While companies are stuck knee-deep responding to alarms within the environment, the supply chain is typically overlooked. Yet, a supply chain attack can have deep repercussions on a company - from data theft and brand tarnishing to regulatory fines. As a security professional, you have the responsibility of safeguarding your company’s data and assets. But how can you control an environment that you don’t even have visibility into?
In this webinar, we will:
• Present techniques to unveil your supply chain's attack surface
• Pinpoint warning signs of a supply chain breach
• Provide a practical strategy to increase the cyber resilience of your supply chain
2. p.3 - Confidential -
ABOUT US
Dov Goldman, Director of Risk and Compliance, Panorays, dov@panorays.com
Demi Ben-Ari, Co-founder and VP R&D, Panorays, demi@panorays.com
3. 61% of US companies suffered a data breach via a third party in 2018
Source: "Data Risk in the Third-Party Ecosystem," Ponemon Institute, November 2018
4. Percentage of third parties that share organizations' sensitive data with their own third parties (chart): 2016: 37%, 2018: 43%
Source: "Data Risk in the Third-Party Ecosystem," Ponemon Institute, November 2018
5. A breach to even the smallest 3rd party may cause a cyber typhoon in the industry.
• PNI Data Breach – Photo Services Affected – By Thomas George
• Geekwire, databreaches.net, Amateurphotographer.co.uk, scmagazine.com
11. What is My Attack Surface
Risk = Vulnerabilities × Threats × Consequences
Figure (attack-surface word map, terms in reading order):
• Assets: Privacy, Content, Identity, Files, Assets
• Security controls: Tor, VPN, HTTPS, Encryption, 2FA, HTTP Filter, Patching, WAF, Firewall, SSL/TLS, SSH
• Threats: Vishing, Phishing, Spying, Adware, Backdoors, Exploit Kits, Spyware, Viruses, Malware, Mass Surveillance
• Adversaries: Spies, Nation-States, Hackers, Hacker Groups, Colleagues, Cyber Criminals, Law Enforcement, Ex-Partners, Governments
• Pseudo-Anonymity, Anonymity
12. Polling Question #2
What methodology do you use to evaluate your suppliers?
1. I don't evaluate my suppliers at all
2. External view
3. Questionnaires
4. External view & questionnaires
5. Other
13. Why Should You Look at the Perimeter?
"Dirty window was indicative of lack of cleaning and attention to details."
-- TripAdvisor restaurant review
14. What You Should Be Looking At
Figure: Supplier – Employees – IT & Network – Application
• Vircom
20. Do You Know Your Assets? The Hacker Does!
21. Tell-Tale Signs of a Supply Chain Attack
• Organization monitored supplier over time
• Exposed the attack surface
• Outdated technologies
• Untrusted certificates
• Mail server misconfigurations
• Lack of security controls
• Botnet traffic
• …
• Measures the company took to avoid a breach
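As an added illustration (not code from the webinar or from Panorays), the following Python maps an externally observable posture snapshot of a supplier onto the warning signs listed above and returns the findings; the snapshot, the baseline versions and the fixed clock are constructed assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed external-posture snapshot for a hypothetical supplier (not real
# scan data); the fields mirror the warning signs listed on the slide.
SUPPLIER_SNAPSHOT = {
    "tls_cert": {"subject": "CN=example-supplier.invalid",
                 "issuer": "CN=example-supplier.invalid",   # issuer == subject
                 "not_after": "2019-01-01T00:00:00Z"},
    "dns_txt": {"spf": "v=spf1 include:_spf.mail.invalid +all",
                "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-supplier.invalid"},
    "banners": {"OpenSSH": "7.4", "Apache": "2.2.15"},
    "hsts_present": False,
    "outbound_to_known_c2": True,
}
# Assumed "current enough" baseline versions for the example, not a real policy.
MIN_VERSIONS = {"OpenSSH": (8, 0), "Apache": (2, 4)}
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are stable

def _version(s):
    return tuple(int(x) for x in s.split("."))

def assess_supplier(snap, now=NOW):
    """Map the snapshot onto the slide's tell-tale signs; returns (sign, detail) pairs."""
    found = []
    cert = snap["tls_cert"]
    expiry = datetime.strptime(cert["not_after"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if cert["issuer"] == cert["subject"]:
        found.append(("untrusted certificate", "self-signed"))
    if expiry < now:
        found.append(("untrusted certificate", "expired " + cert["not_after"]))
    spf = snap["dns_txt"].get("spf")
    if spf is None:
        found.append(("mail server misconfiguration", "no SPF record"))
    elif spf.split()[-1] in ("+all", "all"):   # any host may send as this domain
        found.append(("mail server misconfiguration", "SPF ends in +all"))
    dmarc = snap["dns_txt"].get("dmarc")
    tags = dict(t.strip().split("=", 1) for t in (dmarc or "").split(";") if "=" in t)
    if dmarc is None:
        found.append(("mail server misconfiguration", "no DMARC record"))
    elif tags.get("p", "none") == "none":   # monitor-only policy, spoofing not blocked
        found.append(("mail server misconfiguration", "DMARC p=none"))
    for product, ver in snap["banners"].items():
        if product in MIN_VERSIONS and _version(ver) < MIN_VERSIONS[product]:
            found.append(("outdated technology", f"{product} {ver}"))
    if not snap["hsts_present"]:
        found.append(("lack of security controls", "no HSTS header"))
    if snap["outbound_to_known_c2"]:
        found.append(("botnet traffic", "outbound to known C2 (constructed flag)"))
    return found
```

Run over a clean snapshot (valid CA-issued certificate, SPF ending in -all, DMARC p=reject, current versions, HSTS present, no C2 traffic) the function returns an empty list, so it can be applied to each supplier on every monitoring cycle and the diff between cycles reviewed.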
23. What are we assessing in our supply chain?
● Choose the control frameworks, industry standards and regulatory directives we adhere to
● "Scope" the controls relevant to each relationship
● Test our suppliers' adherence to the same standards
● Identify issues and request remediations
● Monitor continuously
26. Polling Question #3
Which suppliers do you focus on?
1. I don't evaluate my suppliers
2. I evaluate all suppliers
3. I evaluate only those deemed critical
4. Always the criticals and occasionally the less critical
5. Other
27. Scaling a Third Party Cybersecurity Program
Low Risk: Your Controls
Medium Risk: Automation
Critical
34. Key Takeaways
● Supply chain security is something you need to consider – today!
● This is a problem you can mitigate
● Build a scalable third party cybersecurity program
● Consider the attack surface and work towards minimizing it