Singapore Consultancy Pte. Ltd.

Are your technology suppliers putting you and your customers at risk?


Supply-chain risk has emerged as a significant cause for concern amongst organizations who use third-party technology products and services either for their own benefit, or as part of solutions they provide to their clients. In this article, we discuss what supply-chain risk is, why it should matter to you and what you can do to address the risks.


What is supply-chain risk?

Supply-chain risk is the risk that you, as a provider of a technology product or service (“supplier”) to your clients, have exploitable weaknesses in that product or service (“solution”). The weaknesses may be present in your own work products, or in the work products of third parties that you have incorporated into your solution, e.g. hardware components, software libraries and open-source code. Such weaknesses can be exploited by malicious parties, or triggered unintentionally by your own employees.


Recent examples of supply-chain risks that have materialized include the following high-profile incidents:

  • Open Source Dependency Confusion Attack – In February 2021, security researcher Alex Birsan disclosed a novel attack against the process of building line-of-business applications and tools that depend on public software repositories: by publishing packages to public registries under the same names as organizations' internal, privately hosted packages, he caused their build tooling to download his copies instead. Birsan successfully infiltrated 35 organizations including Apple, PayPal, Microsoft and Uber, and his work was acknowledged through bug bounty awards from several of those organizations totaling more than one hundred thousand US dollars.

  • SolarWinds – In December 2020, SolarWinds, a supplier of information technology infrastructure management software, disclosed that hackers had inserted malicious code into a product update, which infected about 18,000 SolarWinds customers worldwide. From there, the hackers infiltrated a targeted subset of those customers, ranging from government departments to providers of widely used software. The true impact of this hack is not yet fully known.


Why should supply-chain risk matter to you?

Financial regulators, who have long been wary of supply-chain risks, are now providing further guidance to financial institutions (“FIs”) to step up governance over a broader set of their suppliers. The Monetary Authority of Singapore released updated Technology Risk Management Guidelines for FIs in January 2021, highlighting that “The recent spate of cyber attacks on supply chains, which targeted multiple IT service providers through the exploitation of widely-used network management software, is a clear indication of a worsening cyber threat environment.”


We expect your FI clients to pay more attention to this matter and to increase their oversight of your organization. This may include additional checks on the measures your organization takes to:

  • Prevent exploitable weaknesses in your solutions, and

  • Ensure your suppliers are not introducing exploitable weaknesses into your solutions.

We expect these checks will take place during evaluations of solutions and on an on-going basis.


What can you do to mitigate supply-chain risk?

Mitigating supply-chain risk requires a multi-pronged approach. We describe several measures you can adopt to minimize supply-chain risks:

  • Sound risk management governance. Management commitment and a robust risk management framework and processes are necessities to ensure that your organization is aware of its risks and is managing them proactively. Undertaking a risk assessment will help identify weaknesses, allow you to address your risks, including your supply-chain risks, and monitor ongoing compliance with the measures you have implemented. You may consider engaging an independent party to perform the risk assessment, to give you an objective view of your current state and to recommend and monitor remediations. An independent assessment will increase confidence amongst your clients that you are in control of your risks.

  • Improving solution development and delivery processes. This will reduce the likelihood that you introduce exploitable weaknesses during the solution development phase. This may include:

    • Uplifting software development practices to focus on security considerations at early stages of the development lifecycle.

    • Increasing testing coverage to include regimes such as static application security testing (SAST), dynamic application security testing (DAST) and source code reviews.

  • Enhancing your cybersecurity posture. A good posture includes proactive and defensive measures to ensure that you are protecting your infrastructure and environments against threats. Besides adopting standards, processes and tools, the human element should not be overlooked, as it is usually the weakest link in good cybersecurity. Some immediate actions you can take to determine your exposure to recently known weaknesses include:

    • Assessing your software delivery pipeline against Birsan’s dependency confusion attack described above,

    • Reviewing your malware incident response playbook against a SolarWinds-like scenario, and

    • Evaluating Microsoft’s patches to address exploited weaknesses in Exchange servers.
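The dependency confusion incident described above and the pipeline assessment recommended here both come down to one question: can your build tooling ever resolve an internal package name from a public registry? The following Python script, added here as an illustration and not part of the article or of any tool it mentions, audits a constructed pip configuration and requirements file for the conditions that make that possible: a private index added with `extra-index-url` (which pip merges with the public index rather than replacing it), and internal packages that are not pinned to an exact version with integrity hashes. The package names, index URL and file contents are invented sample data.

```python
import re
from typing import Dict, List, Tuple

# ---- Constructed sample inputs (invented names; not from the article) ----
INTERNAL_PACKAGES = {"acme-billing-core", "Acme_Auth.Client"}

SAMPLE_PIP_CONF = """
[global]
extra-index-url = https://pypi.internal.example/simple
"""

SAMPLE_REQUIREMENTS = """
requests==2.25.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
acme-billing-core>=1.2          # internal, but a newer public copy would win
acme-auth-client==3.0.0 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
flask
"""


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Acme_Auth.Client' == 'acme-auth-client'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pip_conf(text: str) -> Dict[str, str]:
    """Collect key = value settings from an INI-style pip.conf (sections ignored)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line and not line.startswith(("[", "#", ";")):
            key, value = line.split("=", 1)
            settings[key.strip().replace("_", "-")] = value.strip()
    return settings


def parse_requirements(text: str) -> List[Dict[str, object]]:
    """Extract name, exact-pin flag and --hash options from each requirement line."""
    reqs: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):         # skip blank lines and pip options
            continue
        parts = line.split()
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$", parts[0])
        if not match:
            continue
        name, version = match.group(1), match.group(2)
        reqs.append({
            "name": normalize(name),
            "pinned": version.startswith("=="),
            "hashes": [p for p in parts[1:] if p.startswith("--hash=")],
        })
    return reqs


def audit(pip_conf: str, requirements: str, internal: set) -> List[Tuple[str, str]]:
    """Return (subject, issue) findings that expose the build to dependency confusion."""
    internal_names = {normalize(n) for n in internal}
    findings: List[Tuple[str, str]] = []

    conf = parse_pip_conf(pip_conf)
    if "extra-index-url" in conf:
        findings.append(("pip.conf",
                         "extra-index-url merges the private index with public PyPI, so pip "
                         "may pick a same-named public package; use index-url pointing only "
                         "at a private index or proxy that enforces precedence"))

    for req in parse_requirements(requirements):
        if req["name"] not in internal_names:
            continue
        if not req["pinned"]:
            findings.append((req["name"], "internal package is not pinned with ==; a higher "
                                          "version published publicly would be preferred"))
        if not req["hashes"]:
            findings.append((req["name"], "no --hash pin; a substituted package of the same "
                                          "version would not be detected at install time"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit(SAMPLE_PIP_CONF, SAMPLE_REQUIREMENTS, INTERNAL_PACKAGES):
        print(f"{subject}: {issue}")
```

The sample run reports three findings: the `extra-index-url` setting, and two for `acme-billing-core`, which is neither pinned nor hashed; `acme-auth-client` passes because it is pinned and hash-locked, and the public packages are ignored because only names on the internal list are checked. The same two questions apply to npm, NuGet and other ecosystems, where the fixes are likewise to point the client exclusively at a private registry or proxy, reserve or namespace internal names, and verify integrity hashes from a lock file.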


Singapore Consultancy is here to help you. Singapore Consultancy’s Operational and Technology Risk Management (OTRM) Practice is staffed with audit and risk management experts who have worked in the financial services industry. They can assist you with the IT risk management needs of your organization as well as with your oversight of suppliers. For further information, please contact:

Eliza Leong    eliza.leong@singaporeconsultancy.com

Ng Pheng Siong    phengsiong.ng@singaporeconsultancy.com

Deepak Sekhri    deepak.sekhri@singaporeconsultancy.com


Posted by DEEPAK SEKHRI