The Five Eyes intelligence alliance has issued a joint advisory, timed to coincide with the National Cyber Security Centre's (NCSC) annual CyberUK conference, alerting managed service providers (MSPs) and their customers to potential cyber attacks on the supply chain.
The joint advisory, backed by the national cyber security agencies of Australia, Canada, New Zealand, the United Kingdom and the United States, sets out a series of practical steps that can be taken to reduce the risk of supply chain compromise, such as the notorious SolarWinds and Kaseya incidents, in which threat actors used a vulnerable product or service as the initial point of access to customer networks, with cascading global effects.
The authorities have issued guidance on this topic before, but the latest advice focuses on ensuring transparent, well-informed discussions between MSPs and their customers, centred on the protection of sensitive information and data.
They said these discussions should lead to a reassessment of existing security processes and contractual arrangements to suit the customer's risk appetite.
It can also be read alongside the related guidance issued in connection with the war in Ukraine, as many recent supply chain intrusions have been orchestrated by Russia-based threat actors, and it is considered a clear possibility that such incidents will continue to occur as the war goes badly for Russia.
“We are committed to further strengthening the UK’s resilience and working with international partners is a vital part of that,” said NCSC CEO Lindy Cameron.
“Our joint advisories with international partners are aimed at raising awareness among organizations about the growing threat of supply chain attacks and the steps they can take to reduce their risk.”
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said: “I urge both managed service providers and their customers to follow this and our broader guidance – ultimately helping to protect not only them but organizations around the world.
“As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it is crucial for MSPs and their customers to take the recommended actions to protect their networks.
“We know that MSPs that are vulnerable to exploitation significantly increase the downstream risks for the businesses and organizations they support,” Easterly said. “Securing MSPs is crucial to our collective cybersecurity, and CISA and our interagency and international partners are committed to enhancing security and improving the resilience of our global supply chain.”
Cameron and Easterly’s Australian counterpart, Abigail Bradshaw, added: “MSPs are vital to many businesses and, as a result, are a major target for malicious cyber actors.
“These actors use them as launching pads to disrupt their customers’ networks, which we see are often compromised through ransomware attacks, business email compromise and other methods.
“Effective steps can be taken to strengthen their own networks and protect their customers’ information,” she said. “We encourage all MSPs to review their cybersecurity practices and implement the mitigation strategies outlined in this advisory.”
Some of the guidance in the advisory includes an emphasis on retaining the most important log files for at least six months, given that incidents can take a long time to detect; the adoption of multi-factor authentication across MSPs’ customer bases, with a requirement for its use written into contracts; and attention to patching known exploited vulnerabilities in software, operating systems and firmware – CISA maintains an extremely detailed catalogue of these which, although aimed at American organizations, is globally relevant.
The advisory also clarifies that this guidance must be applied appropriately to each organization’s unique environment, in line with its specific security needs and with the relevant regulatory provisions.