Defending Against Software Supply Chain Attacks

May 13, 2021
The National Institute of Standards and Technology offers some recommendations.

It seems that every day brings news of another cyberattack on a company.

To help companies prevent these attacks, last month the National Institute of Standards and Technology (NIST) issued a publication on how to use the agency’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks.

A software supply chain attack occurs when a threat actor infiltrates a software vendor’s network and compromises the software before it is sold, so the malicious code is passed along to every customer; the compromise can also arrive later through a patch or hotfix. Whatever the method, the “attack can affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers,” the report notes.

The consequences of these attacks can be severe. “Depending on the threat actor’s intent and capability, this additional malware may allow the threat actor to conduct various malicious activities that may include performing data or financial theft, monitoring organizations or individuals, disabling networks or systems, or even causing physical harm or death,” the report says.

Because these consequences are difficult to mitigate after an attack, NIST recommends a few simple steps to start understanding the risks.

1. Identify your key mission or business processes: what essential services do you provide, or what drives your revenue?

2. Maintain an inventory of your organization’s current and future software licenses.

3. Research and document how each software license is supported by its supplier (e.g., are patches provided? Does the supplier offer periodic email updates about the product?).

4. Understand how your software (current or future purchases) supports or otherwise relates to your key processes.

5. Document how you would plan to address

NIST also suggests eight key practices for establishing a C-SCRM approach that can be applied to software. These practices can assist in preventing, mitigating, and responding to software vulnerabilities that may be introduced through the cyber supply chain and exploited by malicious actors.

1. Integrate C-SCRM across the organization.

2. Establish a formal C-SCRM program.

3. Know and manage critical components and suppliers.

4. Understand the organization’s supply chain.

5. Closely collaborate with key suppliers.

6. Include key suppliers in resilience and improvement activities.

7. Assess and monitor throughout the supplier relationship.

8. Plan for the full lifecycle.