Protecting Your Business From A Supply Chain Attack

A common go-to strategy that a cyber criminal uses to gain access to a corporate network is a simple phishing exercise. That’s because with minimal effort or resources, they can target thousands of end-users who work within your supply chain, which offers a good chance of success.

When criminals have gained access to one of your suppliers’ networks, they typically try to access other devices and aim to obtain key login credentials that will provide them access to even more valuable internal systems. Their ultimate goal is to access a machine or system from which source code can be modified.

And from this point, your supplier is at the mercy of the hackers, and soon so will your organisation!

However, through understanding how criminals operate, it is possible to protect your organisation’s supply chain from cyber attacks.

What Is Motivating The Rise In Supply Chain Attacks?

According to the European Union Agency For Cybersecurity (ENISA), the number of supply chain attacks last year almost quadrupled, no doubt kick-started by the infamous SolarWinds breach that went on to impact tens of thousands of government and private organisations. Microsoft President, Brad Smith, even referred to the SolarWinds breach as the “largest and most sophisticated cyberattack the world has ever seen.” It certainly appears to have opened the floodgates for other threat actors to try their hand. But what is motivating such attacks, and does that have any bearing on how they are evolving? 

Let’s put ourselves into the shoes of a threat actor. Are we going to look at the supply chain first and then take an opportunistic approach to carrying out an attack, or do we choose a high-value target and work backward through the supply chain to find a weak link? Unfortunately for businesses, most cybercriminals don’t discriminate between these two approaches. They will use either strategy to hit their mark or uncover a vulnerability they know could open the door to countless further attacks. 

Advanced persistent threats (APTs) are unique in that they are usually quite organised and will have a very specific target in mind that they will seek to infiltrate over long periods of time, often lying dormant or quietly siphoning off data until they strike or leave unnoticed. APTs usually have motives that extend beyond mere financial gain, such as the politically motivated Colonial Pipeline attack in 2021.

These are the kinds of supply chain attacks that government organisations and public entities need to be mindful of.

For regular businesses, however, opportunistic software supply chain attacks are far more common. Cybercriminals will often focus their attention on large software providers whose products underpin critical business infrastructure or support the development or delivery of products, derailing businesses and spiralling them into chaos.  

The Tightrope Of Third-party Risk

Today’s digital landscape is almost entirely predicated on the concept of outsourcing. It’s impossible for one business to excel at every single function it needs in order to thrive and compete in the modern world, so things naturally get outsourced. Today’s supply chain is therefore less like a “chain” in the traditional sense, and more like an interconnected web of software that keeps things ticking over for businesses. These dependencies on third parties, while necessary, are the reason so many businesses are finding themselves vulnerable. Perhaps it’s time for businesses to “reframe” the relationships they have with software suppliers to be more security-centric. 

It’s important that businesses maintain an element of independence and separation from their supplier partners. Regardless of how close an organisation’s commercial relationship may be with its suppliers, it should nevertheless always “assume zero trust” by only giving partners access to what they need in order to carry out their function. By enacting “least privilege”, businesses are ensuring that even if their suppliers are breached, the damage to them will at least be limited. It’s like the difference between keeping fire doors closed or leaving them wide open. Give third parties the access they need to certain rooms, but don’t take the doors off the hinges otherwise any fires that occur will undoubtedly spread. 

Broadening Attack Surfaces

Attack surfaces are not only larger than ever before, but they’re expanding at a rate that’s unprecedented. As more businesses allow more endpoints on their network, from employees’ personal devices to security cameras and other “smart” technologies, the opportunities for attackers to infiltrate a supply chain are increasing. This has, of course, been exacerbated by the pandemic and hybrid working, forcing businesses to revaluate their security posture and put tighter control policies in place that account for remote working. But while a business may take those steps, the companies along its supply chain might not.

This is where third-party risk management (TPRM), which should be a crucial component of any risk management solution, really comes into play. 

It’s very difficult for organisations to audit every touchpoint along the supply chain journey from, say, an accountant in one company to somebody processing an order in the next, each using their own devices at home or in the office. But this is where supply chain assessments come in, ensuring that each organisation along the supply chain complies with basic security standards that reflect those of the business in question. In short, security maturity must be assured across the board. 

Craig Moores is Risk Advisory, Senior Director at SureCloud

You Might Also Read: 

Multiple Location Supermarket Suffers Supply Chain Attack:

 

« Phishers Use Ukraine Invasion To Solicit Cryptocurrency
Hackers Breach Multifactor Authentication »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ExaGrid Systems

ExaGrid Systems

ExaGrid Systems is relied on by thousands of customers to solve their backup problems, effectively and permanently. ExaGrid's disk based, scale-out GR

Titus

Titus

Titus is a global leader in enterprise-grade data protection solutions.

Siepel

Siepel

Siepel manufactures high quality shielded rooms and anechoic chambers dedicated to TEMPEST, NEMP & HIRF.

Quadrant Information Security

Quadrant Information Security

Quadrant Information Security is a consulting firm committed to supporting organizations in all vertical markets and protecting their sensitive data.

Independent Security Evaluators (ISE)

Independent Security Evaluators (ISE)

ISE is an independent security consulting firm headquartered in Baltimore, Maryland dedicated to securing high value assets for global enterprises and performing groundbreaking security research.

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today.

GuardRails

GuardRails

GuardRails provides continuous security feedback that empowers developers to find, fix, and prevent vulnerabilities.

Cube 5

Cube 5

The Cube 5 incubator, located at the Horst Görtz Institute for IT Security (HGI), supports IT security startups and people interested in starting a business in IT security.

Kindus

Kindus

Kindus is an IT security, assurance and cyber security risk management consultancy.

Cutting Edge Technologies (CE Tech)

Cutting Edge Technologies (CE Tech)

CE Tech is a Next Generation Technology Partner providing advanced technology infrastructure solutions through partnerships with leading technology providers.

1Kosmos

1Kosmos

1Kosmos provide Digital Identity and Passwordless Authentication for workforce and customers. Powered by advanced biometrics and blockchain technology.

Venustech

Venustech

Venustech is a leading provider of network security products, trusted security management platforms, specialized security services and solutions.

VP Techno Labs®

VP Techno Labs®

VP Techno Labs is specialized in all types of application penetration testing, business disaster recovery planning & data recovery, malware removal, incident response, fraud detection & prevention.

DH2i Company

DH2i Company

DH2i is a leading provider of multi-platform Software Defined Perimeter and Smart Availability software enabling customers to create an entire IT infrastructure that is always-secure and always-on.

Otto

Otto

Stop Client-Side Attacks. Plug otto into your application security suite and protect your supply chain.

CyberHub

CyberHub

CyberHub is an educational platform that offers professional courses and knowledge sharing through articles and videos to help students discover their potential in cybersecurity.