Supply chain risks are those risks associated with the use of third parties who provide a product or service to your organization. This is closely related to Vendor Risk Management (VRM), since vendors are a key part of an organization's supply chain (e.g., Cisco may be a vendor but still act as part of the supply chain by providing firewalls). And to answer the question: yes, it applies, no matter how big or small the organization.
It is quite alarming how far these threat actors, such as Nobelium (responsible for SolarWinds), are willing to go to gain access to sensitive information, even going as far as to wipe their digital footprints prior to initiating the compromise.
I would argue no, for the simple fact that the end far outweighs the means. Why focus on one organization when an attack can affect hundreds, or even thousands? This is the new mentality of many threat actors, especially Advanced Persistent Threats (APTs) such as Russia's APT28 "Fancy Bear" or China's "Iron Husky". To really bring this into perspective, here are a few incidents that are more recent (2019+):
If you haven't picked up on it yet, these attacks are not carried out by the run-of-the-mill script kiddie or one-off hacker. They are carried out by well-funded, organized nation states and cyber crime syndicates. As we can infer, one of the main goals is to go unnoticed as long as possible, which takes time and mounds of effort. Many nation states even go as far as to put groups or teams together for the sole purpose of carrying out these attacks, which leaves us with time being of the essence; like we say, it's not if, it's when.
For additional information on nation state attack vectors, please visit CISA.
There are quite a few ways an organization can prepare against these types of attacks. However, it requires a holistic approach and an understanding of where you are, where you are going, and who is helping to get you there (suppliers and vendors). Below I have identified some major points to address when considering your organization's cybersecurity posture:
Emagine IT, Inc. (EIT) is an information technology services and consulting company based in the Washington, DC metropolitan area. EIT provides IT modernization, cybersecurity, and full lifecycle IT services to the public and private sectors. For more information, please visit their website at www.eit2.com.
Contact
Jared Snyder
CISSP, CCSFP
Sr. Consultant, Commercial Services & Federal Cyber Security Services
jared.snyder@eit2.com · (614) 633-9130