Protecting Your Business From A Supply Chain Attack

Uploaded on 2022-03-26 in TECHNOLOGY--Resilience, FREE TO VIEW

A common go-to strategy that a cyber criminal uses to gain access to a corporate network is a simple phishing exercise. That’s because with minimal effort or resources, they can target thousands of end-users who work within your supply chain, which offers a good chance of success.

When criminals have gained access to one of your suppliers’ networks, they typically try to access other devices and aim to obtain key login credentials that will provide them access to even more valuable internal systems. Their ultimate goal is to access a machine or system from which source code can be modified.

And from this point, your supplier is at the mercy of the hackers, and soon so will your organisation!

However, through understanding how criminals operate, it is possible to protect your organisation’s supply chain from cyber attacks.

What Is Motivating The Rise In Supply Chain Attacks?

According to the European Union Agency For Cybersecurity (ENISA), the number of supply chain attacks last year almost quadrupled, no doubt kick-started by the infamous SolarWinds breach that went on to impact tens of thousands of government and private organisations. Microsoft President, Brad Smith, even referred to the SolarWinds breach as the “largest and most sophisticated cyberattack the world has ever seen.” It certainly appears to have opened the floodgates for other threat actors to try their hand. But what is motivating such attacks, and does that have any bearing on how they are evolving? 

Let’s put ourselves into the shoes of a threat actor. Are we going to look at the supply chain first and then take an opportunistic approach to carrying out an attack, or do we choose a high-value target and work backward through the supply chain to find a weak link? Unfortunately for businesses, most cybercriminals don’t discriminate between these two approaches. They will use either strategy to hit their mark or uncover a vulnerability they know could open the door to countless further attacks. 

Advanced persistent threats (APTs) are unique in that they are usually quite organised and will have a very specific target in mind that they will seek to infiltrate over long periods of time, often lying dormant or quietly siphoning off data until they strike or leave unnoticed. APTs usually have motives that extend beyond mere financial gain, such as the politically motivated Colonial Pipeline attack in 2021.

These are the kinds of supply chain attacks that government organisations and public entities need to be mindful of.

For regular businesses, however, opportunistic software supply chain attacks are far more common. Cybercriminals will often focus their attention on large software providers whose products underpin critical business infrastructure or support the development or delivery of products, derailing businesses and spiralling them into chaos.  

The Tightrope Of Third-party Risk

Today’s digital landscape is almost entirely predicated on the concept of outsourcing. It’s impossible for one business to excel at every single function it needs in order to thrive and compete in the modern world, so things naturally get outsourced. Today’s supply chain is therefore less like a “chain” in the traditional sense, and more like an interconnected web of software that keeps things ticking over for businesses. These dependencies on third parties, while necessary, are the reason so many businesses are finding themselves vulnerable. Perhaps it’s time for businesses to “reframe” the relationships they have with software suppliers to be more security-centric. 

It’s important that businesses maintain an element of independence and separation from their supplier partners. Regardless of how close an organisation’s commercial relationship may be with its suppliers, it should nevertheless always “assume zero trust” by only giving partners access to what they need in order to carry out their function. By enacting “least privilege”, businesses are ensuring that even if their suppliers are breached, the damage to them will at least be limited. It’s like the difference between keeping fire doors closed or leaving them wide open. Give third parties the access they need to certain rooms, but don’t take the doors off the hinges otherwise any fires that occur will undoubtedly spread. 

Broadening Attack Surfaces

Attack surfaces are not only larger than ever before, but they’re expanding at a rate that’s unprecedented. As more businesses allow more endpoints on their network, from employees’ personal devices to security cameras and other “smart” technologies, the opportunities for attackers to infiltrate a supply chain are increasing. This has, of course, been exacerbated by the pandemic and hybrid working, forcing businesses to revaluate their security posture and put tighter control policies in place that account for remote working. But while a business may take those steps, the companies along its supply chain might not.

This is where third-party risk management (TPRM), which should be a crucial component of any risk management solution, really comes into play. 

It’s very difficult for organisations to audit every touchpoint along the supply chain journey from, say, an accountant in one company to somebody processing an order in the next, each using their own devices at home or in the office. But this is where supply chain assessments come in, ensuring that each organisation along the supply chain complies with basic security standards that reflect those of the business in question. In short, security maturity must be assured across the board. 

Craig Moores is Risk Advisory, Senior Director at SureCloud

You Might Also Read: 

Multiple Location Supermarket Suffers Supply Chain Attack:

 

« Phishers Use Ukraine Invasion To Solicit Cryptocurrency
Hackers Breach Multifactor Authentication »

Quartz Conference
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Galaxkey

Galaxkey

Galaxkey is a data protection product that protects email, documents and any data using access control and an encryption platform.

StratoKey

StratoKey

StratoKey is an intelligent Cloud Access Security Broker (CASB) that secures your cloud and SaaS applications against data breaches, so you can do secure and compliant business in the cloud.

Hodgson Russ

Hodgson Russ

Hodgson Russ is a US business law firm. Practice areas include Privacy, Data Breach & Cybersecurity.

8MAN

8MAN

8MAN is a leading Access Rights Management (ARM) solution in Microsoft and virtual server environments.

Cyberbit

Cyberbit

Cyberbit empowers cybersecurity teams to be fully prepared with a product portfolio ready to detect and respond effectively across both IT and OT networks.

Critifence

Critifence

Critifence provides unique Cyber Security solutions designed for Critical Infrastructure, SCADA and Industrial Control Systems.

National Cyber Security Centre (NCSC) - Ireland

National Cyber Security Centre (NCSC) - Ireland

The National Cyber Security Centre (NCSC) is the operational side of the Department of Communications in regard to network and information security in the Republic of Ireland.

Ministry of Transport & Communications (MOTC) - Qatar

Ministry of Transport & Communications (MOTC) - Qatar

The Ministry of Transport & Communications Cyber Security Division works to ensure that online threats in Qatar are monitored and risks are contained.

Africa Cybersecurity and Digital Rights Organisation (ACDRO)

Africa Cybersecurity and Digital Rights Organisation (ACDRO)

ACDRO is a non-governmental Organisation pioneering Digital Rights and promoting cybersecurity awareness within the digital environment in Africa.

Nova Leah

Nova Leah

Nova Leah helps connected medical device manufacturers meet cybersecurity compliance requirements throughout the entire product lifecycle.

BotRx

BotRx

BotRx is the only AI-enabled, automated fraud protection technology that allows fast & easy deployment - continually keeping invisible bad bots and agents at bay, so you can rest easy.

Nihon Cyber Defense

Nihon Cyber Defense

Nihon Cyber Defence’s mission is to provide robust solutions, services and support to governments, corporates and organisations in order to protect them from all forms of cyber warfare.

Palantir

Palantir

Palantir software empowers entire organizations to answer complex questions quickly by bringing the right data to the people who need it.

KeyData Associates

KeyData Associates

KeyData is a recognized leader in cybersecurity services specializing in Identity and Access Management (IAM), Customer Identity & Access Management (CIAM) and Privileged Access Management (PAM).

Vantage Point Security

Vantage Point Security

Vantage Point are specialists in penetration testing and application security with a focus on the industries undergoing rapid digital transformation.

Teleport

Teleport

Teleport is a remote-first technology company. We enable engineers to quickly access any computing resource anywhere on the planet.