I’ve had occasion over the last year to write about digital supply chain security more than a few times. There are the aspects of outsourcing helpdesk functions, code development, millions of interconnects with partners. There is no shortage to how wide the attack surface for your organization can spread in short order if not properly protected.
Case in point, there was a story I heard about not too long ago where an employee for an outsourced provider decided that they were not happy with the position one of their contracts were taking on a subject. They decided to cause no end of misery. It’s not really material what that position was but, more importantly, the fact that this person and their firm were contractually bound to deliver and not cause mischief and mayhem. Somehow, this staffer missed that memo.
What they did was in fact remarkable. They decided to attack their customers to exact some measure of revenge for an imagined slight. This was the point where I was absolutely amazed that this person would have the stones to try something like this. Using information for which they had privileged access they managed to destroy systems, corrupt data and take servers offline.
I never did hear what became of that person but, I would be willing to image that they did not get their red stapler back at the exit interview. This is the problem that we all face when with the ever expanding footprint of our digital supply chains. Just over a year ago I first gave a talk at Trinity College in Dublin Ireland on this very subject at the SOURCE Dublin conference. Since then I’ve been amazed at the stories that people have shared with me about their supply chains.
So, what can you do? In a situation like the aforementioned I’m really not sure if there is a good answer. To be fair that was not something that I’ve heard about before or since. Hope springs that sort of incident was one off but, what if it wasn’t?
When dealing with a third party outsourced provider, as an example, you need to make sure that you have tiered access control. Your contract workers should not be able to ride roughshod over your entire organization. They should be limited to only what they absolutely need to get their job done.
In one organization that I worked for there was an incident where an offshore development center was contracted to develop some code. They were strictly prohibited from dealing with any source code pertaining to encryption as per the contract. They however badgered support staff, who were also outsourced, incessantly often invoking the name of various C-suite executives to the point where they would eventually relent and provide the code developers access to the restricted material. To quote Mike Rothman, the author of "The Pragmatic CISO", no bueno.
In addition to restricting access be sure that you are NOT running a flat network in your environment. In another shop that I worked for once it turned out that if you had VPN access that you could connect to any system in the enterprise globally. Why was this possible? Well, there was a lack of any network zone segmentation of any description. The network diagram had designations for each zone of the network but, that was where the segmentation stopped. It did not translate from the paper rolled out on the table to the infrastructure deployed in the enterprise.
Be sure to have controls in place in your network to be able to shut off or at least mitigate an attack from a third party provider. It might not happen but, if it did the effects could be significant. I’ll be giving another talk on digital supply chain in a couple weeks in Indianapolis at CircleCityCon. I hope that more people will continue to talk about this often overlooked subject. Hopefully we can all avoid the wrath of the angry IT support staffer.
Originally posted on Forbes.