January 13, 2022 | Lisa Liu
The modern world is scary, but 80s horror slashers were no walk in the woods either. Except, there were plenty of walks in the woods and there were plenty of victims who “fell” prey to those walks...
In order to determine what some of those “unalived” teenagers should have done differently, we are going to ask a peculiar question: What do Jason Voorhees and a cybersecurity supply chain risk have in common? Answer: Either one can quickly become a compromise that single-handedly damages an entire organization - regardless of whether that organization is a group of unsuspecting counselors at a decrepit summer camp or the U.S. Department of the Treasury.
Just as cybersecurity risk in the supply chain is “the potential for harm or compromise that arises from the cybersecurity risks posed by suppliers, their supply chains, and their products or services,” Jason Voorhees in the Friday the 13th series presents a nasty threat (that grows absurdly more powerful with each franchise).
A small risk can introduce a big problem. There are lessons the Christys could have taken from the NIST Computer Security Resource Center's (CSRC's) Best Practices in Cyber Supply Chain Risk Management that might have changed the unfortunate fate of the Camp Crystal Lake victims. Below are the key cyber supply chain risks and a translation of the mitigations that may have helped the franchise casualties achieve a more lively ending:
Third party service providers or vendors - from janitorial services to software engineering - with physical or virtual access to information systems, software code, or IP. Do not provide access to insecure third parties, regardless of how desperately you need their services. This is especially true if you have not conducted a full background investigation on the provider, and particularly if said provider is a psychotically violent short-order cook that you met at the local diner.
Poor information security practices by lower-tier suppliers. Implement trustworthy, reliable access controls and fundamental security protections. Consider that the local police, whose only experience is in chasing the town's outcast and who hold a response-time record of “right before the credits roll,” may not be the best protection for your camp.
Compromised software or hardware purchased from suppliers. Avoid using software or hardware with known vulnerabilities - no matter how “small.” Allow your psychotic cook to resign so she can address her son's compulsion for mutilating kittens offsite (and hopefully with professional assistance). Under no circumstances should you bring the child to the campground in order to retain the mother's services.
Software security vulnerabilities in supply chain management or supplier systems; counterfeit hardware or hardware with embedded malware; third party data storage or data aggregators. Supplier compromises and embedded malware become your vulnerabilities. If your cook resigns (again) due to grief over the drowning of her son, you may need to question why she would like to return to work a year later and whether she intends to exact revenge on the negligent camp counselors involved in her son's death. You may also want to check your policies to determine how she discovered your poor hiring decisions in keeping these negligent counselors employed.
Hockey masks aside, any mention of Friday the 13th is incomplete without addressing its many superstitions of bad luck to avoid: black cats, black birds, spilling salt, breaking mirrors, walking under a ladder, and many more. Superstitions, in many ways, are a form of preparation. They gain popularity because these beliefs set our expectations of threatening events and their consequences and guide behaviors to avoid them. By anticipating potential risks, we gain an opportunity to move ourselves out of the threat range and into security, sometimes even gaining an attack of opportunity against our threats. However, superstitions are grounded in the unknown. Step one of any risk management process is identifying all the potential unknowns. By proactively identifying the unknown, we elevate our ability to prepare for and respond to the risk - sometimes mitigating it or avoiding it altogether.
To ensure you enjoy a secure Friday today (and every day beyond this), NetImpact is thrilled to announce the upcoming launch of our latest SaaS app, Cybersecurity Supply Chain Risk Management (C-SCRM). C-SCRM provides real-time visibility into supply chain operations, including software security, to help you identify and treat potential risks that disrupt your supply chain ecosystem and can threaten the entirety of your enterprise functions. With risk assessment wizards and predictive analytics, C-SCRM builds resiliency for your organization with each step, from detection through treatment.
While C-SCRM may not protect you against a deranged and disfigured immortal serial killer with inexplicable supernatural powers and his equally violent mother, it just may save you $12M, sleepless nights, and undesirable front page coverage.
Learn more about C-SCRM in our upcoming launch news by following NetImpact on LinkedIn.