Understanding and Mitigating Upstream Supply Chain Risks in Business Operations
Learn to manage upstream supply chain risks, including malware threats, business continuity, and supplier risk assessments, to protect critical systems.
Supply Chain Risk Management
Added on 09/25/2024

Speaker 1: In this lesson, we expand risk management beyond our network perimeter to the supply chain. There are two types of supply chains, upstream and downstream. The downstream supply chain consists of customers and other private and public entities that receive products, services, or regulatory reports. They are essential in business continuity planning, but we focus on upstream supply chain risk in this lesson. Upstream supply chains provide products and services that enable business operation. Upstream connections include materials for manufacturing, supplies for distribution, office supplies, and software maintenance and updates. The upstream supply chain does not stop with immediate suppliers. Those suppliers also have connections to their own supply chains. This can result in multiple steps in a supply chain before a product, service, or software is delivered to an organization. At a high level, upstream supply chain risks include disruptions to delivery of products and services and the insertion of malware. Supply chain compromises can enable attackers to bypass all controls and infect critical systems on implicit trust zones. Supply chain disruptions are caused by the same threats that affect all organizations: theft of intellectual property or trade secrets, business continuity events, counterfeit components inserted somewhere in the supply chain, and malware and other cyber attacks against providers somewhere in the supply chain. Managing supply chain risks requires understanding the risks faced by suppliers and how they are managed. This includes understanding how governance activities are applied or if they are applied, supplier risk management procedures and residual risk, whether or not a supplier has adopted and uses a compliance framework, and if the supplier's security is certified by a third party.
Not all of these considerations are needed for all suppliers, and the depth of assessments depends on the associated risk to the customer organization. Another critical risk assessment item is business continuity. How well have suppliers planned for business continuity events, including disasters? Supply chain malware is not just a possible product and service interruption. Malware can also make its way into the supply chain and infect highly protected systems in customer networks. For example, a cyber criminal can insert malware somewhere in a software vendor's supply chain. She could also compromise the vendor's network to compromise software products or their updates. Once this happens, customer businesses are at risk of installing infected software into highly secure network segments. This often occurs because software products are automatically updated at customer sites without any customer review. Firmware updates are also subject to malware infection. In either case, ensuring the software and firmware providers are using reasonable and appropriate controls is the first risk mitigation step. In addition to assessing supplier risk, customer organizations must also manage any supply chain malware that might get through. This begins with identifying critical mission or business processes and the trust zones supporting them. An up-to-date inventory is also needed to understand what applications are installed and may be receiving automatic or user-controlled updates. It's also important to know where those applications reside. An organization must also perform daily reviews of announced vulnerabilities or malware that may have entered the supply chain. This kind of incident must be included in incident response planning and training. Customer organizations must also know the correct IP addresses and URLs used by vendors for updates. Attackers sometimes redirect updates so they can come from malicious servers.
Organizations should assume a supply chain attack will be successful. All endpoints involved in updates must be monitored and related business function interruptions included in business continuity planning. Various frameworks exist to assist organizations in managing supply chain risk including SCORE, ISO 28000, ISO 9001, and NIST IR 7622. That's it for this lesson. If you have questions, please ask. And until next time, be careful what you click.