What Is A Supply Chain Cybersecurity Attack?
Officials from the US Commerce and Energy Departments confirmed that a cybersecurity breach has occurred, although the latter said it has no evidence of intrusions into its nuclear weapons management networks “so far”. Numerous other federal agencies have acknowledged that they are inspecting for fallout.
These reports said that hackers broke into the Treasury and Commerce departments as part of a months-long cyberespionage campaign. Just a few days before, the prominent cybersecurity firm FireEye reported that its own hacking tools had been stolen and data compromised after an attack that “bore the hallmarks of a Russian tradecraft” was found in its networks.
With the attack taking place in a server software called SolarWinds used by thousands of major corporations and organizations, including Fortune 500 companies, these organizations will now be scrambling to patch up their networks.
The Supply Chain Attack
What took place is an example of a highly sophisticated, targeted, and manual supply chain attack, where cyberattackers infiltrate a system through a third-party provider and attack the weakest link of a security network. This kind of attack can occur in any industry, from the financial sector to the government sector.
Exploiting vulnerabilities in the supply chain network is the main feature of a supply chain attack. It aims to damage the company through continuous infiltration and hacking designed to cause disruptions and outages.
Many third-party software companies are cloud-based, and they do not operate in isolation. Many provide integration with other software via web services, such as email with email providers, enriching data from external systems, vendors, subcontractors, legal, logistics, insurance, payroll processing, marketing, customers, payment services, banks, and IoT (Internet of Things) devices. Any external software you integrate with poses a risk to your own system, and the weak link could just as well be your system, endangering your vendors and business partners.
With the rising public awareness of cybersecurity, attackers tend to take the path of least resistance: third-party providers. According to a survey report conducted by Opinion Matters for BlueVoyant, 80% of organizations have had a breach caused by their vendors.
Remember the incident involving CCleaner, which is owned by Avast, itself a security company? CCleaner is a computer cleanup tool which was compromised by hackers for months. The software updates users were downloading had been tainted with a malware backdoor, meaning malicious code had been injected into them, which exposed millions of computers. This is an example of a digital supply chain attack, where trusted software is infected by malicious code.
In 2018, Nicole Eagan, the CEO of cybersecurity company Darktrace, told attendees at an event in London how cybercriminals hacked an unnamed casino through its Internet-connected thermometer in an aquarium in the lobby of the casino. According to Eagan, the hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and “then pulled it back across the network, out the thermostat, and up to the cloud.” This is an example of a supply chain IoT attack.
Preventing Supply Chain Attacks
Since a supply chain attack relies on attacking a target company’s weakest external link, the first thing you can do is limit your use of unnecessary third-party software. If you have to use third-party software, make sure you audit your partner’s security controls before integrating them into your infrastructure. If you have highly sensitive and confidential data, encrypt it.
Be mindful of the security of your external vendors and partners. Remember that your systems are or will be integrated with these external parties, and any weak link among them can also affect and expose your company. For example, retail is connected to vendors and suppliers to replenish goods, and to banks and payment applications to get paid by clients and to pay vendors; all these systems are interconnected via web services. Always ask your vendors and partners about their security policy and when they last audited their security controls and performed penetration testing. Don’t just send them a list of questionnaires; ask them for a recent comprehensive third-party report or security certification.
If a third-party vendor sends you a patch, ask questions about it, read the release notes for the new patch, and go through comprehensive testing before you install it. Don’t trust what they send you until you get your test results and understand what the patch is for. Segment your applications and data, and only allow access to the systems and subsystems that are required; don’t give them your house keys. In some cases, point your monitors at the traffic they are generating in your system and create alerts for unknown activities.
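The segmentation and alerting advice above, sketched as an added example that is not part of the original article: each vendor integration gets an explicit allowlist of subnets and ports, and any flow outside it raises an alert. The account names, addresses, and log format are constructed assumptions, not taken from any real product.

```python
import ipaddress

# Constructed policy: the only subnets and ports each vendor account may reach.
VENDOR_POLICY = {
    "svc-monitoring-vendor": {"nets": [ipaddress.ip_network("10.20.0.0/24")], "ports": {443, 8443}},
    "svc-payroll-vendor": {"nets": [ipaddress.ip_network("10.30.5.0/28")], "ports": {443}},
}

# Constructed flow records: "timestamp account src_ip dst_ip dst_port bytes"
SAMPLE_FLOWS = """\
2024-01-10T02:11:09Z svc-monitoring-vendor 10.20.0.15 10.20.0.40 443 5120
2024-01-10T02:11:12Z svc-monitoring-vendor 10.20.0.15 10.50.1.7 1433 88211
2024-01-10T02:12:40Z svc-payroll-vendor 10.30.5.3 10.30.5.9 443 2048
2024-01-10T02:13:05Z svc-payroll-vendor 10.30.5.3 10.30.5.9 22 640
2024-01-10T02:14:02Z svc-monitoring-vendor 10.20.0.15 203.0.113.25 443 9400332
2024-01-10T02:15:30Z svc-unknown-agent 10.20.0.99 10.20.0.40 443 100
"""

def parse_flow(line):
    """Parse one flow record; raises ValueError on malformed input."""
    ts, account, _src, dst, port, _nbytes = line.split()
    return {"ts": ts, "account": account, "dst": ipaddress.ip_address(dst), "port": int(port)}

def check_flow(flow, policy=VENDOR_POLICY):
    """Return a reason string if the flow violates policy, else None."""
    rule = policy.get(flow["account"])
    if rule is None:
        return "account has no approved policy"
    if not any(flow["dst"] in net for net in rule["nets"]):
        return "destination outside approved segment"
    if flow["port"] not in rule["ports"]:
        return "port not approved for this vendor"
    return None

def find_alerts(log_text, policy=VENDOR_POLICY):
    """Return (ts, account, dst, port, reason) for every flow outside policy."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        try:
            flow = parse_flow(line)
        except ValueError:
            # A record that cannot be parsed is itself worth a look.
            alerts.append(("-", "-", "-", 0, "unparseable record"))
            continue
        reason = check_flow(flow, policy)
        if reason:
            alerts.append((flow["ts"], flow["account"], str(flow["dst"]), flow["port"], reason))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print("ALERT", *alert)
```
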
Conduct a cyber risk assessment with the help of a professional security firm that can conduct an accurate assessment and provide responsive and targeted solutions to patch up your security management, controls, and network into something sustainable and reliable.
Croyten, a software and IT consulting company, does exactly this. Using our tried and true agile methodology and frameworks, our security services are designed to address all these cybersecurity issues and more. We also assist in modernizing business applications so they can function properly and in line with trending and emerging business needs. Our security and DevOps team will work in parallel to ensure that your critical application infrastructure is taking advantage of all the security controls and monitors available on the cloud.