No business owner wants to discover that their organization has suffered a supply chain attack. These cyber attacks target organizations by compromising weak links in the supply chain. These chains are complex and include the vendors, suppliers, and subcontractors that are involved in the process of creating a product or providing a service. This system requires efficient means of communicating and transporting physical and electronic material between parties. The more parties involved, or links in the chain, the more risk.
The Danger of a Supply Chain Attack
After compromising a weak link in the supply chain, a cyber criminal can leverage the streamlined communication between a business and its vendors. The bad actor may use the position to steal sensitive data, carry out a Denial of Service (DoS) attack, or introduce malware disguised as a software update. Such attacks can be difficult to detect, since they often circumvent other data security measures by masquerading as a trusted vendor. One weak supply chain link could provide a criminal access to multiple clients, leading to thousands of potential victims.
Cyber-based supply chain attacks can be classified as a form of island hopping attack.
Supply chain attacks have been some of the most publicized and damaging cyber events of the last half decade. Attacks can lead to loss of money, data, and intellectual property, and can cause widespread chaos across many affected entities at once. The National Institute of Standards and Technology provides an outline of how supply chain attacks compromise software.
SolarWinds
When considering supply chain attacks, it is almost impossible to ignore the SolarWinds incident of 2020. It started when the cybersecurity company FireEye discovered it was the victim of an attack by a group it named UNC2452 (later suspected to be Cozy Bear). While investigating, FireEye realized that a nation-state level attacker had trojanized a SolarWinds Orion business update to gain access to massive numbers of clients. Victims were scattered across at least 19 countries and included businesses in various sectors and multiple governmental agencies from as early as May of 2020, months before the breach was noticed. In a January 2021 joint statement, the United States’ FBI, CISA, ODNI, and NSA stated there were as many as 18,000 clients of SolarWinds affected by the initial attack by a Russian-affiliated group of cybercriminals, though not every client faced compromising follow-up activity.
Protecting Your Organization
The SolarWinds attack has cast a long shadow when it comes to data security and supply chain safety. Additional hacks like the 3CX cryptocurrency attacks continue to show the importance of viewing nation-state level supply chain attacks as a present threat. Protecting digital assets is just as important as protecting physical ones, and the assumption of security can be risky.
Strengthening their entire supply chain allows organizations to be nimble, flexible, and able to compete without unnecessary risks that can compromise clients, customers, and employees.
Start with these tips to assess the strength of your organization’s supply chain.
- Know the Supply Chain. Map the routes materials take throughout the supply chain, and note each party that has access to each part of the production process. Understand the capabilities of all software and hardware used to communicate along the line as well.
- Assess the threat. Every new party who has access to data expands the attack surface criminals can probe. Consider removing parts of the chain that are not adding enough value to offset the risk they introduce. The National Cyber Security Centre provides an example of a Supply Chain Threat Assessment.
- Evaluate vendors and partners. Make sure that each party has a robust defensive posture and meets all necessary data security standards. Read more about assessing vendors’ security.
- Manage the data lifecycle. Verify that the organization’s data is destroyed by all external parties after contracts are ended or projects are completed (in alignment with applicable data retention laws).
- Audit who has access to data and software. Be aware of what parties have control of proprietary data. Limit who can view information, update software, and remove digital material from sites.
- Implement a Least Privilege Model. Grant access only to organizations and individuals who need the information, and only the minimum access needed to complete their tasks. Least Privilege should be implemented for internal employees as well as outside vendors.
- Provide Tools and Training in Data Security. Create a strong cybersecurity culture within the organization, and utilize tools such as Multi-Factor Authentication, Two Party Integrity, and Endpoint Security software solutions like DriveStrike.
- Create a plan in the event of a cyberattack. Verify that there are secured backups, a Cybersecurity Incident Team, and a means to Locate and Remotely Wipe endpoints in the event of a disaster. Have an Incident Response Plan in place to outline these procedures.
Ultimately, it is each organization’s responsibility to ensure its supply chain is secure. Taking steps to enhance one’s defensive posture and ensure supply chain partners do the same is an important aspect of doing business in the 21st Century. That means companies must understand their supply chain, the route their data takes through it, and the culture and procedures of all parties involved. Be proactive and begin fortifying your data against a supply chain attack today!