Fast and decision-enabling cybersecurity information
Assessment Services
Vendor Controls Assessments, Data Driven Vendor Assessments, Data Driven Product Assessments, and File Integrity and Authenticity Assurance
Standardized and Customizable.
Supply Chain Risk Management is about Vendors and Products
Utilizing best practices for security and NERC CIP compliance.
Vendor Controls Assessments
Standardized A2V Vendor Questionnaire
- Quantifying cybersecurity risk
- Findings are resolved by avoiding, mitigating/remediating, accepting or transferring the risk
- Out-of-the-box workflows enable industry best practices while allowing for configurations
- Non-responsive vendors flagged to be revisited during contract renewal
- A2V provides collective bargaining power
Data Driven Vendor Assessments
Summarized & scored with full transparency into…
- Risk management personnel
- Public cybersecurity posture
- Web scanner results
- Negative news, regulatory & compliance
- Financial, merger & acquisition
- Fourth-party incidents
- Privacy policies
Product Assessments
Cybersecurity information for products addressing risk across…
- Inherent product risk
- Vulnerability and patch remediation risk
- Product security risk (controls-based)
File Integrity Assurance
- Software source authenticity verification
- Patch integrity validation
Achieve your security and compliance goals faster!
CIP-013-1 R1.2 Security Requirements
- Notification by Vendor
- Coordination of Response
- Disclosure by Vendor
- Verification of Software
- Identity Verification
- Integrity Verification
Asset to Vendor Network
We can help you reach your CIP requirements on time
Continuous Monitoring

Data-Driven Risk Ranking
The analytics-based approach to ranking vendor risk.
Data Driven Risk Ranking uses web scraping, APIs, cyber geolocation and machine learning to classify vendors by industry and inherent risk.
Data-driven risk ranking/tiering uses machine learning, web scraping, cyber scans and human analysis to determine inherent risk across: (1) system access [application and/or hardware], (2) data access, (3) physical access, (4) offshore, (5) cloud, (6) financial, (7) strategic, and (8) fourth-party.
Validation
- Company’s primary business
- Revenue
- Employees
- Domain names
Information Gathering
- Keyword scan vendor website
- Identify cyber global footprint
- Match against public and private databases
Enrichment
- Learning for classification
- Review validation and conclusions
Business Rule
(Configurable)
- Mimics the risk rank scoring methodology
Insights
- Cyber risk
- Breach data
- Compliance data
- Custom data sources
Data-driven risk ranking can rank up to tens of thousands of vendors in days.
File Integrity Assurance
Software source authenticity and file integrity
In Compliance with NERC CIP-010-3
Software Source Authenticity
Is the IDENTITY suspect?
Best Practices: Monitor…
- DNS IP changes
- BGP route hijacking
- Prefix, path, data plane, policy
- SSL/TLS certificates
- Threat intelligence
Software File Integrity
You can’t trust the vendor hash
What if the attacker replaced the published hash at the same time they replaced the file with an infected one?
You can’t trust MD5 hashes
They are cryptographically insecure
You can’t trust third-party sites
How do you know they have not been compromised?
File Integrity Assurance Meets These Requirements
Chain of custody
Immutability
End-to-end encryption using non-interceptable means such as Perfect Forward Secrecy
Malicious Code Detection
Asset to Vendor Network
Continuous Monitoring
A2V continuously monitors
- Hash lookups in malicious file databases
- Antivirus scanning
- YARA rule detection
- Malicious JavaScripts loaded on compromised download pages
(It’s not just the software, but the source too!)
Firmware Analysis and Source Composition Analysis
- Hard-coded Secrets
- Weak Passwords
- Vulnerabilities
- Outdated/Third-party Components
- Insecure Coding Practices
- Insecure Functions
- Lack of Exploit Mitigation
- Manual Suspicious File Investigation
- Custom Security Analysis (YARA Rules)
File Integrity Assurance
Verifying the source of the file and the integrity of the software
File Integrity Assurance (FIA) Process
Fortress downloads target file
- Optional on-premise file repository
- Optional integration/configuration with ticketing and patch deployment systems
- E.g., ServiceNow, Remedy, LANDesk, RH Satellite, Ivanti
Authenticity & integrity checks
- Authenticity – breaches, encryption, certificates, DNS
- Integrity – code signing, malware, sandbox (when other checks fail), firmware 3rd party analysis, custom rules (e.g., YARA rules)
- SHA-256 hash stored in private blockchain
Utility checks file hash
- Via command-line interface or
- Via upload file to online repository or
- Via integrated secure file storage
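The process above boils down to three checks a utility-side tool has to get right: compute the file's SHA-256 (not MD5, for the reason given earlier), compare it against a hash that was recorded by a trusted party and cannot be silently edited afterwards, and refuse the file when either the hash or the record it is compared against has been tampered with. The block below is an added illustration of those steps, not Fortress's or A2V's code; the append-only hash-chained ledger stands in for the "private blockchain" on the page, the file contents are constructed samples, and the function and class names are hypothetical.

```python
"""Illustrative file-integrity check (not vendor code): a trusted party records the
SHA-256 of a vendor file in an append-only, hash-chained ledger; a utility later
recomputes the hash of its own download and verifies it against that record."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed sample inputs standing in for a vendor patch and an attacker's modified copy.
VENDOR_PATCH = b"constructed-firmware-v1.2.3:" + bytes(range(256))
TAMPERED_PATCH = VENDOR_PATCH + b"\x90\x90"  # two bytes appended by an attacker

GENESIS = "0" * 64  # prev_hash of the first ledger entry


def sha256_hex(data: bytes) -> str:
    """SHA-256 rather than MD5: MD5 collisions are practical, so an MD5 match proves little."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class LedgerEntry:
    index: int
    filename: str
    sha256: str      # hash of the file as recorded by the trusted party
    prev_hash: str   # entry_hash of the previous entry (GENESIS for the first)
    entry_hash: str  # SHA-256 over this entry's other fields, chaining it to prev_hash


def _entry_payload(index: int, filename: str, sha256: str, prev_hash: str) -> bytes:
    # Canonical (key-sorted) encoding so recording and verification hash identical bytes.
    return json.dumps({"i": index, "f": filename, "h": sha256, "p": prev_hash}, sort_keys=True).encode()


class HashLedger:
    """Append-only ledger: every entry commits to the one before it, so editing or
    removing a recorded hash invalidates every later entry (the immutability property)."""

    def __init__(self) -> None:
        self.entries: List[LedgerEntry] = []

    def record(self, filename: str, data: bytes) -> LedgerEntry:
        index = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        digest = sha256_hex(data)
        entry_hash = sha256_hex(_entry_payload(index, filename, digest, prev))
        entry = LedgerEntry(index, filename, digest, prev, entry_hash)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """The chain tip; publishing or signing this value anchors the whole ledger."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify_chain(self, trusted_head: Optional[str] = None) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = sha256_hex(_entry_payload(i, e.filename, e.sha256, prev))
            if e.index != i or e.prev_hash != prev or not hmac.compare_digest(expected, e.entry_hash):
                return False
            prev = e.entry_hash
        # Without an externally anchored tip, an attacker who rewrites the LAST entry and
        # recomputes its hash is not caught; checking against a published head closes that gap.
        if trusted_head is not None and not hmac.compare_digest(prev, trusted_head):
            return False
        return True

    def lookup(self, filename: str) -> Optional[str]:
        for e in reversed(self.entries):  # newest record for that filename wins
            if e.filename == filename:
                return e.sha256
        return None


def verify_download(ledger: HashLedger, filename: str, downloaded: bytes,
                    trusted_head: Optional[str] = None) -> str:
    """Utility-side check. Returns 'ok', 'ledger-tampered', 'unknown-file' or 'mismatch'."""
    if not ledger.verify_chain(trusted_head):
        return "ledger-tampered"
    expected = ledger.lookup(filename)
    if expected is None:
        return "unknown-file"
    # Constant-time comparison of hex digests.
    return "ok" if hmac.compare_digest(expected, sha256_hex(downloaded)) else "mismatch"


def tamper_recorded_hash(ledger: HashLedger, filename: str, data: bytes,
                         recompute_entry_hash: bool) -> None:
    """Simulate the scenario the page warns about: an attacker overwrites the stored hash
    so that it matches their replaced file (optionally re-hashing the edited entry too)."""
    for i, e in enumerate(ledger.entries):
        if e.filename == filename:
            new_digest = sha256_hex(data)
            new_entry_hash = (sha256_hex(_entry_payload(i, filename, new_digest, e.prev_hash))
                              if recompute_entry_hash else e.entry_hash)
            ledger.entries[i] = replace(e, sha256=new_digest, entry_hash=new_entry_hash)
            return
```

The chain alone detects any edit to an entry that has later entries behind it; the only edit it cannot see is a full rewrite of the final entry, which is why `verify_chain` also accepts a `trusted_head` that the utility obtains out of band (a signed or separately published tip, or the consensus copy held by other nodes of a private blockchain).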
ADOPT THE CONSERVATIVE APPROACH TO CIP-013-1
The largest utilities (including those set to be audited in late 2020 and early 2021) and industry advocates are embracing the secure spirit of CIP-013 by adopting these best practices:
1. Broadly defining a BES asset
By including any vendor with physical, not just remote or logical, access to BES assets
2. Retroactively applying the standards
The letter of CIP-013 requires a security risk management plan, but these organizations are planning retroactive implementation
3. Ultimately including all vendors
Processes are being completely overhauled from supply chain to procurement/sourcing to IT, and analytics are being used to quickly classify legacy vendors with a high likelihood for CIP-013 applicability
4. Performing comprehensive assessments
The CIP-013 standard vaguely requires an assessment, and these organizations are choosing to use assessments with up to several hundred questions