Responding to Supply-Chain Risk—It’s Not Just About Vendor Management | BakerHostetler


Organizations around the globe began 2021 grappling with two significant supply-chain attacks. First, the SVR, Russia’s foreign intelligence service, planted malicious code in Orion, SolarWinds’ flagship network management suite. When 18,000 Orion customers updated their software, they also unwittingly installed the SVR’s malicious code, giving the Russian intelligence agency direct access to the customers’ networks.

The second attack came in March, when news broke that a threat actor labeled HAFNIUM was exploiting four previously unknown vulnerabilities in Microsoft Exchange, the ubiquitous email server platform. Information security teams scrambled to install Microsoft’s emergency fix and evaluate the damage. Within days, other threat actors began targeting unpatched systems for their own goals, including ransomware attacks.

With these incidents putting supply-chain risk in the spotlight, many organizations are now examining their process to assess vendors. Likewise, the Biden administration has promised new executive orders to address supply-chain risk that will impose new testing requirements and notice obligations on companies that supply software (and…
