DATA SECURITY PODCAST
In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses the latest views on Supply Chain Security and Integrity in today's cybersecurity climate. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Rob welcome back always great to have you on the show.
A: Glad to be back on the show! I enjoy every time I'm back with you.
Q: Yes, us too. Rob today let's talk about securing the supply chain. So many organizations aren't sure where to start. And so, with your expertise, what are some of the growing concerns and risks associated with supply chain integrity?
A: You know, to answer that question, I think that I need to start by defining what supply chain integrity really is. Supply chain integrity is a process of understanding all of the vendors, and all the vendors of those vendors that are downstream, that can contribute to the products that you use in your enterprise. And, ensuring that those products and services are in a secure state and that you can trust that those individual contributions to those products and services that you're consuming are trustworthy and valid.
For our discussion, I think it would help to just focus on, for instance, software. Because that seems to be what really interests folks in the industry, nowadays, what you've been hearing on the news. You know, this also applies to hardware devices such as firewalls, switches, and routers, Internet of Things types of devices such as thermostats, and even to environmental control systems.
You know the government really began to put a focus on supply chain integrity when they implemented NIST 800-171 and made it a requirement back in 2017. They stepped it up recently, and now the entire defense industrial base is being held to an even higher standard now that CMMC is being phased in. But there has been a lot of concern lately about supply chain integrity. And this is largely driven by the incredibly invasive and pervasive SolarWinds hack, which many call Sunburst. This was an impactful event because the SolarWinds product had been such a great and reliable and trusted component of many organizations' infrastructure. And they were also doing seemingly all the right things to protect our infrastructure. But this tool was being used in many aspects of, in terms of government, and in many in the commercial space.
Q: Are enterprises prepared to detect or even prevent the growing supply chain cyber risks and attacks?
A: Well, this is an extremely difficult problem to solve. And no enterprise can really solve it alone. I believe that most companies are at a point now where they've implemented or are implementing strong vendor management processes and those processes often include security components.
However, this entire process is only as strong as the weakest vendor, and security controls of that weakest vendor. Furthermore, assessing the security posture and capability of each vendor involved in your entire supply chain is almost impossible. So the answer to your question — I hate to say it — no, I don't think most enterprises are prepared for these types of attacks.
You know what I've heard on the news over and over is the shock and awe that hackers were in their infrastructure or in their email systems for up to nine months before there was anything detected. Well here's the real shock and awe — that wasn't just specific to that attack — across our entire industry, it's an average of 276 days before a breach is detected.
Now, if you do the math that turns out to be nine months, two days. Almost the exact amount of time before the detection of the sunburst attack. So they're not unique. This is a problem that our entire industry is facing, and, to top it off across our entire industry, it takes another 73 days on average to contain a breach. So this is a real problem, and it needs to be dealt with because both of those statistics need to be driven down to zero and we're not making great progress.
Q: Yeah absolutely and, and so we aren't making great progress which can seem bleak but, are there things that can be done to help combat this?
A: Well, I do believe that the new CMMC standard and, by the way, that stands for cybersecurity maturity model certification. I think that is on the right track because that really requires all companies that need to comply with CMMC to actually go through an external audit.
However, there are some technical controls that we can put into place to at least help identify what a supply chain attack is in progress. I believe that a robust system and an integrity monitoring tool is the key to securing your organization and providing insight for when supply chain attacks occur. So here's the bottom line, most attacks even supply chain attacks, begin with the change. I mean something has to happen. So if you can identify unexpected changes in real-time, just as we do with our CimTrak Integrity Suite software, that provides you with the information about the source of change, who made the change, what process made to change, and what you need to do to remediate the issue.
You know, many times you hear that the industry doesn't know the extent that the Sunburst attack has proliferated and what additional back doors were installed. That scenario and that lack of visibility can be rectified by using next-generation system integrity tools such as CimTrak, which would allow you to understand what has been changed, understand their new back doors, new privileges, new users and so much more.
May 27, 2021