CCT 050: Mastering Supply Chain Risk Management (SCRM) for the CISSP

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all this is Sean Gerber, with CISSP Cyber Training. How are you all today? I hope everybody's doing well on this beautiful day. I'm in here in Wichita, kansas. It's a gorgeous evening and we have a thunderstorm rolling into town, so it's going to be quite pleasant. I actually enjoy those a lot from being my days of flying B1s and seeing the weather. From a meteorologist standpoint, it is awesome. I just love watching the weather Super cool. But you aren't here to talk about whether you are here to talk about CISSP, right, watching the CISSP exam and what you need to do to pass that doggone test. So what you're going to talk about today is securing the chain, the supply chain, and how you need to understand supply chain risk management, and it's typically called SCRM or, if you're genetically, phonetically Sierra, charlie, romeo, mike, right. So we're going to talk about supply chain, risk management, and the reason we're going to talk about that today is because one it's in domain one, because we're starting over at domain one, and that's a positive. The second thing is, though it's become such a humongous thing that you're going to have to deal with as it relates to your company that you go and work for. In today's world, everything is connected, and I can't express this enough. I was talking to a friend of mine who is associated with a non-profit and talking to him and what are the different aspects that he has to work through to relate it to security? It's amazing, and, on top of that, it's not his full-time job And the supply chain, the people that are supplying him with what he does they as well, have been victims of many different types of cyber attacks. So it is happening to everybody, and it's one of those aspects that when you, as a security professional, get your CISSP and you move on, you cannot leave this or stop doing what you're doing, and you really need to help other people, and what I mean by that is that various non-profits do need your help, especially when you get the CISSP done. You have a lot of skills and you have a lot of technical knowledge and you can give back, because you're going to get paid. Well, there's no question about it. But what you're going to want to do is you're also going to want to give back to non-profits and to other companies that need some assistance that can't do it themselves Mainly your local schools, your local municipalities, your local governments, as well as any non-profits you may have. It's an important factor because they are struggling in this world and, unfortunately, they don't have people like you to help them because, honestly, they can't afford it. So something to think about. I know it's a little bit down the path of altruism, but it really is important. That doesn't matter how much money you make or what you do. It's who you help, and you really need to use the skills you have as a security professional to help lots of people. So, what exactly is supply chain risk management? So, really, what it comes down to is it's a process by which you encompass identification, assessments, mitigation and monitoring of potential risks to the business supply chain. Now, what exactly is a supply chain? So let's just say you are a manufacturing company and you make a widget, and in this widget, it's made out of plastic, for an example. Well, you need to be able to get the stuff that you melt down, the plastic melt that down and you put that into a form. Right, that's how you make your plastic widget. Well, you need to get that plastic from somebody, so you buy that from another company that provides you the plastic, but you have to get the plastic to you. So how do you get the plastic to you at your location so you can make the widget? Well, you have trucking companies, and these trucking companies may even use freight or like rail freight to be able to get the plastic to you. So, and then there's the gas. The gas is maybe a need a large gas containers to move your trailers or whatever it is, but you can see that this is just in time. Type of mentality or business process we've created here in around the globe, honestly is it's all very dependent upon each of these cogs working together. Now, if you go and you disrupt one of these cogs and you disrupt one of these areas of getting the information or the data or the product, or whatever it is, to you, it then totally throws everything out of balance, and that's your supply chain. So you need to, even though you may put a really tight, strong protection around your company, but you may have secondary companies that actually connect into your networks, that provide you information, provide you products that you don't necessarily protect. So you're going to need to understand what is that risk mentality around those. So these risks can range from physical vulnerabilities, such as transport disruptions, like I just kind of mentioned your train, rail shipping from my trucks and so forth to digital threats, like, obviously, cyber breaches and so forth. You don't know what's going to happen. So, like for an example, i know of a company that was a supply chain provider. They got hacked. In the process of getting hacked, they ended up. It caused all kinds of disruption throughout their entire supply chain, and so by doing so and you can go to any place on the web and you can see these exact same stories playing out time and time again. So, when we have global business ops and everybody's dealing with an interconnected supply chain because it isn't just hey, i have my company, it makes widget A and you know what there is this transportation company and only that transportation company serves me. No, that's not the case. That transportation company will serve multiple companies. As an example, my wife has a Kona Ice franchise right And as that Kona Ice franchise. She gets product from various places. Well, that product comes in through, like Cisco or these various other third parties that will provide you that type of product. Well, if they get hacked, i can't get my product. If I can't get my product, i can't sell my product, i can't make money, i go out of business. So it's important factor that you really need to understand how to best do this Now. It also comes into that, when you're maintaining this, you're these different types of supply chain issues. You need to understand business continuity, securing your intellectual property and then also safeguarding your company's reputation, and all of those can be pretty much mixed together, depending upon what your company does for a living. Now, when the organization's supply chain is compromised, these ramifications and these consequences can go well beyond a financial loss. Okay, so you have the financial hit. You maybe you deal with a situation where you don't aren't having revenue but because of the reputational hit, now you lose customers. Or now you lose vendors that are worth supplying you before, but they don't want to supply you now because of the legal and reputational aspects that you may have to go through. So it's an important factor as you as a CISSP and as you, as a security professional, need to consider. It's not just hey, my supply company got hacked, it's okay. What are the cascading effects that affect you? Now? how does this relate with cybersecurity? Like we talked about before, is everything is interconnected, it's all through. And I was giving an example with another friend of mine who is a police chief in a very large facility or a very large city, and in this very large city, as a police chief I mean it's not super large, it's probably around 20, 30,000 maybe and he's a police chief And in this police, as a police chief, he does with all kinds of things from EMS, fire, the police. All that stuff comes into central locations and it's all managed by central computers, right? Well, we see this time and again where that, if those get compromised, it can cause all kinds of issues where people cannot respond to 911 calls or any sort of emergency action calls. So therefore, it's important that you have a good grasp of where are your risks. Now. You may have situations that come up where you just may have to accept the risk, but you really truly need to understand what are the risks to your company. As I was talking to my buddy, i realized just a couple things that I mentioned to him. Hey, you might want to consider this. You might want to consider that, because, even though he's in it, he doesn't see all the risks that are associated with it. Therefore, ie, we come in as security professionals. We can then talk to them and give them guidance, which it's not in their world. He's a really good police officer. he's not a good hacker and that's not a good security person. Why? Because it's not his comparative advantage Now we're going to talk about. We have a couple of use cases that I'm going to get into here just at the end of the podcast, but one of them I'll kind of touch through here is the SolarWinds breach in 2020. And this is a factor where the hackers were able to get access to thousands of organizations globally via compromised software updates. This also just happened with Fortinet, and there's multiple ones that are happening and you can see it pretty much on a monthly basis. There's one significant supply chain situation, pretty much monthly Now. They all vary in their complexity and their impact, but it's continuing to happen And I would be willing to bet that in most cases, it's because these supply chains are run by smaller organizations, the smaller groups of people, and therefore what ends up happening is they don't have the resources, obviously, to protect their environment. But what the whole SolarWinds thing basically proved is that a single vulnerability in the supply chain can have widespread implications, and that was a great example of how it actually did. Now, when we talk about the CISSP, what are some key things around? why is SCRM an important factor? Well, again, of the eight domains, we talk about security operations as one domain, one. We get into various other aspects, but at the end of all of this is that it emphasizes the importance of hardware, software and third party services, the vetting of them and the controlling of them. Now I will tell you that one thing that I always consider is, when I'm bringing on a third party, wherever that might be, you want to walk through and do your due diligence around. What do they have? One, what are they going to be asking for within your company, whatever that might be, whether they want a VPN connection, whether they want an account, whether they want API connections. They're going to want to know what these folks want within your environment, and so, also, you're going to want to have individuals that work in your company that may be doing background checks on the company itself. It's like all done in Bradstreet check. They may do that just to see hey, are these folks paying their bills? Are they a legitimate business? You're going to want to have multiple checks on these third parties, especially if they become one of those that's critical to the operation of your business. So, as an example, you have, let's say, your manufacturing facility. I talk about that a lot because that's obviously something I deal with. But when you deal with a manufacturing facility, how is that powered? Is it powered through natural gas? Is it powered through electricity? Is it powered through fuel, like diesel fuel, whatever that might be, whatever could be powering your facility? is that a critical link? Do you own that capability on site to your facility or do you outsource that and pay for the electricity, for the gas, for whatever that might be? If that is the case, then that is a critical situation within your company. And a good example of this is what happened a couple years ago in the winter down in Texas, when there were super cold time, freezing temperatures, way below normal, and what ended up happening is it caused all kinds of disruptions to that part of the country because they weren't used to that level of cold. More heat was being produced, therefore, less gas reserves were available, so on and so forth, and that was a consequence to it. So, again, it's really important that you understand these principles for passing the CISSP, because they're going to be directly involved in what you do on a day to day basis. Now you must really understand, when you're talking to the test, what are the supply chain threats and then what are the impacts to you. The point of it is that you may have to ask specific people within your organization what could be the impact. So I'll give you an example you're the IT person And, as the IT person, you go all right, if this system goes down, you then will run into a situation where the power goes off in your facility. Okay, well, that's bad, but you need to find out from the people that own the facility, whatever that might be, what is the impact of the power going down. And then this comes down to business continuity planning. You may have a situation where, okay, if the power goes down for two hours, or, golden, if it goes down for eight hours, i'm now losing X amount a day. If it goes down for 20 hours, i'm losing X amount. So you might want to have to go through that and understand with your leaders of your business when you get on there, what would those potentially be? So, again, it's important that you do understand your supply chain and you really need to kind of grasp what are some of the key factors around that. Okay, so what are some key components of the SCRM? So it's crucial to identify potential risks within your supply chain by analyzing all its components. Again, we talked about from raw materials they're sourcing to the actual end product delivery. Now, you may be in the middle of that And so you go. Okay, well, for me, if I'm in the middle and it's coming from being physically created out of a chemical, or it's oil coming right out of the ground, what part of that whole process am I involved in? What part do I have to pass on? And this same type of situation should be occurring with people that are upstream in the business. Right, they are the ones that are under. They're getting your product as you give it to them. So they need to understand what kind of threat are you to their daily operations? And you need to understand when you do that, you need to look at what are some potential impact packs and the likelihood of these specific risks. So let's go, for example, the stray backhoe or the stray digger dirt digger. That may be a situation where you have a lot of maintenance being done in your facility. So if you have a lot of maintenance being done or they're going through a big, rapid change, there's a high likelihood that somebody's going to be digging a hole that's going to hit a line that's important to you. Now, if you don't have that within your organization, maybe that's not much of a risk. However, then what could be one of the risks that happens to you? Maybe you have a publicly exposed websites and therefore your risk would go up because it's out there on the internet and it's totally exposed to individuals trying to attack it. So it's important that you use various tools to help you understand the threat, the modeling around it and the overall risk matrices and come up with a plan. Now here's the other aspect. There's plenty of tools out there to help give you some good ideas about what is the overall risk strategy for your organization, and I recommend that you do get with your organization's risk professionals to help you walk through how to understand risk and then how to also convey risk. That being said, in some cases, you know what you just may be sticking your thumb in the air, going, yeah, i think that's a threat, or yeah, no, i think we're good One that always is biting everybody now and you're seeing this time and again is backup and recovery solutions. There are tons of companies out there, businesses that do not have good backup and recovery solutions in place. They may have a backup system, but they've never tested it, they've never actually pulled anything. If they're backing up to the cloud, they've never pulled it down. They've never done any of those things to physically test what are some of the risks to their company, and so, therefore, they're just hoping, they're making the assumption that, well, it's got it, They're going to take care of it. Well, it's going, i don't understand the risk. So I'm just backing this stuff up. Well, when things go bad and you go, hey, i'm backing it up, and they go, bring it up, let's go, and you don't have it because you never tested it, they're going to blame you. Well, you're going to turn around and blame them because you're going like, well, i didn't know it was that big of a deal. So, again, it's important that you do understand all of these various situations that could affect your company. Now, after identifying the risks and assessing these various risks, you need to consider various appropriate mitigation strategies should be developed for these supply chains. Now, what could that be? Well, you say I don't know. What could that be? Well, you could actually dedicate your own people to help that third party if they're that critical to be secure. Say you don't buy them, say that they're just an independent company, but you work really close, you are tied to them very closely. You cannot leave them. You have to have them as your supplier of whatever that is. You could then dedicate resources to help that company secure their network. Now, by doing so, you now have the ability to control a little bit of your destiny, versus being at the whim of them doing it. Now the situation comes in, especially if they're a small company, their IT person is their IT person, their finance person and probably the driver for the CEO. I don't know. But realistically, they've got many different opportunities, many different hats that they're trying to wear to be successful with their company because they're watching costs. Well, yeah, that's one good point. That just gets you to work really closely, because that I tell you right there, you can do a lot of things, but you can't do them any good, and it's important for you to hire the right people to get to be able to do the job correctly. Once you pass the CISSP and you become a security officer or you become a director of security or whatever that might be within your company, make sure that you hire the right people that understand the risk. And it's up to you and your role and this is one of the reasons the CISSP is so important that it's going to help teach you how do you convey risk, how do you understand risk and how do you ensure that your people get it so that they can put proper mitigations in place. So when you're looking at monitoring and reviewing supply chains, there's various ways that you can do it. Now you can see, go out on Showdan And Showdan will be able to tell you what kind of computers are out there exposed, both for your own internal computers, potentially even third party computers. There's also there's various third parties that provide this service for you. I think one of them is like security scorecard. There is Blackkite. There's various other companies out there that will do this type of activity for you. They'll give you a score. They search the web for any of this company X's vulnerabilities. So like say, i'm living Kansas, so one of the jokes is Kansas. Spell backwards is Saznak. So I own company Saznak and Saznak is producing something for this big conglomerate. Well, if I have systems that are on the web Saznak's computers you can scan for those And if you find them vulnerable, you it would be wise to tell me that my systems are vulnerable Why? Well, because one. If I'm working on your stuff, the last thing you want is me to bring in whatever virus I may have and just basically spoil your network. You don't want that. So it's important that we work together, that you would help me to get my network straight. Now I say that, going out there as a security professional, you need to work with your legal teams and your compliance team to ensure that you can do that. There are some ways, some things you can help with and some things you cannot help with. By you helping somebody, you do run the risk that you could actually make things worse, and then, therefore, you're open to legal liability. Again, not a lawyer, don't play one on TV, don't know anything about the law. I'm just telling you that the moment you open yourself up to teaching these folks, you then make sure you could potentially incur some level of risk for your company. So you just want to make sure that you have all of that lined out before you do it. But it's not out of the realm of possibilities to help your third parties secure their networks. And I say that's because, again, like I mentioned before, where, if you're dealing with nonprofits, what can you do as a security professional to help nonprofits? You can create security programs for them. That is an important, important piece of what you're trying to accomplish. So it's crucial for businesses to adapt to these changing risk landscapes, because they're just going to have to. So, understanding supply chain threats and risks they can range from all different types of aspects, from natural disasters affecting the supplier's operations to potentially cyber criminals obviously getting a hold of their IT systems. But it can end up in a lot of different things. These are some of the outcomes Supplier insolvency, basically go out of business, quality issues, geopolitical factors all of that can roll into it. I was just reading an article today or yesterday about a hospital that was hit with ransomware And this ransomware encrypted everything And it's in the process of encrypting it all. They ended up they couldn't accept any more insurance payments And so they couldn't accept insurance payments because their computers were compromised. So they went out of business. This is a hospital went out of business because of this stuff. So it's important that you do understand these suppliers, because now, let's say, you are that hospital and you get your syringes from this company X. Company X goes out of business. Where are you gonna get your syringes? Well, i need my syringes, like yesterday. Well, the soonest you can get them from company XYZ is a week and a half. Well, that's not good. So again, you're gonna have to work through all these various aspects of the supply chain, and it did. We kind of talked about solar winds. We'll come back around to that a little bit on how it impacted everything else. Now, what are some of the frameworks that are associated with SCRM? One of them is NIST 800-161. Now it provides guidelines for federal agencies to implement supply chain risk management practices to protect their critical infrastructure. Now, does that NIST 861 apply to corporations? No, it does not. Now they are doing that for federal agencies. However, there's a lot of good things you can glean from these various NIST regulations, especially as they're targeting the US government. Why? Because the government is a monster corporation. It's huge, right? Well, because it's so big, it has so many moving parts. Well, you can take some of the aspects that they are highlighting in 861 and apply them to your own business. Now there's other NIST frameworks out there, and there's also the ISO 27001 frameworks. There's various frameworks you can use, but when it comes to supply chain risk management, the NIST 800161 is actually a pretty good one. Now there's also the ISO 28000. This is another one that's dealing with security, risk or security management systems for supply chain, and the ISO 2200243. Try saying that 10 times. And both of these offer what different aspects are around from an ISO standard. Now, if you're not familiar with ISO, it's the International Standards Organization. I think that's what it is. They provide a level of standardization that you can use as an example, right As a template, globally. So when you're dealing with a country such as, let's just say, china or in Italy, and they want to have some sort of protections in place, well, the NIST 800 series great, that's great for the United States, but that doesn't really help China and Italy. Now they can take those same things and utilize those within their own countries. However, let's take a step in their shoes. If I'm from Italy and I'm using the US government's NIST standards. Okay, yeah, big US, go away, right. But if I have the ISO standards, ooh, that might be more along my lines because it's an international standard and it maybe fits more of what I'm trying to accomplish. The bottom line is use a framework. You want a framework. Well, the 28,000 is a security managed systems and supply chain framework and the 20,243 is mitigating maliciously tainted and counterfeit products. But, bottom line, these are ones you'll hear about when you take your CISSP, so understanding them is a crucial factor. If you got to pick one that you got to know, go with the ISO 28,000. And because it's gonna be focused on the SCRM Now, knowledge of each of these standards is crucial as they set the international benchmark. We kind of talked about that a little bit earlier. Now, when you're dealing with strategies to get an effective SCRM, you wanna have supply performance management. This basically means you have a criteria for suppliers and you monitor them. Kind of back to what I mentioned before is you're monitoring to ensure that they meet whatever standard you have. If, for example, you have very sensitive data and you have a very high standard about your third parties, well, checking them out before you actually go and hire them might be a good idea, because the last thing you wanna have happen is you hire them and give them your most sensitive information and now, yeah, they don't have good controls, and that would be bad. So you wanna make sure that you have a plan to deal with that. Again, poor supplier performance can reduce risks in the supply chain, and supply management strategies can also help to detect issues early. If you can detect them early, it's better for everyone, especially you, right? Obviously, if it's your data, you wanna make sure you've got a hold of that early rather than later. However, it's important that you are transparent with these various third parties what you're trying to accomplish. The other point is, if there's somebody that is a third party that doesn't really want to partake in what you're coming forward with, they're probably not the third party you wanna work with, because what they're probably telling you is they don't have in place what you need to ensure that your data is protected. Now you also wanna ensure you have tight controls in place against both physical and the cyber side. Now this could be accounts. Have you utilize multi-factor authentication? It could be the fact that you have, if you share data with this. Third, with the supply chain company that you only share certain pieces of the information. Maybe you share, i don't know SOS A, b and C, and then you keep D, e and F and they never, ever see D, e and F. So the most that you could ever get exposed potentially is A, b, c. So something to consider. You also wanna ensure you have some level of security training for staff. This would be your staff, this could also be their staff. Like I mentioned before about teaching, a lot of these companies don't have anything. So if you came up with a training program for these people, how beneficial could that be And what kind of benefit would it provide to your company building that relationship with them? Again, we're all in this same mess together. We're all in the same boat and the boat has some holes in it and the boat is sinking. We either can all work together to plug the holes or we all go down together Now and then. The other thing is implementing an incident response plan. What exactly is that? Well, you will talk through the CISSP. We talk frequently about incident response plans, business continuity plans. Well, if you have an incident response plan in place, you are in a really good spot to start going And you want to also pass on your incident response plan, potentially to your third party, so they understand what you're doing and why you're doing it. It also may spur on them to go actually get their own plan, because maybe they need one themselves, but they're really really good to help you, give you some level of guidance and direction. As it relates to the various yeah, the SERM, i just totally lost my train of thought. All right, then the technology some of the technologies that are using with this, so these can be in various ways. Right Now, ai is coming on the market. You're getting a lot more of the AI out there. That is something that can be happening. You have IoT environments that are connected. Potentially, what if you have third parties that are managing your networks? how are you dealing with them? So there's lots of different tools that you may have out there to help you with this overall risk, and some of these other tools could be a supply chain management software, risk assessments and then various cybersecurity solutions. Each of them have pros and cons associated with them. You just have to decide which one of them is the most useful for you. So now, what are some of the futures that are dealing with SCRM. Obviously, we've got blockchain and AI, have the big buzzwords out there that have some level of implication to the SCRM plan. So, again, understanding if the AI well, i do like an example. Today I saw that AI, whatever that means, helped develop a new vaccine that is going to be ready for human trials. Well, if you have that capability already going and it's looking at all the entrance and exit points and it picks up on anomalies, that would be beneficial. They'd be very beneficial for you. So, understanding these new emerging technologies can really help with your organizations. So, the companies that are providing you information and the supply. Future challenges, again, that are dealing with SCRM. Obviously threats, global trade, regulations, war, you know, those kind of have a little bit of a negative impact on global community and the global transport. So it's important that you do understand these Now. You can't put your head in the sand and live in a bubble. You're going to have to work through these various aspects. However, knowing them is a big factor in ensuring you have the right controls and the right protections in place. And, again, as a security professional, you do really need to understand these challenges and the opportunities to help get you what you want. Okay, so here's just a couple of use cases that I know. There's others that we've just kind of even talked about between this timeframe and now, but these are two of the main ones that I've seen and actually have some good numbers behind. So obviously is the SolarWinds attack right. That occurred and it really implemented a lot of companies, both private and governmental agencies, these attackers they got in here. They were able to gain access to the SolarWinds Orion software updates, which basically allowed them to push their code wherever they wanted. This is one of the aspects I did when working as a red teamer. We wanted to try to get into this because it would push all of the updates basically magically right and you would not have to even look for or you wouldn't. All you'd have to do is put them in that package and ship them and you're good. They basically said that it included many of the Fortune 500 companies and the government agencies were affected, but what it really did was is it wanted to put negative reputation on the SolarWinds, obviously the Orion software but it also opened them up to legal litigation. Okay, potentially, i know all of that, other than say it would most likely open you up to some level. Legal litigation Again, not a lawyer, don't play one on TV but those are considerations you need to be aware of, and so if you were to be part of this overall third party hack, you can expect that you will be pulled into something that you may not want to be at some point here. The other one is not Petia. This is the not Petia ransomware attack that occurred in 2017. This affected Marsk shipping and they did about 300 million in losses just from that incident alone. They came out and they basically cleaned house, they put in all of new equipment. That was their downtime. Everything was $300 million. And then there was a pharmaceutical giant Merck. It got hit with another, with the same not Petia and it cost them close to a billion right Almost $900 million to do that. So we're talking it's crazy how many damages were accomplished, but basically they're saying that it was around $10 billion has been affected because of these type of ransomware events. I read an article It must have been gee, how long was it? Maybe about a month, two months ago And they're expecting it to be close to $25 billion in overall exposure by 2025. So $25 billion by 2025. I mean, can you imagine. So what is proven is that the other and I've mentioned this before in the podcast the other types of activities that are nefarious out there your drugs, your money laundering, prostitution, all of those things that costs that are just extremely detrimental to society. You can make $10 billion in hacking people And in their mind, nobody really got hurt except for cleaning out people's bank accounts. So, yeah, that's not good. Okay, that's all I have for today. I hope you guys enjoy this. Again, we're talking about supply chain risk management and the importance of it, and I hope you all have a blessed day and we will catch you on the flip side, see ya.