
MANAGING CYBER RISK IN THE SUPPLY CHAIN
How .trust simplifies the validation of trusted supply partners
Author: Gunter Ollmann, CTO

INTRODUCTION

In today's highly competitive business world the speed at which an organization can bring new products to market, and the agility of its supply chain in producing or procuring the core components of its offering, are increasingly seen as definitions of success. For most organizations Internet-based communications and online management technologies lie at the heart of their demanding and time-sensitive supply chains. Businesses that have forged trusted relationships with their suppliers are able to remotely interact with key purchasing, logistics, and control systems as if they were internal employees, simplifying processes, quickening responses, and reducing costs.

These complex and intricate relationships, while bringing great efficiencies to the supply chain, also expose businesses to a realm of new Internet-borne risks. Failure to adequately secure business communications, access credentials, web portals, and other critical Internet-accessible services offers cyber criminals an easy route into an organization and anonymous access to core business systems. The integrity of an organization's systems is now dependent upon the security and integrity of its trusted suppliers and its suppliers' suppliers.

Verifying the robustness of a supplier's systems against Internet threats and evaluating its adherence to industry best practices in Internet security has traditionally been a difficult and costly exercise. The new .trust domain service, and the associated community that is continually monitored against the .trust Technical Policy, dramatically simplifies this task across the whole supply chain.

NCC Group Whitepaper 2

COST OF ASSESSING SUPPLIER SECURITY

The intricate relationship between an organization and its suppliers, as they share information and access to business systems, comes at a cost. In order to ensure the security and integrity of their suppliers, many organizations rely heavily upon a number of internal verification and audit processes that are expensive and resource intensive for both sides of the relationship.

Most large organizations have been forced to add rigorous validation steps to their supplier management process in an attempt to reduce the risk of cybercrime and online fraud by preventing attackers from piggy-backing on the trusted relationship. These steps, while well intentioned, have done very little to reduce or even manage the exposure a business faces from known Internet attack vectors. They are typically an annual exercise involving questionnaires and possibly audits, and heavy reliance is placed on the supplier's own cyber-risk skills and choice of service provider. If we have learned anything from the mega-breach disclosures of the last five years, it is that trusted suppliers (both big and small) tend to present a softer target to an attacker, and consequently an easier route to the core business systems and salable information held by the ultimate target of the attack.

The costs of managing the security of suppliers are often not transparent to an organization. Typical supplier integrity checking processes include the following:

- Negotiation and agreement on supplier contracts that specifically call out minimum insurance and liability amounts, requiring copies of insurance documents to be received, reviewed, validated, and stored.
- Verification of internal governance and data management policies, requiring the suppliers to complete self-certified questionnaires and nominally supply copies of relevant policies for review and storage by the procuring organization.
- Review and acceptance of industry-specific certification reports such as PCI DSS and ISO 27001, requiring the supplier to invest in third-party assessment against minimum certification criteria, and the receiver to review, validate, and store copies of the certification.
- Annual penetration testing reports of web services, requiring third-party assessment and reporting, trust in the supplier of the report, trust in the coverage of the testing, trust in the scope of the management summary, and safe storage of the report.
- Annual code reviews of core products, requiring automated testing of the source code of key software products and portals offered by the supplier, review of technical test results, and safe storage of the report.

CONSISTENT FAILURE

The traditional processes of verifying the security and integrity of a supplier and its place in the supply chain, while robust in principle, consistently fail to protect an organization targeted by professional cyber criminals or even opportunistic intruders. There are two core problems:

Timeliness - Just as your business advances throughout the year, so do hackers and the tools they use to exploit weaknesses in Internet-accessible systems. Annual penetration tests, code reviews, certifications, and audits provide at best a point-in-time snapshot of the security of a supplier. Throughout a typical year hundreds of vendor patches are released, thousands of new vulnerabilities are disclosed, and millions of lines of new code are written. The delta between what was assessed and what is now deployed grows with each passing day, greatly increasing the risk of compromise.

Minimum-bar certification - It is an easy trap for organizations to demand compliance with common industry certifications. At best, these certifications represent the minimum level an organization needs to attain. In reality they have been shown to be a fairly inconsequential hurdle that a clever and resourceful attacker will overcome. Furthermore, many such certifications still rely on subjective interpretations of what constitutes compliance.

SIMPLIFYING SUPPLY CHAIN SECURITY WITH .TRUST

The complexity of verifying a supplier's security posture, and the cost of applying that process to dozens or hundreds of suppliers around the globe, is burdensome and a pure cost to the business. Similarly, suppliers that must respond to the similar but unique requests of hundreds of their clients, providing proof of meeting each stipulated security or audit criterion, bear an equal and costly burden. Neither member of the supply chain benefits from the traditional model.

Securing the supply chain, or at the very least simplifying the process of validating the security and integrity of its members, can be achieved more efficiently through third-party involvement in which a single high bar of security is accepted and applied.

NCC Group's .trust domain service is designed to simplify and strengthen the integrity of today's complex supply chains. Through .trust, member organizations are continually monitored and assessed against one of the highest bars in Internet security, the .trust Technical Policy. This public policy encapsulates best practices in security, is overseen by a board of international experts in Internet security and hacking techniques, and is updated throughout the year to reflect advances in best-practice security recommendations.

Not beholden to a single or proprietary scanning engine, the .trust service utilizes multiple best-of-breed vulnerability and code scanners from trusted security vendors to continually monitor all devices and services a .trust member operates under its .trust domain names. Services that fail to achieve or maintain compliance with the .trust Technical Policy will be suspended if they represent a threat to the .trust community. More importantly, all members of the supply chain gain daily assurance that the community is actively managing cyber risk instead of relying on an annual snapshot.
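To make the timeliness argument of the previous section and the multi-scanner, continuous-monitoring model described here concrete, the following is an added example. It is not NCC Group's code and does not reproduce the .trust Technical Policy, whose contents this paper does not give: the scanner names, host names, check names, severity ranking, and grace periods are all constructed assumptions. The script merges findings from two scanner engines into one record per (host, check), judges each host against the assumed policy on a given day, and contrasts that with what a single annual assessment date would have seen.

```python
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Hypothetical policy thresholds. These are assumptions for the example, not the
# contents of the .trust Technical Policy: a service fails if it carries any finding
# above MAX_ALLOWED, and a failing finding may persist for GRACE_DAYS[severity] days
# before suspension is recommended.
MAX_ALLOWED = "medium"
GRACE_DAYS = {"high": 7, "critical": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str
    severity: str
    first_seen: date
    scanners: frozenset


def merge_findings(reports):
    """Normalise raw results from several scanners into one Finding per (host, check).

    reports: {scanner_name: [{"host", "check", "severity", "first_seen"}, ...]}
    When two engines report the same (host, check), keep the earliest first_seen
    and the highest severity, and record every scanner that saw it, so one
    engine's blind spot or under-rating cannot hide a problem.
    """
    merged = {}
    for scanner, results in reports.items():
        for r in results:
            key = (r["host"], r["check"])
            prev = merged.get(key)
            if prev is None:
                merged[key] = Finding(r["host"], r["check"], r["severity"],
                                      r["first_seen"], frozenset({scanner}))
            else:
                worst = max(prev.severity, r["severity"], key=SEVERITY_RANK.__getitem__)
                merged[key] = Finding(prev.host, prev.check, worst,
                                      min(prev.first_seen, r["first_seen"]),
                                      prev.scanners | {scanner})
    return merged


def evaluate(findings, hosts, today):
    """Judge each host on a given day.

    Returns {host: (status, failing_checks)} where status is "compliant",
    "non-compliant" (a failing finding still inside its grace period) or
    "suspend" (a failing finding has outlived its grace period).
    """
    verdicts = {h: ["compliant", []] for h in hosts}
    for f in findings.values():
        if SEVERITY_RANK[f.severity] <= SEVERITY_RANK[MAX_ALLOWED]:
            continue  # within policy, nothing to do
        entry = verdicts.setdefault(f.host, ["compliant", []])
        entry[1].append(f.check)
        age_days = (today - f.first_seen).days
        if age_days > GRACE_DAYS[f.severity]:
            entry[0] = "suspend"
        elif entry[0] != "suspend":
            entry[0] = "non-compliant"
    return {h: (s, sorted(c)) for h, (s, c) in verdicts.items()}


def annual_view(findings, assessment_date):
    """What a once-a-year assessment saw: only findings already present on that date."""
    return {k: f for k, f in findings.items() if f.first_seen <= assessment_date}


# Constructed sample input (not real scan data): two scanners covering two hosts
# under a fictional supplier domain.
SAMPLE_REPORTS = {
    "scanner-a": [
        {"host": "portal.supplier.example", "check": "tls-weak-cipher",
         "severity": "high", "first_seen": date(2016, 3, 1)},
        {"host": "api.supplier.example", "check": "outdated-web-server",
         "severity": "critical", "first_seen": date(2016, 5, 21)},
    ],
    "scanner-b": [
        {"host": "portal.supplier.example", "check": "tls-weak-cipher",
         "severity": "medium", "first_seen": date(2016, 2, 25)},
        {"host": "portal.supplier.example", "check": "missing-hsts",
         "severity": "low", "first_seen": date(2016, 1, 10)},
    ],
}
HOSTS = ["portal.supplier.example", "api.supplier.example"]


def compare_models(assessment_date=date(2016, 1, 15), today=date(2016, 5, 21)):
    """Return (daily_verdicts, annual_verdicts) for the sample data.

    The annual model evaluates only what existed on assessment_date, as of that
    date; the continuous model evaluates everything known today.
    """
    findings = merge_findings(SAMPLE_REPORTS)
    daily = evaluate(findings, HOSTS, today)
    annual = evaluate(annual_view(findings, assessment_date), HOSTS, assessment_date)
    return daily, annual


if __name__ == "__main__":
    daily, annual = compare_models()
    print("annual assessment (2016-01-15):", annual)
    print("continuous view   (2016-05-21):", daily)
```

On the sample data the January assessment reports both hosts compliant, while the daily view in May shows the portal's weak-cipher finding (reported by both engines, rated higher by one) well past its grace period and the API host carrying a fresh critical finding that has not yet triggered suspension. The design point is that the merge step keeps the worst rating and the earliest sighting, so a second engine can only make a verdict stricter, never hide a finding.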

THE SUPPLY CHAIN HIGH BAR

Any organization with Internet services operating under a .trust domain name is currently in compliance with the .trust Technical Policy and has reached the high bar in Internet security. Suppliers that provide their services via a .trust domain are therefore already operating above and beyond any generic industry certification standard, and demonstrably take both their own and their customers' security seriously. As a consequence, the supply chain validation process is simplified and assurance increased in the following ways:

- Any business providing online services or communicating via a .trust domain employs the highest level of security and is proven to be following industry best practices.
- .trust members are continually assessed for compliance against the .trust Technical Policy, replacing a single point-in-time snapshot of security compliance.
- Services that fail .trust compliance and could represent a threat to other members of the .trust community may be suspended.
- A single, objective, technically verifiable standard for a supplier to strive for and achieve. While higher than many past client requirements, achieving .trust compliance means that the security criteria of all clients are met simultaneously.
- The overhead of managing compliance verification is removed. Continual scanning and monitoring of all .trust services is a core tenet of the service.

www.nccgroup.trust @nccgroupplc