I was fortunate to be on a panel to discuss the Software Supply Chain with Richard Rushing, Bryan Hurd and Richard Greenberg (moderator) for the ISSA Los Angeles chapter on Wednesday (1/19/21). Click here to view the recording, https://www.youtube.com/watch?v=y3wqCc34tME.
Supply chain security can refer to suppliers who provide services, staffing, support, or who develop software/hardware. The supply chain is varied and different across industry segments and organizations. If you consider the development of applications or electronics, there may be a long list of companies who contribute to the final product. The longer the supply chain and the less visibility you have into (or ability to assess) each supplier, the higher the overall complexity and resulting risk to your organization.
Let’s consider the software that we use in our own organizations. There is a lot of it. Do you have a complete inventory of the software you have running on your endpoints, or supporting business processes? Having a granular software inventory and an approved enterprise application catalog is a starting point. The granular information you need includes: “Who owns and makes decisions about the application?” “Who supports and patches it?” “Who budgets for and pays for licenses?” “What is the application architecture and how does it communicate?” Having a central trusted software inventory (this may differ between desktops and servers) is a starting point. Read More
[via CI Security] “The National Critical Functions construct provides a risk management approach that focuses on better understanding the functions that an entity enables or to which it contributes, rather than focusing on a static sector-specific or asset world view. This more holistic approach is better at capturing cross-cutting risks and associated dependencies that may have cascading impact within and across sectors. It also allows for a new way to view criticality, which is linked to the specific parts of an entity that contribute to critical functions. By viewing risk through a functional lens, we can ultimately add resilience and harden systems across the critical infrastructure ecosystem in a more targeted, prioritized, and strategic manner.”
Equifax suffered huge damages after the well-publicized breach. Now, come to find attribution points to a culture of complacency. Executives should attend the The First Annual Atlanta Symposium on Cyber Culture and Team Building with others from their executive team. This event is intended to be cross-cultural and bring together the entire C-Suite. Learn more and register today!
Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware --
Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
