Know what it takes to create a VRM program that’s ready and able to stand up to the current state of affairs and find a step-by-step guide for creating a sustainable and scalable vendor risk management program from the ground up.
A little over a month ago, Microsoft discovered a software security vulnerability that could ultimately lead to one of the worst cybersecurity attacks since 2017’s infamous WannaCry ransomware incident.
Dubbed BlueKeep, the Remote Desktop Protocol (RDP) vulnerability is so potentially dangerous that both Microsoft and the National Security Agency (NSA) have issued advisories about its existence. Microsoft has written two blog posts on the topic, while the NSA has gone so far as to say that the terrorist organization ISIS is actively exploring ways to exploit BlueKeep. Meanwhile, the Department of Homeland Security is encouraging everyone to patch their systems now.
The commonalities between BlueKeep and WannaCry are troubling. Both are the result of RDP exploitations, the latter arising from the NSA’s EternalBlue, which was also tied to the Petya ransomware. Both are “wormable” exploits which can automatically propagate across systems without the need for user authentication or interaction.
Most troublesome, WannaCry spread because thousands of systems went unpatched. Several weeks after BlueKeep was discovered, close to one million systems with RDP exposed to the internet remain unpatched.
Perhaps one reason is that companies are not as diligent as they could be about monitoring the cyber posture of their supply chain partners. As we’ve written about before, supply chain visibility — or lack thereof — is a big problem, especially in an increasingly interconnected world.
Thanks to the global economy, organizations routinely work with vendors from all over the world, with vastly different expectations of security exposure. How can you be sure that these vendors and partners are routinely patching their systems to ensure that they’re protected against “wormable” vulnerabilities like BlueKeep and WannaCry? Sure, you could ask your suppliers if they’re doing their due diligence and practicing good security hygiene — and they may answer “yes” — but who knows if that’s really true?
You can take extra measures to ensure that these vendors are implementing precautions to protect their applications, but often these measures come with some drawbacks. You could demand that your vendors take remedial action, but you still need a way to prove that those actions occurred (“trust, but verify”). You could also go to extremes and disconnect the business entity from your network, but that can result in huge disruptions to your business.
Gaining visibility into your vendors’ security postures is a better approach. Third-party risk management should be about understanding where your partner’s vulnerabilities lie in real-time so that you can work with them to target those vulnerabilities. You can then get a sense for which of your partners is serious about delivering solutions that are impervious to risk, allowing you to keep your supply chain clear and free from threat. Without visibility, you’ll run the risk of leaving your entry points open.
That’s precisely what organizations like ISIS and other groups are counting on. They understand that companies are busy and perhaps not paying as much attention to issues like BlueKeep as they should, despite all of the alarms that have been sounded. All they need is a single point of entry for an attack to spread like wildfire.
Right now, the companies that are most vulnerable to BlueKeep are in the telecommunications, education, and technology sectors. Imagine what could happen if an assailant were to use BlueKeep to gain a foothold into the nation’s communication grid?
Don’t provide them with the opportunity to initiate an exploitation. Don’t sit back and wait for malware to be detected, because it’s only a matter of time. Don’t take the chance of being an accidental party to financing a terrorist attack because bad actors were able to use the exploit to steal your financial data.
Instead, gain visibility into your supply chain. Close the potential entry points. Develop a plan and be prepared. Know that although no malware resulting from BlueKeep has been detected yet, it’s only a matter of time. Act now before BlueKeep evolves into WannaCry 2.0.
Visit our BlueKeep Resource Center to stay up to date on the latest news & BitSight research on the BlueKeep vulnerability and learn how you can protect yourself and your supply chain from this and other emerging risks.