Log4J Vulnerability

January 26, 2023 Case Study Compliance Emily Devereux


Reducing Risk Against Cybersecurity Threats To The Supply Chain

The Challenge

The highest number of supply chain attacks of 2021 took place in December, with one of the most detrimental being the Log4j vulnerability. Commonly used by apps and services across the internet, Log4j is an open-source logging library for the Java programming language. The vulnerability meant that threat actors could execute code remotely and take control of anything that made use of its components. The attack required very little expertise to execute, making Log4j one of the most severe vulnerabilities seen in recent years. Left unresolved, attackers could break into systems, steal sensitive data and infect networks with malicious software. A significant danger of these attacks was their ability to go undetected for months. Consequences for an organisation or its third parties suffering an attack would range from operational delays to corporate or government surveillance, including the potential loss of data.

Companies across most industries had to undergo a number of processes in order to assess whether any of their systems were vulnerable. They began by checking whether their own systems used Java and, if so, whether those systems were internet-facing, which would make them more accessible to exploitation. This activity was followed by a mass-coordination event in which organisations were advised to contact all of their suppliers to assess their vulnerability. At Brooklyn Solutions, most of our clients have thousands of suppliers whom they had to assess rapidly, at scale and en masse.

The Solution

Brooklyn’s Step by Step Process

One of our clients, a major retail firm, was made aware of Log4j and its potential risk to hundreds of suppliers. Using Brooklyn, this client rapidly remediated risk from the Log4j vulnerabilities for the wider vendor tail, where it’s suggested that over 60% of technology suppliers use Log4j as an indirect dependency. The Brooklyn platform fast-tracked a vendor consolidation exercise that would usually have required vendor managers to contact each supplier separately and follow up on their individual responses. For our clients that were vulnerable to the cyberthreat, Brooklyn executed the following:

  1. Bespoke Cyberthreat survey template for Log4j
  2. Implemented a deadline & automated reminders
  3. Identified survey recipients
  4. Risk record created from negative responses
  5. Progress tracked by survey report

Overview

  • Protected a large retailer against a severe supply chain vulnerability
  • E-Meet capabilities and intelligent surveys enabled the customer to rapidly contact their suppliers at scale
  • Customer established and maintained a ‘fit-for-audit’ stage
  • Successfully contacted 492 suppliers in just 72 hours
  • Implemented a risk strategy for future cybersecurity threats
