Every business of every size is going to have a handful of vendors that it collaborates with for materials and services. In today’s digital landscape, more businesses are reaching out to technology vendors for things like Software as a Service programs and online collaboration platforms. This introduces a new level of risk for your business, as you are shifting the responsibility for certain assets to another party whose security you do not control. We have many examples of the destruction this can bring, such as the MOVEit breach in May 2023 that affected around 2,700 organizations. Your company’s sensitive data could be breached through no fault of your own. On the availability side, important workflows could cease if one of your vendors goes offline. This is why it is important to weigh the pros and cons of each cloud vendor you utilize, as well as those of any new vendors you plan to implement, and why it is essential to minimize the data flows out of your internal environment into cloud environments. Make sure cloud sessions are properly monitored and logged, and that data is encrypted at rest and in transit. Data Loss Prevention (DLP) is another increasingly mandatory control to implement to minimize sensitive data leakage to cloud environments. In addition to controls on your end, you need to do the due diligence of studying the security practices used by the cloud vendors themselves. When you sign up for a cloud service, you will be presented with documentation that outlines a Service Level Agreement (SLA) that the cloud provider agrees to provide you. The cloud provider will guarantee standards for confidentiality, integrity, and availability of your resources. Make sure that you thoroughly review this documentation and save it in a secure location reserved for vendor data. If a violation of the SLA occurs in the future, you will usually be able to claim compensation in the form of account credits or other means.

Besides cloud service vendors, there are security issues that can be encountered with regular tech vendors that provide your core network infrastructure components, like routers, switches, and access points. Vendor lock-in is an issue that can creep up slowly on organizations. It is where an organization purchases all its infrastructure from one vendor, slowly making it dependent on that vendor. This can result in cost-effectiveness issues, as the organization needs to seek out support for that specific vendor’s technology, which can be much more costly than supporting a mixed or open-standard environment. A common example of this is employing all Cisco products for your network infrastructure. Cisco is a great, powerful networking company, but its products require a specific level of knowledge to configure and manage, not to mention that they are expensive. A business with no dedicated IT support and networking knowledge would run into trouble if it purchased all Cisco products. In addition to this risk, different vendors have specific end-of-life dates for their products, and some of them are accused of planned obsolescence. If you use just one vendor, you run the risk of all of your infrastructure expiring and needing to be replaced at the same time, rather than just one or two components. To mitigate vendor lock-in, try to use a mix of networking devices for your business, and include open-source solutions wherever you can. For example, you could run an open-source pfSense router with Cisco switches and Palo Alto access points.

Besides vendor lock-in, it is important to be wary of vendor lockout. This occurs when vendors refuse to support your use of their products due to factors like broken agreements, or when the vendor itself goes out of business. One very common vendor lockout situation arises from jailbreaking or rooting devices. This occurs when a user removes the built-in protections on a device (usually a mobile device) to gain extra functionality not normally present. While this is handy for the user, it makes the device less secure, and the vendor will usually refuse to work on any jailbroken/rooted device. To avoid these issues, ensure that you read all terms and conditions provided to you by vendors when implementing them. You should also have some idea of an exit strategy in case you are forced to discontinue a vendor. Again, a lot of issues here can be mitigated by using open standards and open-source software wherever possible.

While Software as a Service vendors are taking over much of the software market for businesses, many businesses still rely on locally installed desktop software for their daily workflows. This is especially common in small businesses with little prospect of changing their digital infrastructure. Even though they aren’t hosted over the Internet, desktop programs can host a wealth of security issues stemming from supply chain attacks. The code for a program can be manipulated by attackers and injected with malicious code. A famous example of this involves the popular system optimization program CCleaner. In 2018, the program’s manufacturer, Piriform, was attacked, and official copies of CCleaner were replaced with malicious versions, affecting around 2.3 million users. These kinds of supply chain attacks can be very difficult to mitigate.

One measure you can take to reduce the chances of a supply chain attack is to verify the hash of each program you download. When a piece of software is completed, its release files can be run through a cryptographic hash function (the same building block that code signing relies on). This results in a “hash,” a fixed-length string of characters that acts as a fingerprint of the file. If the code for the program is ever changed, even by a single byte, it will result in a completely different hash value. Many software vendors provide the hash (often called the checksum) of their completed program. When you, as the customer, get hold of the files to install the program, you can use your computer to generate the hash of the file you have and compare it to the one provided by the vendor. If the two hashes do not match exactly, then you know the program has been altered and should not be installed. Almost all open-source programs provide hashes with their downloads. Linux package managers like yum and apt check hashes automatically. However, you are less likely to see hashes provided for proprietary software like Windows operating systems and app store programs. You can still check the integrity of these programs by verifying that they use code signing:

    Windows: right-click → Properties → Digital Signatures

    macOS: codesign -dv --verbose=4 app
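The checksum comparison described above, written out as an added example (this is not code from the original article). It parses a vendor checksum list in the format that `sha256sum` prints, streams the downloaded file through SHA-256, and reports a verdict for a genuine copy, a tampered copy, and a file the vendor never listed. The checksum file and the three "downloads" are constructed here for illustration; the published digest is the well-known SHA-256 of the bytes `abc`.

```python
import hashlib
import hmac
import os
import tempfile
# Constructed checksum file in `sha256sum` format; the digest is the well-known SHA-256 of b"abc".
VENDOR_SHA256SUMS = """\
# release 1.2.3 checksums (constructed example, not a real vendor's file)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *installer.exe
"""

def file_sha256(path):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse '<hex>  <name>' lines; a leading '*' on the name marks binary mode."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or not all(c in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest
    return expected

def verify_download(path, sums_text):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at path against the vendor's list."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return "unlisted"  # the vendor published no digest for it, so nothing vouches for it
    # compare_digest keeps the comparison constant-time; hexdigest() is already lowercase
    return "ok" if hmac.compare_digest(file_sha256(path), expected[name]) else "mismatch"

def demo():
    cases = {"genuine": ("installer.exe", b"abc"),   # matches the published digest
             "tampered": ("installer.exe", b"abd"),  # one byte changed on the way to you
             "unlisted": ("helper.dll", b"abc")}     # not covered by the vendor's list
    verdicts = {}
    for label, (name, content) in cases.items():
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(content)
            verdicts[label] = verify_download(path, VENDOR_SHA256SUMS)
    return verdicts
```

Only "ok" should ever lead to an install; "unlisted" is as much a stop sign as "mismatch", since a file with no published digest has nothing vouching for it.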

Another major threat posed to the software supply chain is the existence of zero-day vulnerabilities. Even the brightest programmers in the market can make mistakes, and threat actors are always looking out for them. Security vulnerabilities left dormant in a program's code can be exploited by attackers before anybody even has the chance to discover and fix them, hence the defenders have had “zero days” to prepare a fix. By nature, you can’t prepare for a specific zero-day attack, but you can take measures to strengthen your posture against them. Ensure that automatic updates are configured on all pieces of software so that the latest security patches are applied immediately. Make sure your systems only run the necessary programs and that unneeded programs are uninstalled. Using application whitelisting is a great way to narrow down the amount of software active in your environment. Ensure that software access controls follow the principle of least privilege. For example, always make sure that daily workflows are performed using standard operating system accounts, never with administrator-level accounts. This way, if a program ever falls victim to a zero-day, the attackers can't simply inherit administrator/root-level control of your local systems.

It can induce a lot of anxiety to realize that the security of much of your organization’s backbone is out of your hands. This is why it is important to keep a full view of all vendors and supply chains powering your organization. Not only do you need to be smart when picking and implementing third-party components, but you also need to do regular check-ups to make sure that components are still functional and that you comply with vendor best practices. Take note of any recalls put out by vendors and make sure to monitor basic cybersecurity news to get a heads-up on any new vulnerabilities that may affect your environment.