FAQs on Ransomware and Supply Chain Risk Management

To protect themselves against ransomware attacks, credit unions should: 

• Update software and operating systems with the latest patches. Verify all of your networks and endpoints are patched and updated regularly. Consider automatically updating systems where possible.
• Never click on links or open attachments in unsolicited emails.
• Follow safe practices when browsing the Internet. Read CISA’s Good Security Habits for additional details.
• Replace equipment running older unsupported operating systems. Outdated applications and operating systems are the target of most attacks. For those rare cases where immediate decommissioning of legacy systems is impossible, isolate those systems from core networks and sensitive and critical systems and data.
• Verify your vendors and third-party service providers connected to your networks or holding your data have implemented appropriate security practices.
• Ensure you have complete and tested current backups of all critical systems and data. Keep it on a separate device and store it offline.

• Conference of State Bank Supervisors - Ransomware Self-Assessment Tool (R-SAT)
• Center for Internet Security white paper - Security Primer - Ransomware 
• National Security Agency Central Security Service - Cybersecurity page
• National Institute of Standards and Technology - Cybersecurity Framework
• Cybersecurity & Infrastructure Security Agency - Ransomware page
• Cybersecurity & Infrastructure Security Agency - Ransomware Guide
• Treasury Department - Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

Information and communications technology (ICT) is integral for the daily operations and functionality of U.S. critical infrastructure. If vulnerabilities in the ICT supply chain; are exploited, it presents a risk to the entire institution. Institutions should consider not just the risk associated with third-party vendors, but their entire information and communications technology supply chain. This includes hardware, software, and all managed services from third-party vendors, suppliers, service providers, and contractors.

Vulnerabilities may be introduced during any phase of the product life cycle: design, development and production, distribution, acquisition and deployment, maintenance, and disposal. These vulnerabilities can include the incorporation of malicious software, hardware, and counterfeit components; flawed product designs; and poor manufacturing processes and maintenance procedures.

Cyber security experts¹  have predicted software supply chain attacks will become more widespread because many software development and distribution channels lack proper cyber and process protections.  Other cyber-attack paths are becoming less optimal as system owners improve the overall cybersecurity posture of their networks, components and computers.

The Cybersecurity and Infrastructure Security Agency has developed the following essential steps in building an effective supply chain management (SCRM) practice:

1. Identify the people: Build a team of representatives from various roles and functions of the company (e.g., cybersecurity, information technology, physical security, procurement/acquisition, legal, logistics, marketing, and product development). Ensure personnel at all levels are well-trained in the security procedures of their role or function.
2. Manage the security and compliance: Document the set of policies and procedures that address security, integrity, resilience, and quality. Ensure they are based on industry standards and best practices on how to conduct SCRM such as those from the National Institute of Standards and Technology (NIST).
3. Assess the components: Build a list of ICT components (e.g., hardware, software, and services) that your organization procures to enable your business. Know which internal systems are relied upon for critical information or functions, and which systems have remote access capability that must be protected to prevent unauthorized access.
4. Know the supply chain and suppliers: Identify your suppliers and, when possible, the suppliers’ sources. In today’s world of increased outsourcing, it is important to understand your upstream suppliers as part of the larger supply chain ecosystem.
5. Verify assurance of third-parties: Verify that your suppliers maintain an adequate security culture and SCRM program to appropriately address the risks that concern your organization. Establish the protocols your organization will use to assess the supply chain practices of your suppliers.
6. Evaluate your SCRM program: Determine the frequency with which to review your SCRM program, incorporate feedback, and make changes to your risk management program. 

According to the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, advanced persistent threat (APT) actors are actively attempting to infiltrate information technology (IT) service provider networks.² To ensure their IT service providers have adequate security controls in place, credit unions must conduct proper due diligence and ongoing monitoring.

The number of credit unions using IT service providers, such as managed service providers (MSPs) and cloud service providers (CSPs), has drastically increased in recent years because IT service providers enable credit unions to more cost effectively scale and support network environments. By servicing a large number of customers, IT service providers can achieve significant economies of scale. However, outsourcing processes or functions does not eliminate credit union responsibility for the safety and soundness of those processes and functions. 

Credit unions should know that the decision to centralize information with an IT service provider could present risks to the confidentiality and integrity of their information. For example, IT service providers generally have direct and unfettered access to credit union networks, and may store member data on their own internal infrastructure. A compromise, therefore, in one part of an IT service provider’s network can have cascading effects, affecting several credit unions and introducing systemic risk. 

To protect their infrastructure assets and increase the probability of successfully disrupting APT activity, MSP customers are encouraged to implement a defense-in-depth strategy. To that end, CISA recommends MSP customers consider the following mitigation measures.3

1. Manage Supply Chain Risk - MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. Besides understanding the supply chain risk associated with their MSP, clients should also consider contract language that supports the customer’s needs and requirements for both virtual and physical security, including supply chain risk management.
2. Architecture - Restricting access to networks and systems is critical to containing an APT actor’s movement. Below are key items that organizations should implement and periodically audit to ensure their network environment’s physical and logical architecture limits an APT actor’s visibility and access.
   1. Virtual Private Network Connection Recommendations
      1. Use a dedicated Virtual Private Network (VPN) for MSP connection. 
      2. Terminate VPN within a demilitarized zone (DMZ). 
      3. Restrict VPN traffic to and from MSP.
      4. Update VPN authentication certificates annually.
      5. Ensure VPN connections are logged, centrally managed, and reviewed.
   2. Network Architecture Recommendations
      1. Ensure internet-facing networks reside on separate physical systems. 
      2. Separate internal networks by function, location, and risk profile. Internal networks should be segmented by function, location, and/or enterprise workgroup. 
      3. Use firewalls to protect server(s) and designated high-risk networks. 
      4. Configure and enable private Virtual Local Area Networks (VLANs). Enable private VLANs and group them according to system function or user workgroup.
      5. Implement host firewalls.
   3. Network Service Restriction Recommendations
      1. Only permit authorized network services outbound from the internal network. 
      2. Ensure internal and external Domain Name System (DNS) queries are performed by dedicated servers. 
      3. Restrict access to unauthorized public file shares. 
      4. Disable or block all network services that are not required at network boundary. 
3. Authentication, Authorization, and Accounting - Compromised account credentials continue to be the primary way threat actors penetrate network environments. Because MSP accounts typically require elevated access, the accounts organizations create for MSPs increase the risk of credential compromise. It is important, therefore, that organizations adhere to best practices for password and permission management, as this can severely limit a threat actor’s ability to access and move laterally across a network. Provided below are key items organizations should implement and routinely audit to ensure these risks are mitigated.
   1. Account Configuration Recommendations
      1. Ensure MSP accounts are not assigned to administrator groups. 
      2. Restrict MSP accounts to only the systems they manage. 
      3. Ensure MSP account passwords adhere to organizational policies. 
      4. Use service accounts for MSP agents and services. 
      5. Restrict MSP accounts by time and/or date. 
      6. Use a network architecture that includes account tiering. 
   2. Logging Configuration Recommendations
      1. Enable logging on all network systems and devices and send logs to a central location
      2. Ensure central log servers reside in an enclave separate from other servers and workstations. 
      3. Configure local logs to store no less than seven days of log data.
      4. Configure central logs to store no less than one year of log data.
      5. Install and properly configure a Security Information and Event Management (SIEM) appliance. 
      6. Enable PowerShell logging. 
      7. Establish and implement a log review process.
4. Operational Controls - Building a sound architecture supported by strong technical controls is only the first step in protecting a network environment. It is just as critical that organizations continuously monitor their systems, update configurations to reflect changes in their network environment, and maintain relationships with MSPs. Listed below are key operational controls organizations should incorporate for protection from threats.
   1. Operational Control Recommendations
      1. Create a baseline for system and network behavior. 
      2. Review network device configurations every six months. 
      3. Review network environment Group Policy Objects (GPOs) every six months. 
      4. Continuously monitor and investigate SIEM appliance alerts.
      5. Periodically review SIEM alert thresholds. 
      6. Review privileged account groups weekly. 
      7. Disable or remove inactive accounts. 
      8. Regularly update software and operating systems.

Credit unions should also refer to guidance from the NCUA, the National Institute of Standards and Technology (NIST) and other references listed below to learn about Information and Communications Technology Supply Chain Risk Management.

• NCUA Evaluating Third-Party Relationships 
• FFIEC Outsourcing Technology Services 
• CISA APTs Targeting IT Service Provider Customers 
• CISA ICT Supply Chain Risk Management
• ODNI Supply Chain Threats
• NIST Cyber Supply Chain Risk Management
• NIST Cloud Computing Related Publications
• Canadian Centre for Cyber Security Cyber Security Best Practices: Contracting With Managed Service Providers