A supply chain attack is a particular type of cyber attack that seeks to gain access to protected information or damage an organisation by targeting less-secure elements in the supply chain, such as third-party vendors or software. These attacks often lead to huge losses and reputational damage for the victims.
In an interview with CSA, Daniel Chu, Director of Systems Engineering at ExtraHop Networks, explained that for many organisations, some of the mission-critical, revenue-generating services that they handle have underlying IP systems that face higher vulnerabilities. “All it takes is one breach or an obscure, vulnerable third-party for the entire network to be compromised. The information that businesses handle on networks and across supply chains is growing at an alarming speed. Businesses understand the importance of securing their systems and data but many lack the resources and the understanding of their software supply chain to do so effectively,” said Daniel.
The SolarWinds attack that occurred in recent months became top news because of the scale of the attack and how it impacted customers that include government agencies. It also involved infrastructure monitoring software that was itself privileged within the network and not segmented off from critical resources. The incident demonstrated how software that resides within the perimeter, once compromised, becomes an open door for outsiders to do what they want within the networks.
In the case of supply chain compromise, where cybercriminals enter the network via an exploit in trusted software, Daniel warned that whatever tools are used for monitoring at the perimeter are rendered useless. “Even things like log files and agents don’t reliably detect supply chain compromise if the attackers are adept enough at finding and evading those controls,” he added, stating that in order to find malicious activity stemming from supply chain compromise, you need to understand network behaviour and be able to detect deviations that indicate a problem.
“By looking at your critical assets, database, active directory and infrastructure, businesses can understand if there are any malicious actions that exist within the network,” Daniel explained.
When It Comes to Fortifying Your Supply Chain, the Time To Start Is Now
When it comes to security, there are always challenges. Daniel mentioned that the biggest challenge for the supply chain is that attacks on it are instigated by cybercriminals who tend to leverage new techniques and tools that are hard to detect. Often, IT teams are not equipped with the right tools and skills to detect these threats. Therefore, scaling the security team to respond to alerts and thus minimise detection time continues to be a challenge, especially with the shortage of skilled cybersecurity professionals globally.
On this issue, Daniel said, “These attackers often use stolen credentials from legitimate suppliers or trojanised updates to trusted third-party software. With these credentials, attackers can gain access into the organisation’s IT infrastructure, making it difficult to identify these network anomalies until it is too late.”
To make matters worse, rapid digitalisation and connectivity advancements mean that organisations urgently have to identify their “invisible perimeter” in order to protect themselves from potential breaches. What does the invisible perimeter refer to? In the words of Daniel, “It’s that it doesn’t really exist, at least not in the sense of building a wall around a corporate network.”
The migration of workloads to the cloud and exponential increases in device connectivity – including many unmanaged devices – have rendered the perimeter extremely porous at best. Vendors need to be vigilant when dealing with confidential information such as bank account details and employees’ information. He added that businesses should ensure that security is not seen as a cost centre but an essential asset for the organisation.
Businesses worldwide need to realise how they can better prepare themselves for future attacks and why it is crucial to start early. According to Daniel, the SolarWinds hack shows what happens when bad actors focus on finding unprotected threat surfaces and exploit them for data using stolen privileged access credentials. Having real-time access to this information via a tool with intuitive usability and workflows helps security operations follow an attacker’s tracks to quickly remediate vulnerabilities and help auditors forensically determine the extent of damage to an organisation.
The Importance of Getting Every Stakeholder on Board
Over the years, we have seen a growing awareness of the need to protect consumer data, and GDPR, CCPA, and other regulations took years to implement to secure PII data. According to Deloitte, businesses that are able to reassure consumers that their data is protected will see greater current and future success.
However, as cybercriminals become more creative in how they retrieve confidential data such as phone numbers, addresses, and emails, users themselves also play an important role in fortifying the supply chain even further. Daniel shared some tips for consumers to protect their data:
Start smart: Use strong passwords and don’t use the same password for multiple logins. Password managers like 1Password and LastPass make it possible to easily generate long, random passwords and store them for easy login from any device.
Double down: Two-factor authentication (2FA) is a must whenever and wherever possible. Banks, social media accounts, electronic health records and many other organisations now offer or require 2FA. If it’s available, consumers should use it.
Be selective: Make sure the organisations with which you’re doing business are smart on security. Any website that doesn’t use HTTPS for credential authentication is basically giving your information away to the internet for free. That is why Google Chrome and other browsers now often warn consumers when they’re about to visit a site without encryption. Heed those warnings, folks!
Be sceptical: Over four per cent of phishing scams, whether through email or increasingly text, are successful. If something seems off (the send address looks wrong, or it’s asking you to click a link to change your password or update your credit card information), DON’T. Those links often go to spoofed sites designed to steal your credentials. Always, always visit the website directly to make updates. If you’re told to call a number, go look up the number from the bank or institution and call that number.
All in all, businesses should work with their stakeholders, be it consumers, investors, or employees, to protect confidential data with suitable measures. By implementing the right strategy to support each stakeholder on how they can better protect their data, Daniel believes that businesses can shift their focus to creating a better customer experience during difficult times.