Protecting Your Business From A Supply Chain Attack

A common go-to strategy for a cyber criminal seeking access to a corporate network is a simple phishing campaign. With minimal effort or resources they can target thousands of end users across your supply chain, and only one of them needs to take the bait for the attack to succeed.

Once criminals have gained a foothold on one of your suppliers’ networks, they typically move laterally to other devices and harvest login credentials that grant access to more valuable internal systems. In a software supply chain attack the ultimate goal is a system from which the product you receive can be tampered with: the source repository, the build server, the code-signing keys or the update distribution channel.

From that point your supplier is at the mercy of the attackers, and soon your organisation will be too, because the tampered product reaches you through the very update channel you already trust.

However, through understanding how criminals operate, it is possible to protect your organisation’s supply chain from cyber attacks.

What Is Motivating The Rise In Supply Chain Attacks?

The European Union Agency For Cybersecurity (ENISA) estimated in its 2021 threat landscape report that supply chain attacks that year would be roughly four times as numerous as in 2020. The most prominent example remains the SolarWinds breach: around 18,000 customers installed the trojanised Orion update, including US government agencies and large private organisations, although the attackers pursued only a small fraction of them. Microsoft President Brad Smith referred to it as the “largest and most sophisticated attack the world has ever seen.” It certainly appears to have opened the floodgates for other threat actors to try their hand. But what is motivating such attacks, and does that have any bearing on how they are evolving?

Let’s put ourselves in the shoes of a threat actor. Do we survey the supply chain first and take an opportunistic approach, attacking whichever supplier is weakest? Or do we choose a high-value target and work backward through its supply chain to find the weak link? Unfortunately for businesses, most cybercriminals don’t discriminate between these two approaches. They will use either strategy to hit their mark, or to uncover a vulnerability they know could open the door to countless further attacks.

Advanced persistent threats (APTs) are distinctive in that they are usually well organised and have a very specific target in mind, which they infiltrate over long periods of time, often lying dormant or quietly siphoning off data until they strike or leave unnoticed. APTs usually have motives that extend beyond mere financial gain, such as espionage or sabotage; the SolarWinds intrusion, attributed by the US government to Russia’s foreign intelligence service, is the archetype. (The 2021 Colonial Pipeline incident, by contrast, was a financially motivated ransomware attack on the company’s own IT network rather than a supply chain compromise.)

These are the kinds of supply chain attacks that government organisations and public entities need to be mindful of.

For regular businesses, however, opportunistic software supply chain attacks are far more common. Cybercriminals will often focus their attention on large software providers whose products underpin critical business infrastructure or support the development or delivery of products, because a single compromise of such a provider is delivered to every one of its customers at once, derailing businesses and plunging them into chaos.

The Tightrope Of Third-party Risk

Today’s digital landscape is almost entirely predicated on outsourcing. No single business can excel at every function it needs in order to thrive and compete, so things naturally get outsourced. Today’s supply chain is therefore less like a “chain” in the traditional sense and more like an interconnected web of software that keeps things ticking over. These dependencies on third parties, while necessary, are the reason so many businesses are finding themselves vulnerable. Perhaps it’s time for businesses to reframe their relationships with software suppliers to be more security-centric.

It’s important that businesses maintain an element of independence and separation from their supplier partners. Regardless of how close an organisation’s commercial relationship with a supplier may be, it should assume no implicit trust and give the partner access only to what it needs in order to carry out its function, for only as long as it needs it, with that access logged. By enforcing least privilege, a business ensures that even if a supplier is breached, the damage will at least be contained. It’s like the difference between keeping fire doors closed and leaving them wide open: give third parties the keys to the rooms they need, but don’t take the doors off the hinges, or any fire that starts will undoubtedly spread.
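One concrete way to implement that principle in a cloud environment, as an added example that is not from the article or its author: a cross-account IAM role granted to a supplier, written in Terraform for AWS, with the “doors off the hinges” grant beside a scoped one. The account IDs, bucket name, prefix and external ID are placeholders, not real values.

```hcl
# ---- The open fire door: the supplier's account can do anything, indefinitely ----
resource "aws_iam_role" "supplier_broad" {
  name = "supplier-broad" # illustrative name (assumption)

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::111111111111:root" } # placeholder supplier account
      # No ExternalId condition: any principal in the supplier's account, or any third
      # party that can make the supplier assume roles on its behalf (confused deputy),
      # can use this role.
    }]
  })
}

resource "aws_iam_role_policy_attachment" "supplier_broad_admin" {
  role       = aws_iam_role.supplier_broad.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" # every room, every door
}

# ---- The closed fire door: one prefix, read only, one hour, only with the agreed ID ----
resource "aws_iam_role" "supplier_invoicing" {
  name                 = "supplier-invoicing" # illustrative name (assumption)
  max_session_duration = 3600                 # stolen credentials expire within the hour

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::111111111111:root" } # placeholder supplier account
      Condition = {
        # Shared secret agreed out of band with this supplier; blocks confused-deputy
        # abuse where another tenant of the supplier tricks it into assuming our role.
        StringEquals = { "sts:ExternalId" = "placeholder-external-id-change-me" }
      }
    }]
  })
}

resource "aws_iam_role_policy" "supplier_invoicing_read" {
  name = "invoices-read-only"
  role = aws_iam_role.supplier_invoicing.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Only the objects the supplier's function requires (placeholder bucket/prefix).
        Effect   = "Allow"
        Action   = ["s3:GetObject"]
        Resource = "arn:aws:s3:::example-finance-data/invoices/*"
      },
      {
        # Listing is confined to the same prefix, so the supplier cannot even see
        # what else is in the bucket.
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = "arn:aws:s3:::example-finance-data"
        Condition = { StringLike = { "s3:prefix" = ["invoices/*"] } }
      }
    ]
  })
}
```

If the supplier is phished, credentials stolen from the second role reach one read-only prefix for at most an hour, and every AssumeRole call is recorded in CloudTrail; credentials stolen from the first role are an administrator in your account. The difference is entirely in how the grant was written, not in how trustworthy the supplier is.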

Broadening Attack Surfaces

Attack surfaces are not only larger than ever before, they are expanding at an unprecedented rate. As businesses allow more endpoints on their networks, from employees’ personal devices to security cameras and other “smart” technologies, the opportunities for attackers to infiltrate a supply chain multiply. This has, of course, been exacerbated by the pandemic and hybrid working, forcing businesses to re-evaluate their security posture and put tighter control policies in place that account for remote working. But while a business may take those steps, the companies along its supply chain might not.

This is where third-party risk management (TPRM), which should be a crucial component of any risk management programme, really comes into play.

It’s very difficult for an organisation to audit every touchpoint along the supply chain, from, say, an accountant in one company to somebody processing an order in the next, each using their own devices at home or in the office. This is where supply chain assessments come in: they verify that each organisation along the chain meets baseline security standards that reflect those of the business in question, with evidence rather than assurances. In short, security maturity must be assured across the board.

Craig Moores is Risk Advisory, Senior Director at SureCloud
