The rise in supply chain attacks over recent years is a clear sign that organisations need to consider them a serious threat. The European Union Agency for Cybersecurity this year predicted a four-fold increase over the next year.
These days, endpoint security like stringent password protection, multi-factor authentication and virus scanning, is not enough. Organisation’s must go a step beyond this to protect their digital assets, namely because malicious actors have become smarter. A cyber-attack can permanently damage a business which is why steps must be taken to protect before an attack happens.
Supply chain attacks – what are they?
Threat actors know that it is hard work trying to hack into large organisations and government agencies with state-of-the-art cyber security. Instead, they have turned their attention to exploiting the trust these organisations have with their third-party software vendors.
Every organisation has a supply chain. That is, they have their trusted vendors or supply partners that they rely on to deliver products and services to their customers and clients. An organisation will work hard to establish these kinds of relationships in their supply chain. Malicious actors know this, so rather than attack their ultimate victim organisation head on, they sneakily enter via their trusted supply chain.
How do supply chain attacks work?
Malicious actors will hack into third-party software vendors because they are easier to infiltrate. They do not have the same cyber security in place than, say, a government agency. Or a large bank.
The attack vector, which is the path in which a supply chain attack occurs, is very clever. Cyber criminals will go unnoticed, embedding malicious code within a third-party vendor software release, or a software update, or even a security patch. Because the software vendor is trusted to the organisation, permission is granted to install. The malicious code will gain access and make its way into the IT system of the organisation, having access to all the parts of the IT network the trusted software has access to.
It may lay dormant for weeks, going unnoticed, but by this time it is present within all the third-party vendor’s clients. Essentially the cyber criminals have attacked many large organisations with a single effort. Threat actors can then launch this malicious code remotely to attack the IT systems it has infected. It can roam the network, attempting to exploit whatever it can, such as sensitive customer information. It can attempt to launch a variety of attacks such as a ransomware attack to achieve whatever mission it set out to accomplish.
A recent example of this is SolarWinds. Last year Russian hackers (later established to be working for Russia’s foreign intelligence agency) infiltrated the software firm SolarWinds, embedding code into their project management tool Orion. 18,000 networks use Orion. These cyber criminals made their way deep into US federal agencies including NASA, the State Department, the Department of Defense, and the Department of Justice.
Security experts believe it could be decades before the true damage of this attack will be known. They don’t know what information was stolen and they are certain that some of the malicious code is still present and may be used to launch other attacks in the future.
The best way to prevent supply chain attacks
Implementing strong supply chain security is the best way to armour organisations from supply chain attacks. With the aid of cyber security experts, supply chain risk must be managed on an ongoing basis by investigating all third-party software vendors an organisation relies on.
Security experts know what to look for in compliance with strict cyber security standards. Is there software developed overseas? There may extra risks involved when the software is developed in low-cost countries with authoritarian governments like China.
Querying vendors on their application development and if they use open-source code. Most software today contains some sort of open-source code as most of it is free. The software development lifecycle is accelerated by using open-source code. However, because the security around it isn’t very strong, malicious actors try to embed malicious code within it which can pose an extra risk.
All software vendors should be checked and only those that meet stringent criteria should be allowed to execute on an IT network. Even execution of a patch or an update should be monitored closely by a security expert to ensure it is running as expected and to and to look for anything peculiar. An application whitelist should be created for approved applications so that no other applications can run on the IT network. The application whistling should be tested by a security expert also.
Cyber security risk management and the management of security vulnerabilities must be part of any business. Talk to the security experts at Lindentech today to see how they can help.