both sides of the relationship.

Most large organisations have been forced to add rigorous validation steps to their supplier management process in an attempt to reduce the risk of cybercrime and online fraud by preventing attackers from piggy-backing on the trusted relationship. These steps, while well-intentioned, have done very little to reduce or even manage the exposure a business faces from known Internet attack vectors.

They are typically an annual exercise involving questionnaires and possibly audits. Heavy reliance is placed on the supplier’s own cyber risk skills and choice of service provider.

If we’ve learned anything over the last five years about mega breach disclosures, it is that trusted suppliers (both big and small) tend to present a softer target to an attacker and consequently an easier route to core business systems and the saleable information held by the ultimate target of the attack.

The costs of managing the security of suppliers are often not transparent to an organisation. Typical supplier integrity checking processes include the following:

• Negotiation and agreement on supplier contracts that specifically call out minimum insurance and liability amounts – requiring copies of insurance documents to be received, reviewed, validated, and stored.

• Verification of internal governance and data management policies – requiring the supplier to complete self-certified questionnaires and nominally supply copies of relevant policies for review and storage by the procuring organisation.

• Review and acceptance of industry-specific certification reports such as PCI and ISO 27001 – requiring the supplier to invest in third-party assessment against minimum certification criteria, and the receiver to review, validate, and store copies of the certification.

• Annual penetration testing reports of web services – requiring third-party assessment and reporting, trust in the supplier of the report, trust in the coverage of the testing, trust in the scope of the management summary, and safe storage of the report.

• Annual code reviews of core products – requiring automated testing of the source code of key software products and portals offered by the supplier, review of the technical test results, and safe storage of the report.


CONSISTENT FAILURE

The traditional processes of verifying the security and integrity of a supplier and its place in the supply chain, while robust in principle, consistently fail to protect an organisation targeted by professional cyber criminals or even opportunistic intruders.

There are two core problems:

• Timeliness – Just as your business advances throughout the year, so do hackers and the tools they use to exploit weaknesses in Internet-accessible systems. Annual penetration tests, code reviews, certifications, and audits provide at best a point-in-time snapshot of the security of a supplier. Throughout a typical year hundreds of vendor patches are released, thousands of new vulnerabilities are disclosed, and millions of lines of new code are created. The delta between “what was and what is” grows with each passing day – greatly increasing the risk of compromise.

• ‘Minimum bar’ certification – It’s an easy trap for organisations to demand compliance with common industry certifications. At best, these certifications represent the minimum level an organisation needs to attain. In practice they have been shown to be a fairly inconsequential hurdle that a clever and resourceful attacker will overcome. Furthermore, many such certifications still rely on subjective interpretations of what constitutes compliance.


THE SUPPLY CHAIN HIGH BAR

Any organisation with Internet services operating under a .trust domain name is currently in compliance with the .trust technical policy and will have reached the high bar in Internet security. Suppliers that provide their services via a .trust domain are therefore already operating above and beyond any generic industry certification standard, and demonstrably take both their own and their customers’ security very seriously. As a consequence, the supply chain validation process is simplified and assurance increased in the following ways:

• Any business providing online services or communicating via a .trust domain employs the highest level of security and is proven to be following industry best practices.

• .trust members are continually assessed for compliance against the .trust Technical Policy – replacing the prospect of a single point-in-time snapshot of security compliance.

• Services that fail in their .trust compliance and could represent a threat to other members of the .trust community may be suspended.

• A single, objective, technically verifiable standard for a supplier to strive for and achieve. While higher than many past client requirements, achieving .trust compliance means that the security criteria of all clients are met simultaneously.

• The overhead for managing compliance verification is removed. Continual scanning and monitoring of all .trust services is a core tenet of the service.


SIMPLIFYING SUPPLY CHAIN SECURITY WITH .TRUST

The complexity of managing the verification of a supplier’s security posture, and the cost of applying that process to dozens or hundreds of suppliers around the globe, is burdensome and is a pure cost to the business. Similarly, suppliers that must respond to similar but unique requests from hundreds of their clients, and provide proof of achieving each stipulated security or audit criterion, carry an equal and costly burden. Neither member of the supply chain benefits from the traditional model.

Securing the supply chain or, at the very least, simplifying the process of validating the security and integrity of members of the supply chain, can be achieved more efficiently through third-party involvement in which a single high bar of security is accepted and applied.

NCC Group’s .trust domain service is designed to simplify and strengthen the integrity of today’s complex supply chains.

Through .trust, member organisations are continually monitored and assessed against one of the highest bars in Internet security – the .trust Technical Policy. This public policy encapsulates best practices in security, is overseen by a board of international experts in Internet security and hacking techniques, and is updated throughout the year to reflect advances in best practice security recommendations.

Not beholden to a single or proprietary scanning engine, the .trust service utilises multiple best-of-breed vulnerability and code scanners from trusted security vendors to continually monitor all devices and services a .trust member operates under its .trust domain names. Services that fail to achieve or maintain compliance with the .trust technical policy will be suspended if they represent a threat to the .trust community but, more importantly, all members of the supply chain gain assurance daily that the community is actively managing cyber risks instead of relying on an annual snapshot.


www.nccgroup.trust

@nccgroupplc