Organizations today have put in place several cybersecurity technologies that aim to protect the organization from outside threats. However, cybercriminals over the past few years have been using sophisticated attacks that counter incident responses. These attacks are mainly aimed at supply chains, and they don’t only target a single company but lots of networks connected via the supply chain.
According to a report by the Identity Theft Resource Center (ITRC), there was a 42 percent rise in the number of supply chain attacks in the first quarter of 2021 compared to Q4 2020. This led to a 564 percent increase in the number of individuals impacted (51 million in Q1 2021 compared to 8 million in Q4 2020), and this data is only from publicly reported breaches in the US.
The increase in the number of attacks and the intricacy of supply chain attacks require organizations to wake up to the threat properly and avoid falling victim. In this blog, we explore some best practices businesses should use to prevent supply chain attacks.
What is a Supply Chain Attack?
A supply chain attack is one in which, to breach an organization, attackers target a vendor that works with that organization and get in through that vendor. The best way to understand a supply chain attack is to see what it looks like in the physical world. A direct physical attack on a bank would be to break through the front door with machine guns. In contrast, a supply chain type of attack would be to infiltrate the armored-car company and simply drive off with all the collected cash.
How do Supply Chain Attacks Work?
Supply chain attacks often work by breaking the code-signing process. To understand this, assume that an attacker can steal the code-signing key of a popular accounting software company. The attacker could then construct an update that looks legitimate but includes malware and then push it to the world. Any customer of the accounting software company who updates their software now has malware installed on their machines and can be taken over by the attacker.
That said, it is still crucial to always update all software immediately. Security flaws that are fixed via updates often become major targets for attackers as most people are slow to update.
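The paragraph above describes why a stolen code-signing key is so dangerous: the attacker's update carries a signature that verifies perfectly. The following program is an added example (not code from the original post or from any vendor it mentions) that walks through that scenario from the client side. It uses Ed25519 from Go's standard library; the key ID "vendor-2021", the version strings and the payloads are constructed sample values. It shows that a pinned-key signature check catches tampering in transit but not an update signed with the stolen key itself, and that the client also needs a revocation mechanism so the vendor can cut off the compromised key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a signed software update as a client receives it. KeyID names the
// publisher key the vendor claims to have used.
type Update struct {
	Version string
	Payload []byte
	KeyID   string
	Sig     []byte
}

// Verifier holds the client's pinned publisher keys and the IDs of keys the
// publisher has since revoked (for example after a key theft).
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

var (
	ErrUnknownKey = errors.New("update signed with an unpinned key")
	ErrRevokedKey = errors.New("update signed with a revoked key")
	ErrBadSig     = errors.New("signature does not match payload")
)

// signedMessage binds the version to the payload so that a valid signature over
// one release cannot be replayed onto another.
func signedMessage(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator between version and payload
	h.Write(payload)
	return h.Sum(nil)
}

// Verify accepts an update only if it is signed by a pinned, non-revoked key.
func (v *Verifier) Verify(u Update) error {
	pub, ok := v.trusted[u.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if v.revoked[u.KeyID] {
		return ErrRevokedKey
	}
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Payload), u.Sig) {
		return ErrBadSig
	}
	return nil
}

// Revoke records that a key must no longer be trusted.
func (v *Verifier) Revoke(keyID string) { v.revoked[keyID] = true }

// sign stands in for the vendor's build system; it exists only to construct
// sample updates for the scenario below.
func sign(priv ed25519.PrivateKey, keyID, version string, payload []byte) Update {
	return Update{Version: version, Payload: payload, KeyID: keyID,
		Sig: ed25519.Sign(priv, signedMessage(version, payload))}
}

// Scenario returns the verifier's verdict for a genuine update, a tampered copy,
// an update signed with the stolen key, and the same update after revocation.
func Scenario() (genuine, tampered, afterTheft, afterRevoke error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{trusted: map[string]ed25519.PublicKey{"vendor-2021": pub},
		revoked: map[string]bool{}}

	good := sign(priv, "vendor-2021", "3.1.0", []byte("constructed: legitimate update"))
	genuine = v.Verify(good)

	bad := good
	bad.Payload = []byte("constructed: legitimate update + implant") // modified in transit
	tampered = v.Verify(bad)

	// Whoever holds the stolen private key produces a perfectly valid signature.
	malicious := sign(priv, "vendor-2021", "3.1.1", []byte("constructed: update with malware"))
	afterTheft = v.Verify(malicious)

	// Once the vendor publishes a revocation, the same update is rejected.
	v.Revoke("vendor-2021")
	afterRevoke = v.Verify(malicious)
	return
}

func main() {
	g, t, a, r := Scenario()
	fmt.Println("genuine:", g, "| tampered:", t, "| stolen key:", a, "| after revoke:", r)
}
```

The third verdict is the point of the section: cryptography alone cannot distinguish the vendor from whoever stole the vendor's key, which is why the key must be protected from theft in the first place and why clients need a way to stop trusting it afterwards.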
Examples of Supply Chain Attacks
There have been several high-profile supply chain attacks that worked in exactly this way. One example is the malicious firmware update pushed to ASUS computers worldwide in 2019. The targeted machines ran their routine signature check, which the update passed, and then installed it, giving the hackers a backdoor that they could use to carry out further attacks. Kaspersky estimates that the attack affected 500,000 Windows machines.
In 2020, hackers working for the Russian intelligence service SVR broke into the build process of the SolarWinds Orion IT management software. The nation-state attack was hugely successful, as it provided access to almost 18,000 networks around the world that used Orion. Infiltrated targets included US federal organizations such as the Department of Defense, the Department of State, the Department of Justice, and NASA.
Following yet another attack, this time on the Colonial Pipeline, President Biden signed a cybersecurity executive order to strengthen the government’s cybersecurity posture. The order sets new minimum security standards for all companies that want to sell software to federal agencies. The same level of security is also necessary in the private sector, and organizations need to put in place structures that can help deal with the epidemic of supply chain attacks.
What is the Impact of a Supply Chain Attack on Your Business?
When a hacker compromises a company’s code-signing certificates, the ultimate targets are the business partners and customers. The malicious code installed through the update immediately calls the attacker’s servers, which then send a complete payload. This now gives the attacker control over your network.
Attackers can then decide to move through your network and escalate privileges to steal data, or even encrypt the entire system and delete your backups. Either way, such a compromise will disrupt your business processes, and you will be required to pay a ransom. Beyond that, the security incident can affect public sentiment about your organization, and damage to a brand has a very real impact on financial performance.
What Can Businesses Do to Prevent Supply Chain Attacks?
Every business, whether small or large, must assume its supply chain is a point of weakness and treat it as a zero-trust environment. Below are some of the best practices that they can implement to keep their business and customers protected.
Build security assurances into vendor agreements
While third-party vendors are not employees of your organization, they are the weakest link when it comes to supply chain attacks. This means that you need to go beyond the “checklist approach” and hold them to high levels of accountability.
Depending on the nature of the relationship, the organization can require that potential suppliers show that their cybersecurity strategy is equipped to detect, respond to, mitigate, and recover from breaches. Since code signing is the most critical process, the vendor can also be required to show that they have a secure code-signing system that protects keys against theft and prevents their misuse.
Prevent a single point of failure
To prevent a supply chain attack from crippling the entire business, you can set up a security architecture that does not completely fail when a single component fails. An example would be using two firewalls; if one fails due to an attack, the other one remains active.
Such an architecture is made possible by a unified key management solution that brings the organization's existing systems together rather than fragmenting them across products. The organization is then not forced to choose one solution over another, and security is provided through distribution, decentralization, and diversification.
Apply vendor access controls
Since third-party vendors introduce a new attack surface, every organization needs to identify all third parties that interact with its systems. Vendor software can be ranked by the level of access it has, and every vendor mapped to the data it can reach.
The organization can then set up an Identity and Access Management (IAM) solution that authenticates all users and restricts them to the data they need using a zero-trust model. All the data in storage should also be encrypted using the Advanced Encryption Standard (AES) algorithm, and all data and access control keys secured using a key management cryptographic system.
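The two paragraphs above ask for an inventory that maps every vendor to the systems and data it can reach, enforced through a zero-trust access check. The program below is an added example (not code from the original post or from any IAM product) of the smallest version of that: a registry of systems with a sensitivity class, explicit time-bound grants per vendor, a default-deny authorization check evaluated on every request, and a report of which vendors can currently reach confidential data. All vendor names, system names and dates are constructed sample values.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Sensitivity classifies the data a system holds.
type Sensitivity int

const (
	Public Sensitivity = iota
	Internal
	Confidential
)

// System is one of the organization's systems a vendor may interact with.
type System struct {
	Name  string
	Class Sensitivity
}

// Grant is an explicit, time-bound permission for one vendor on one system.
// Anything not granted is denied.
type Grant struct {
	Vendor  string
	System  string
	Actions map[string]bool // e.g. "read", "write"
	Expires time.Time
}

// Registry is the inventory of third parties and what they may access.
type Registry struct {
	systems map[string]System
	grants  []Grant
}

func NewRegistry(systems []System) *Registry {
	r := &Registry{systems: map[string]System{}}
	for _, s := range systems {
		r.systems[s.Name] = s
	}
	return r
}

// AddGrant refuses grants on systems that are not in the inventory, so access
// can only be given to something the organization has already mapped.
func (r *Registry) AddGrant(g Grant) error {
	if _, ok := r.systems[g.System]; !ok {
		return fmt.Errorf("grant refers to unknown system %q", g.System)
	}
	r.grants = append(r.grants, g)
	return nil
}

// Authorize is the zero-trust check: deny unless an unexpired grant for this
// vendor, this system and this action exists. It runs on every request, so a
// lapsed contract stops working without anyone having to remember to revoke it.
func (r *Registry) Authorize(vendor, system, action string, now time.Time) bool {
	for _, g := range r.grants {
		if g.Vendor == vendor && g.System == system && g.Actions[action] && now.Before(g.Expires) {
			return true
		}
	}
	return false
}

// VendorsWithAccess maps each vendor to the systems at or above the given
// sensitivity that it can currently reach.
func (r *Registry) VendorsWithAccess(min Sensitivity, now time.Time) map[string][]string {
	out := map[string][]string{}
	for _, g := range r.grants {
		if !now.Before(g.Expires) || r.systems[g.System].Class < min {
			continue
		}
		out[g.Vendor] = append(out[g.Vendor], g.System)
	}
	for v := range out {
		sort.Strings(out[v])
	}
	return out
}

// SampleRegistry builds a constructed inventory with one current read-only
// grant, one short-lived read/write grant, and one grant that has lapsed.
func SampleRegistry() (*Registry, time.Time) {
	now := time.Date(2021, 7, 1, 12, 0, 0, 0, time.UTC)
	r := NewRegistry([]System{
		{Name: "erp", Class: Confidential},
		{Name: "ticketing", Class: Internal},
		{Name: "website", Class: Public},
	})
	r.AddGrant(Grant{"acme-accounting", "erp", map[string]bool{"read": true}, now.Add(30 * 24 * time.Hour)})
	r.AddGrant(Grant{"helpdesk-co", "ticketing", map[string]bool{"read": true, "write": true}, now.Add(7 * 24 * time.Hour)})
	r.AddGrant(Grant{"old-contractor", "erp", map[string]bool{"write": true}, now.Add(-24 * time.Hour)}) // lapsed yesterday
	return r, now
}

func main() {
	r, now := SampleRegistry()
	fmt.Println("acme read erp:          ", r.Authorize("acme-accounting", "erp", "read", now))
	fmt.Println("acme write erp:         ", r.Authorize("acme-accounting", "erp", "write", now))
	fmt.Println("old-contractor write erp:", r.Authorize("old-contractor", "erp", "write", now))
	fmt.Println("confidential access:    ", r.VendorsWithAccess(Confidential, now))
}
```

The report function is the artifact an auditor asks for when a vendor is breached: which of our systems could that vendor reach today? Because grants expire and authorization is re-evaluated on every call, the answer is always derived from live policy rather than from a spreadsheet that was accurate at onboarding.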
Limit users’ ability to install shadow IT
Shadow IT is software used within the organization that the IT security department has not approved. Such software has not undergone security checks, and its vendors form yet another attack surface that has not been mapped into the organization’s mitigation plans.
To remove the security risks this poses, educate users on the risks of such software and on how to get the most out of approved applications. From there, enforce strong code integrity policies so that only authorized applications can run. Access to all verified applications should then be managed through a single pane of glass, with all operations related to the infrastructure logged.
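The code integrity policy described above is, at its core, an allowlist: an executable runs only if it matches a vetted build or is signed by an approved publisher, and every decision is logged so that unapproved software shows up in the audit trail. The program below is an added example (not code from the original post or from any endpoint product) of that decision logic. The binary contents, paths and publisher names are constructed sample values, and it assumes that the publisher name handed to Evaluate has already been taken from a verified signature by whatever loads the executable.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Decision is the outcome of a code-integrity check for one executable.
type Decision struct {
	Allowed bool
	Reason  string
}

// Policy is an allowlist: executables are approved by exact content hash, or
// by publisher for vendors whose signed releases have been vetted as a whole.
type Policy struct {
	approvedHashes     map[string]string // sha256 hex -> product name
	approvedPublishers map[string]bool
	log                []string
	denied             []string
}

func NewPolicy() *Policy {
	return &Policy{approvedHashes: map[string]string{}, approvedPublishers: map[string]bool{}}
}

func hashOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ApproveBinary registers one vetted build by its content hash.
func (p *Policy) ApproveBinary(name string, contents []byte) { p.approvedHashes[hashOf(contents)] = name }

// ApprovePublisher registers a vendor whose signed executables may run.
func (p *Policy) ApprovePublisher(publisher string) { p.approvedPublishers[publisher] = true }

// Evaluate decides whether an executable may run and records the decision.
// publisher is the name from an already-verified signature, or "" if unsigned.
func (p *Policy) Evaluate(path string, contents []byte, publisher string) Decision {
	h := hashOf(contents)
	var d Decision
	switch {
	case p.approvedHashes[h] != "":
		d = Decision{true, "hash matches approved build " + p.approvedHashes[h]}
	case publisher != "" && p.approvedPublishers[publisher]:
		d = Decision{true, "signed by approved publisher " + publisher}
	default:
		d = Decision{false, "not in allowlist"}
		p.denied = append(p.denied, path)
	}
	p.log = append(p.log, fmt.Sprintf("path=%q sha256=%s publisher=%q allowed=%t reason=%q",
		path, h[:12], publisher, d.Allowed, d.Reason))
	return d
}

// Log returns the audit trail, one line per decision.
func (p *Policy) Log() []string { return p.log }

// ShadowITReport lists every executable that was blocked; these are the
// candidates the security team should review or onboard.
func (p *Policy) ShadowITReport() []string { return p.denied }

// Scenario runs four constructed executables through the policy: the vetted
// build, a modified copy of it, unsigned freeware, and a signed tool from an
// approved publisher that has no hash entry of its own.
func Scenario() (*Policy, []Decision) {
	p := NewPolicy()
	approved := []byte("constructed bytes of the approved accounting client v3.1")
	p.ApproveBinary("accounting-client 3.1", approved)
	p.ApprovePublisher("Example Software Ltd")

	modified := append([]byte(nil), approved...)
	modified = append(modified, '!') // one byte changed: hash no longer matches

	ds := []Decision{
		p.Evaluate(`C:\Program Files\Acct\client.exe`, approved, "Example Software Ltd"),
		p.Evaluate(`C:\Users\pat\Downloads\client.exe`, modified, ""),
		p.Evaluate(`C:\Users\pat\Downloads\notes-sync.exe`, []byte("constructed unvetted freeware"), "Random Dev"),
		p.Evaluate(`C:\Tools\vetted-util.exe`, []byte("constructed vendor tool"), "Example Software Ltd"),
	}
	return p, ds
}

func main() {
	p, _ := Scenario()
	for _, line := range p.Log() {
		fmt.Println(line)
	}
	fmt.Println("blocked:", p.ShadowITReport())
}
```

Hash-based entries are the strict form (one build, one hash) and publisher-based entries are the convenient form; the trade-off is that a publisher entry extends trust to every future release that vendor signs, which is exactly the exposure the code-signing discussion earlier in the post warns about, so publisher entries deserve the tighter vendor vetting described there.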
Form an incident response plan
Having an incident response plan is crucial in minimizing the risks posed by supply chain attacks. While creating one, consider all the key areas in the supply chain in terms of the risk level and impact. All your suppliers should also have an incident response plan to ensure they can respond quickly and help mitigate potential risks to your business.
On top of the above, keep a backup that is isolated from any attack on the main system. You can secure it by setting up a cryptographic system that encrypts all data in transit and at rest. All keys used should then be protected by a security policy such as quorum authorization.
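Quorum authorization, mentioned above for backup keys and implied earlier by the requirement that a vendor's code-signing system "prevents misuse", means that a sensitive key operation proceeds only after M of N designated custodians have approved it. The program below is an added example (not code from the original post or from any key management product) of that approval logic: approvers must be custodians, may not approve their own request, may approve only once, and their approvals go stale after a configurable age. The custodian names, request IDs and timestamps are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Approval is one custodian's sign-off on a pending key operation.
type Approval struct {
	Approver string
	At       time.Time
}

// Request is a pending sensitive operation on a protected key, such as
// releasing the code-signing key for a build or restoring a backup key.
type Request struct {
	ID        string
	Operation string
	Requester string
	approvals map[string]Approval
}

func NewRequest(id, operation, requester string) *Request {
	return &Request{ID: id, Operation: operation, Requester: requester, approvals: map[string]Approval{}}
}

// QuorumPolicy requires Required distinct custodians out of Custodians, and
// discards approvals older than MaxAge so a stale sign-off cannot be reused.
type QuorumPolicy struct {
	Custodians map[string]bool
	Required   int
	MaxAge     time.Duration
}

var (
	ErrNotCustodian = errors.New("approver is not a key custodian")
	ErrSelfApproval = errors.New("requester may not approve their own request")
	ErrDuplicate    = errors.New("approver has already approved this request")
)

// Approve records a custodian's approval after checking separation of duties.
func (p QuorumPolicy) Approve(r *Request, approver string, at time.Time) error {
	if !p.Custodians[approver] {
		return ErrNotCustodian
	}
	if approver == r.Requester {
		return ErrSelfApproval
	}
	if _, dup := r.approvals[approver]; dup {
		return ErrDuplicate
	}
	r.approvals[approver] = Approval{Approver: approver, At: at}
	return nil
}

// Satisfied reports whether enough fresh approvals from distinct custodians
// exist at time now; the key operation must not run unless this is true.
func (p QuorumPolicy) Satisfied(r *Request, now time.Time) bool {
	fresh := 0
	for _, a := range r.approvals {
		if now.Sub(a.At) <= p.MaxAge {
			fresh++
		}
	}
	return fresh >= p.Required
}

// Scenario walks a 2-of-3 policy through a request raised by one custodian and
// returns the outcome of each step.
func Scenario() (self, outsider error, afterOne, afterTwo, dup error, stale bool) {
	t0 := time.Date(2021, 7, 1, 9, 0, 0, 0, time.UTC)
	policy := QuorumPolicy{
		Custodians: map[string]bool{"alice": true, "bob": true, "carol": true},
		Required:   2,
		MaxAge:     time.Hour,
	}
	req := NewRequest("req-001", "restore backup encryption key", "alice")

	self = policy.Approve(req, "alice", t0)                    // requester cannot self-approve
	outsider = policy.Approve(req, "mallory", t0)              // not a custodian
	_ = policy.Approve(req, "bob", t0)                         // first real approval
	afterOne = boolErr(policy.Satisfied(req, t0))              // 1 of 2: not yet
	_ = policy.Approve(req, "carol", t0.Add(10*time.Minute))   // second approval
	afterTwo = boolErr(policy.Satisfied(req, t0.Add(10*time.Minute)))
	dup = policy.Approve(req, "bob", t0.Add(20*time.Minute))   // bob already approved
	stale = policy.Satisfied(req, t0.Add(3*time.Hour))         // both approvals expired
	return
}

// boolErr turns a quorum result into an error value so Scenario can report it
// alongside the approval errors.
func boolErr(ok bool) error {
	if ok {
		return nil
	}
	return errors.New("quorum not satisfied")
}

func main() {
	self, outsider, one, two, dup, stale := Scenario()
	fmt.Println("self-approval:", self, "| outsider:", outsider, "| after one:", one,
		"| after two:", two, "| duplicate:", dup, "| satisfied 3h later:", stale)
}
```

The approval expiry is what makes this usable for backup keys: a quorum gathered during an incident cannot be replayed weeks later by whoever still holds the request, and each use of the key is a fresh, attributable decision by distinct people.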
Always Assume A Breach
The supply chain is easily exploitable by malicious actors, and it is quite attractive as it offers economies of scale. Instead of hoping that a breach won’t happen, organizations should take proactive measures to manage the risks. This can be accomplished through both independent and collaborative efforts, as discussed above.
However, the organization should also ensure that it is not the weakest link in the ecosystem. All data, software, and devices should be managed or monitored within a centralized management system and protected with a secure cryptographic infrastructure. You should then carry out regular audits to help identify any vulnerabilities.