Thursday, August 26th, 2021
Practical Recommendations For Supply Chain Security
Suppliers and vendors perform a critical role for most businesses today, and securing the supply chain is a challenge for every single organisation, regardless of its size. Supply chain breaches still make headlines – most notably, the SolarWinds and the Kaseya breaches that have impacted thousands of businesses across the world. A supply chain attack can happen when a malicious intruder infiltrates your organisation through a third party: a partner or supplier. The third-party tools and processes we place our trust in pose one of the biggest cyber risks today. Here are some examples of cyber supply chain risks that affect everyone:
- Third party service providers with physical or virtual access to information systems, software code, or IP
- Poor information security practices by lower-tier suppliers
- Software security vulnerabilities in supply chain management or supplier systems
- Counterfeit hardware
- Third party data storage or data aggregators
- Vendor Email Compromise
In the first quarter of this year, supply chain attacks had risen by 42%, and these attacks are expected to multiply by 4 by the end of 2021. Even with the best security tools and processes in place, an organisation could be vulnerable to a supply chain attack. Ultimately, a cyber-attack on one of your suppliers could result not only in the loss of your sensitive data, intellectual property, business strategy, or trade secrets, but also in operational disruption to your organisation. Cyber criminals are well aware of this reality and, in the case of targeted attacks, they spend a lot of their time and energy finding a vendor’s weak points so they can infiltrate and attack their target.
While the island hopping attack strategy is not a new one, it is becoming increasingly important as attackers find new ways to gain access to large organisations, and it puts smaller businesses, for example, directly in their line of fire. Island hopping involves attackers exploiting the weaknesses of typically small and medium businesses in order to move laterally and target larger organisations. They can hop from organisation to organisation until they reach their target, but the ‘journey’ often starts by targeting the smaller organisations. It can be very difficult for security technologies to identify when attackers have compromised trusted contacts, which makes these types of attacks even more difficult to stop. Technology alone is not enough to protect against this: you need policies, processes and the right security mindset.
Software Supply Chain Attacks
Software supply chain attacks happen when hackers manipulate the code in third-party software components in order to compromise the ‘downstream’ applications that use them. This is a difficult type of attack to protect against and a daunting problem for many organisations, so how can we make sure that the tools we bring in don’t leave us exposed? The answer is: adopt a Zero Trust mindset and methodology when it comes to your vendors and partners. When auditing your suppliers, make sure that they have adopted best practices for protecting against software supply chain attacks, including:
- Increased security awareness among DevOps teams
- Incorporated security into the entire development process
- Comprehensive map of the dependencies used by their applications
- Process for vulnerability disclosures
- Robust system for patching security bugs
- Access controls and least privilege models within their software development processes
- Software bills of materials (SBOMs) to track components and audit controls to keep software secure
Additionally, organisations need to understand that validation of supplier risk is an ongoing process, not a one-off exercise.
When Social Engineering Meets the Supply Chain
Another form of supply chain attack that is gaining popularity is vendor email compromise (VEC). Vendor email compromise is a form of email attack in which cybercriminals use stolen login credentials to infiltrate email accounts, often belonging to finance or accounts receivable workers at a supplier. It all starts with a phishing email, and sadly, most of the targeted vendors are small-scale operations that provide materials or services to larger companies. Small companies are the perfect target: they have limited resources to protect themselves, and because cyber-attacks on small businesses rarely make headlines, it’s easy for these businesses to be lulled into a false sense of security. The typical process of a VEC looks like this:
Stage 1. Phishing wave targeting vendors. Attackers try to steal credentials through phishing campaigns, for example targeting Office 365 users. The pandemic has provided the ideal ‘setting’ for these attacks, as more and more people are falling victim to phishing attempts under WFH models.
Stage 2. Takeover. The credentials have been successfully harvested. Now what? In stage 2, attackers access the employees’ hacked accounts and look for significant vendors who could be impersonated. Then they set up email rules to forward and redirect copies of all incoming emails to their own inboxes.
Stage 3. Reconnaissance. This is where scammers sit tight and go into “active waiting” mode. They analyse the emails, taking note of dates so they know the timing, billing practices, the look of recognised official documents, or any other information they can use to make the attack succeed. Usually, victims have no way of knowing what’s going on and don’t notice any signs of email spying. These criminals are patient, and they wait until the right moment.
Stage 4. Action. After a successful period of information gathering, the criminals launch the VEC attack by crafting spear-phishing emails and sending them to the vendor’s customers. They mimic the way a vendor representative writes an email and may even copy their signature. Timing is crucial: to avoid suspicion, attackers send payment requests on the exact dates that past invoices were due. This is all it takes to put a small company out of business, but larger organisations are at risk too. One of the largest VEC scams took place in 2015, when IT company Ubiquiti filed a report with the U.S. Securities and Exchange Commission revealing it was the victim of a $46.7 million “business fraud.” The scammers impersonated employees at a third-party company and targeted Ubiquiti’s finance department.
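The two stages that leave traces in mail data are stage 2 (the forwarding rules) and stage 4 (the payment request). The script below is an added example, not part of this article, showing what a defender can look for: inbox rules that copy mail to an address outside the organisation, and payment-themed messages that claim to come from a known vendor but arrive from (or ask for replies to) a lookalike domain or ask for a change of bank details. All mailbox names, domains, vendor names and the exported field layout are constructed assumptions for illustration.

```python
"""Vendor-email-compromise detections (added example, not part of the article).
Runs over constructed sample data: mailbox rules as a mail administrator might
export them, and inbound messages as a customer's finance team receives them.
All names, domains and field layouts are assumptions for illustration."""
from dataclasses import dataclass, field

# Assumed: the mail domain(s) the supplier itself owns.
INTERNAL_DOMAINS = {"supplier.example"}

# Assumed: the customer's list of vendors and the domain each is known to send from.
KNOWN_VENDORS = {"Acme Supplies": "acme-supplies.example"}


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)
    delete_after_forward: bool = False


def suspicious_forwarding_rules(rules):
    """Stage 2 indicator: rules that copy incoming mail to an address outside the
    organisation. Rules that also delete the message hide the theft from the
    mailbox owner, so they are rated higher."""
    findings = []
    for r in rules:
        external = [a for a in r.forward_to if _domain(a) not in INTERNAL_DOMAINS]
        if external:
            severity = "high" if r.delete_after_forward else "medium"
            findings.append({"mailbox": r.mailbox, "rule": r.name,
                             "external_targets": external, "severity": severity})
    return findings


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str


PAYMENT_WORDS = ("invoice", "payment", "remittance", "wire")
# Requests to change where money is sent are the core of the fraud and must be
# verified out of band even when the sending account is genuine.
CHANGE_WORDS = ("bank details have changed", "new bank", "updated bank", "new account")


def suspicious_payment_requests(emails):
    """Stage 4 indicators on payment-themed mail carrying a known vendor's name:
    a sender or reply-to domain that is not the vendor's real domain (lookalike
    or reply hijack), or a request to change payment details."""
    findings = []
    for e in emails:
        text = (e.subject + " " + e.body).lower()
        if not any(w in text for w in PAYMENT_WORDS):
            continue
        expected = KNOWN_VENDORS.get(e.display_name)
        if expected is None:
            continue  # not claiming to be a known vendor; out of scope here
        reasons = []
        if _domain(e.from_addr) != expected:
            reasons.append(f"sender domain {_domain(e.from_addr)} is not {expected}")
        if _domain(e.reply_to) != expected:
            reasons.append(f"reply-to domain {_domain(e.reply_to)} is not {expected}")
        if any(w in text for w in CHANGE_WORDS):
            reasons.append("requests a change of payment details; confirm by phone")
        if reasons:
            findings.append({"vendor": e.display_name, "subject": e.subject, "reasons": reasons})
    return findings


# Constructed sample data.
SAMPLE_RULES = [
    InboxRule("ap@supplier.example", "Archive invoices", ["archive@supplier.example"]),
    InboxRule("ap@supplier.example", ".", ["mail-backup@example.net"], delete_after_forward=True),
]
SAMPLE_EMAILS = [
    Email("Acme Supplies", "billing@acme-supplies.example", "billing@acme-supplies.example",
          "Invoice 1042", "Please find attached invoice 1042, due on the usual date."),
    Email("Acme Supplies", "billing@acme-supplies.example", "billing@acme-suppl1es.example",
          "Invoice 1043 - updated bank details",
          "Our bank details have changed; please use the new account for this payment."),
    Email("Acme Supplies", "billing@acme-supp1ies.example", "billing@acme-supp1ies.example",
          "Payment reminder", "Invoice 1040 is overdue, please wire today."),
]

if __name__ == "__main__":
    for f in suspicious_forwarding_rules(SAMPLE_RULES):
        print("RULE ", f)
    for f in suspicious_payment_requests(SAMPLE_EMAILS):
        print("EMAIL", f)
```

Note that the first sample message passes every check: a genuine invoice from a genuinely compromised account looks exactly like normal business mail, which is why the bank-details check fires regardless of domain and why the article's advice to confirm payment changes through a separate channel matters more than any filter.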
How to mitigate the risk of supply chain attacks
Supply chain security is not an easy feat. Smarttech247 have outlined practical steps you can take to protect against supply chain risks:
1. Identify your most critical suppliers
You need to be able to triage the risk each supplier poses to your organisation in order to effectively mitigate that risk. We recommend creating a risk register containing a list of your suppliers and identifying key elements that will allow you to determine the criticality of each supplier, such as the amount of access the supplier has to your corporate network, the amount of sensitive data they store on their networks, and the criticality of the technology stack they may supply to you. Once you have identified your critical and risky suppliers, you need a process for managing them:
- Assign a process owner
- Establish KPIs / SLAs in terms of information security that should be regularly monitored
- Create a Supplier Security Requirements Policy that outlines your expectations of the security requirements your suppliers must have in place.
- Regular audits are really important to verify the expected security measures. Go beyond boring Excel questionnaires and automated systems. Conduct audit meetings and verify evidence.
- Include security, privacy, document management, and compliance requirements in every RFP and supplier contract.
- Request regular penetration testing reports (if applicable) performed by independent auditors
2. Adopt a Zero Trust methodology and mindset
This means that you should implement defences based on the principle that your systems WILL be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to limit an attacker’s ability to exploit the information they have accessed and how to recover from the breach, i.e. an incident response plan. Focus on the gaps you have and assume someone is trying to exploit them.
From a software supply chain security perspective, there are a few key factors to consider, including:
- Regularly review and audit the vendor’s SDLC (Software Development Lifecycle) policy, regardless of their size. Remember the SolarWinds fiasco? A lot of organisations place their trust in the big technology players to have ‘bulletproof’ systems and assume nothing will go wrong, but that trust has come at a cost to the business.
- All vendor components and any open-source software must be pre-approved, supervised, and controlled.
- Updates or patches cannot be implemented until the vendor key contact has confirmed that no issues were identified in pre-production testing.
- Exercise tight control on any systems accessed by your vendors and data accessed by team members.
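Pre-approving vendor and open-source components is only enforceable if you can compare what a vendor actually ships against what you approved, which is where the SBOMs mentioned earlier come in. The script below is an added example (not code from this article or from any vendor) that reads a CycloneDX-format SBOM, a real SBOM standard, and checks each component’s package URL against an approved list. The approved list, the package names and the sample SBOM are constructed for illustration.

```python
"""Checking a supplier's SBOM against a pre-approved component list (added
example, not from the article). The SBOM is a constructed CycloneDX-style JSON
document; the approved list and package names are assumptions."""
import json

# Assumed: components (package URLs without version) and the versions that
# passed your review process.
APPROVED = {
    "pkg:npm/lodash": {"4.17.21"},
    "pkg:pypi/requests": {"2.25.1", "2.26.0"},
}

# Constructed sample SBOM in the CycloneDX JSON layout.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "requests", "version": "2.24.0",
         "purl": "pkg:pypi/requests@2.24.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "internal-widget", "version": "1.0"},
    ],
})


def split_purl(purl):
    """Split 'pkg:type/name@version' into (base, version); version may be empty.
    Scoped npm names encode '@' as '%40' in a purl, so the last '@' is the version."""
    base, sep, version = purl.rpartition("@")
    return (base, version) if sep else (purl, "")


def review_sbom(sbom_json, approved=APPROVED):
    """Return one (name, version, status, note) tuple per component."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    results = []
    for c in bom.get("components", []):
        name, version, purl = c.get("name"), c.get("version"), c.get("purl")
        if not purl:
            # Without a purl there is nothing reliable to match on.
            results.append((name, version, "unverifiable", "no purl; request one from the vendor"))
            continue
        base, ver = split_purl(purl)
        if base not in approved:
            results.append((name, ver, "unapproved", "component not on the approved list"))
        elif ver not in approved[base]:
            results.append((name, ver, "unapproved-version",
                            f"approved versions: {sorted(approved[base])}"))
        else:
            results.append((name, ver, "approved", ""))
    return results


def blocking_findings(results):
    """Everything that should stop the release going into pre-production."""
    return [r for r in results if r[2] != "approved"]


if __name__ == "__main__":
    for row in review_sbom(SAMPLE_SBOM):
        print(row)
```

A component without a purl is reported separately rather than silently skipped, because a gap in the SBOM is itself something to raise with the vendor before sign-off.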
3. Limit access levels and permissions
The first step when it comes to protecting your data is to know exactly who has access to what. You should be able to tell at any point how interconnected you and your supplier actually are and what data and systems you share. In addition, you must monitor your suppliers’ network access at all times. For example, a particular supplier may need access to a certain file for one project; this access should be taken away once that project finishes. The less access your suppliers have to your data, the better you can protect it.
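Steps 1 and 3 fit together naturally: the same register that ranks suppliers by criticality can carry each supplier’s access grants with the date the related project ends, so stale access surfaces at every review. The script below is an added example, not from this article, of such a register. It scores each supplier on the three elements named in step 1 (network access, sensitive data held, criticality of the technology supplied), assigns a tier, and lists any access grant that has outlived its project. The weights, tier thresholds, review intervals and sample suppliers are assumptions to adapt to your own risk appetite.

```python
"""Supplier risk register with time-bound access review (added example, not
from the article). Weights, tier thresholds, review intervals and the sample
suppliers are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Supplier:
    name: str
    network_access: int    # 0 none, 1 portal only, 2 remote/VPN, 3 privileged/admin
    data_sensitivity: int  # 0 public, 1 internal, 2 confidential, 3 regulated/personal
    tech_criticality: int  # 0 none, 1 convenience, 2 important, 3 business-critical


@dataclass
class AccessGrant:
    supplier: str
    resource: str
    project: str
    expires: date          # set from the project end date when access is granted


def risk_score(s: Supplier) -> int:
    # Network access is weighted highest: it is the island-hopping path in.
    return 3 * s.network_access + 2 * s.data_sensitivity + 2 * s.tech_criticality


def risk_tier(score: int) -> str:
    if score >= 14:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# How often each tier's controls are re-audited (days); assumed values.
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 365}


def expired_grants(grants, today):
    """Access that outlived its project and should be revoked."""
    return [g for g in grants if g.expires < today]


def build_register(suppliers, grants, today):
    """One row per supplier, highest risk first."""
    rows = []
    for s in suppliers:
        score = risk_score(s)
        tier = risk_tier(score)
        stale = [g.resource for g in expired_grants(grants, today) if g.supplier == s.name]
        rows.append({"supplier": s.name, "score": score, "tier": tier,
                     "review_every_days": REVIEW_INTERVAL_DAYS[tier],
                     "expired_access": stale})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data.
SUPPLIERS = [
    Supplier("Managed Services Co", network_access=3, data_sensitivity=3, tech_criticality=3),
    Supplier("Billing SaaS Ltd", network_access=1, data_sensitivity=3, tech_criticality=2),
    Supplier("Catering Ltd", network_access=0, data_sensitivity=1, tech_criticality=0),
]
GRANTS = [
    AccessGrant("Managed Services Co", "admin VPN", "ongoing support", date(2021, 12, 31)),
    AccessGrant("Catering Ltd", "shared folder /projects/summer-event", "summer event",
                date(2021, 6, 30)),
]
TODAY = date(2021, 8, 26)  # the article's date, used as the review date

if __name__ == "__main__":
    for row in build_register(SUPPLIERS, GRANTS, TODAY):
        print(row)
```

The low-risk caterer is the one with expired access in the sample, which is the point: the suppliers nobody thinks about are exactly the ones whose leftover access goes unreviewed.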
4. Cyber Security Training
Cybersecurity is never just a technology problem; it’s a people, processes and knowledge problem. All employees, whether they work for you or for your supplier, should be able to identify the signs of a cyber attack or a threat. Cyber security awareness training is crucial here. Every aspect related to security should be covered, such as common password mistakes, how to identify phishing attempts, business email compromise, types of malware, and what processes to follow if an attack does occur. Security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices.
Don’t forget that the supply chain is larger than just your suppliers: there are also your suppliers’ suppliers. Keep in mind that cyber attackers are always hunting for vulnerabilities to compromise your business, so every security hole (including the ones in your supply chain) must be closed.