Chapter 7 of 12
10 min

Supply Chain and Third-Party Risks

    Supply chain attacks exploit trusted vendor relationships to compromise many targets at once through a single point of entry. The 78% increase in supply chain attacks in 2024, highlighted by major incidents such as Change Healthcare and CrowdStrike, demonstrates how third-party risks can cause catastrophic business disruption.

    The Scale of the Problem

    2024 Major Incidents:

    • Change Healthcare: Ransomware affecting millions of patients
    • CrowdStrike update: Global outage affecting critical infrastructure
    • CDK Global: Auto dealer software compromise
    • XZ Utils backdoor: 2.5-year supply chain compromise attempt
    • 78% increase in supply chain attacks overall

    Attack Vectors

    Software supply chain:

    • Compromised updates/patches
    • Backdoored libraries/dependencies
    • Malicious open-source packages
    • Build environment compromise

    Vendor access abuse:

    • Stolen vendor credentials
    • Compromised VPN access
    • Lateral movement from vendor
    • Data theft via vendor access

    Hardware supply chain:

    • Pre-installed malware
    • Compromised firmware
    • Counterfeit components
    • Interdiction attacks

    Third-Party Risk Assessment

    Vendor security evaluation:

    • SOC 2 Type II reports
    • Penetration testing results
    • Incident response capabilities
    • Security training programs
    • Insurance coverage

    Access management:

    • Least privilege access only
    • Time-limited credentials
    • MFA required
    • Regular access reviews
    • Monitor vendor activity

    Contract requirements:

    • Security standards clauses
    • Incident notification requirements
    • Right to audit
    • Data handling requirements
    • Liability provisions

    Protection Strategies

    Vendor management:

    • Risk-based vendor categorization
    • Annual security assessments
    • Continuous monitoring
    • Alternative vendor plans
    • Regular contract reviews

    Technical controls:

    • Segment vendor network access
    • Monitor vendor connections
    • Restrict data access
    • Log all vendor activity
    • Anomaly detection
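    The access-management and technical-control bullets above can be enforced as a policy check over vendor access logs: each vendor account gets an approved network segment, an access window, a credential expiry and an MFA requirement, and every logged event is tested against them. The following Python is an added example and not part of the course material; the vendor name, host names, log line format and policy values are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class VendorPolicy:
    allowed_hosts: set            # hosts inside the vendor's network segment
    window: tuple                 # (start_hour, end_hour) in UTC, end exclusive
    credential_expires: datetime  # cut-off for the time-limited credential
    require_mfa: bool = True

POLICIES = {  # constructed sample policy for a hypothetical HVAC maintenance vendor
    "hvac-vendor": VendorPolicy({"bms-gw-01"}, (8, 18),
                                datetime(2024, 6, 30, tzinfo=timezone.utc)),
}

def parse_event(line):
    """Parse a constructed log line: '<iso-timestamp> vendor=<id> host=<host> mfa=<yes|no>'."""
    ts, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def check_event(event, policies):
    """Return the list of policy violations for one event; an empty list means in policy."""
    policy = policies.get(event["vendor"])
    if policy is None:
        return ["unknown vendor account"]   # no policy on file means not an approved account
    findings = []
    if event["host"] not in policy.allowed_hosts:
        findings.append(f"host {event['host']} outside segment")
    if not (policy.window[0] <= event["ts"].hour < policy.window[1]):
        findings.append("access outside approved window")
    if event["ts"] > policy.credential_expires:
        findings.append("credential past expiry")
    if policy.require_mfa and event.get("mfa") != "yes":
        findings.append("MFA not used")
    return findings

def review_log(lines, policies=POLICIES):
    """Map each violating log line to its findings; in-policy lines are omitted."""
    return {ln: f for ln in lines if (f := check_event(parse_event(ln), policies))}

SAMPLE_LOG = [  # constructed events, not real telemetry
    "2024-05-02T10:15:00+00:00 vendor=hvac-vendor host=bms-gw-01 mfa=yes",
    "2024-05-02T02:40:00+00:00 vendor=hvac-vendor host=bms-gw-01 mfa=yes",
    "2024-05-03T11:00:00+00:00 vendor=hvac-vendor host=fileserver-01 mfa=no",
    "2024-07-10T09:00:00+00:00 vendor=hvac-vendor host=bms-gw-01 mfa=yes",
    "2024-05-03T12:00:00+00:00 vendor=old-vendor host=bms-gw-01 mfa=yes",
]
```

    Only the first sample event is in policy; the rest trip exactly one of the controls each (or two for the off-segment, non-MFA login), which is the kind of output a regular access review or an escalation path would consume.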

    Incident response:

    • Vendor breach notification procedures
    • Joint response exercises
    • Clear escalation paths
    • Regular tabletop exercises

    Key Takeaways

    • 78% increase in supply chain attacks
    • Vendor security is your security
    • Risk-based assessments for all vendors
    • Limit and monitor vendor access
    • Contract requirements for security standards
    • Incident response plans include vendor scenarios