Steps for Medium Sized Businesses to Address Cyber Supply Chain Risk

by | Aug 17, 2020 | Blog, TPRM Exposure

Any business operating on the internet with internet accessible services provides an opening for anyone else on the internet – good, bad, or indifferent – to interrogate those services and see what’s running.

Bad actors and security companies alike are constantly scanning the internet for vulnerabilities, but they usually lack context about what they find: what a host is for, what data sits behind it, and whether a flagged issue is actually reachable. That context is what should give an in-house security team the advantage over anyone running scrapers or scanners looking to exploit those vulnerabilities.

Medium-sized businesses should expect their larger customers and clients to contact them about potential vulnerabilities. According to AlixPartners' Bill Varhol, the requests generally fall into three categories:

  • A newsworthy vulnerability that puts data at risk, such as Heartbleed or Shellshock. Larger organizations will want to know exactly what is vulnerable and when it will be fixed.
  • Vendor onboarding diligence, usually through questionnaires or third-party security companies. These often involve smaller-scale findings such as missing SPF records or weak cryptography, but they can also include unreviewed, automated findings with a higher false-positive rate, such as employee email addresses found on public websites. Typical items in this category:
      ◦ Potential typo-squatting domains that the business should be aware of
      ◦ Outdated browser versions
      ◦ Web-application findings such as cookies set without the HttpOnly flag
  • A suspicious email that appears to originate from a domain owned by the medium-sized business.
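As an added example (not code from the post or from AlixPartners), here is a small Python triage helper for three of the finding types listed above: cookie attribute flags, SPF record presence and policy, and lookalike domains. The sample Set-Cookie headers, TXT records and the example.com domain are constructed; in real use the headers come from your own HTTP responses and the TXT records from a DNS lookup of your domain.

```python
"""Triage helpers for the kinds of external-hygiene findings listed above.

Added example, not code from the original post. The sample data below is
constructed; in practice the Set-Cookie headers come from your own HTTP
responses and the TXT records from a DNS lookup of your domain.
"""

# Constructed sample inputs (assumptions, not real company data).
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/",
    "csrftoken=xyz; Path=/; Secure",
]
SAMPLE_TXT_RECORDS = [
    "v=spf1 include:_spf.example-mailer.com ip4:203.0.113.0/24 -all",
    "google-site-verification=abc",
]


def audit_set_cookie(header: str) -> dict:
    """Return the cookie name and the protective attributes it lacks.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [flag for flag in ("HttpOnly", "Secure", "SameSite")
               if flag.lower() not in attrs]
    return {"name": name, "missing": missing}


def audit_spf(txt_records: list) -> dict:
    """Locate the SPF record among a domain's TXT records and classify it.

    A domain must publish at most one 'v=spf1' record (RFC 7208); more than
    one is a permanent error and receivers treat it as no policy at all.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "records": 0, "policy": None}
    if len(spf) > 1:
        return {"present": True, "records": len(spf),
                "policy": "invalid (multiple SPF records)"}
    last_term = spf[0].split()[-1].lower()
    policy = {
        "-all": "hardfail",
        "~all": "softfail",
        "?all": "neutral",
        "+all": "pass-all (no protection)",
    }.get(last_term, "no 'all' mechanism")
    return {"present": True, "records": 1, "policy": policy}


def typosquat_candidates(domain: str) -> set:
    """Generate single-character omissions and adjacent transpositions of the
    registrable label, the lookalikes most often reported in diligence findings.
    """
    label, _, tld = domain.partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])              # omission
        if i + 1 < len(label):
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            variants.add(swapped)                             # transposition
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants}


def triage_report(cookies=SAMPLE_SET_COOKIE_HEADERS,
                  txt_records=SAMPLE_TXT_RECORDS,
                  domain="example.com") -> list:
    """Turn raw observations into the short list a customer will ask about."""
    findings = []
    for header in cookies:
        result = audit_set_cookie(header)
        if result["missing"]:
            findings.append(f"cookie '{result['name']}' missing "
                            + ", ".join(result["missing"]))
    spf = audit_spf(txt_records)
    if not spf["present"] or spf["policy"] not in ("hardfail", "softfail"):
        findings.append(f"SPF: {spf['policy'] or 'no record published'}")
    findings.append(f"{len(typosquat_candidates(domain))} lookalike domains "
                    f"of {domain} worth checking for registration")
    return findings


if __name__ == "__main__":
    for line in triage_report():
        print(line)
```

Having checks like these on hand before a customer's questionnaire arrives lets the team answer with the context the scanner lacked: which cookie is a session token and which is a harmless preference, whether the SPF record is actually enforced, and which lookalike domains are already registered by someone else.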

Listen to Bill's guidance on how medium-sized businesses should prepare to address security issues like these with customers and clients:

Podcast with Bill Varhol