Attacks on the supply chain have become increasingly common over the past year. How do these attacks affect organizations, and you? Supply chains are just as vulnerable to attack as any other company or organization. As in many organizations, people are the most common route by which attackers gain access, so employees need to remain mindful of email attachments from unknown sources and careful about whom they share their credentials with. Now hackers are also making their way into devices and networks by attacking software and hardware specifically related to supply chains.
A supply chain attack is a cyberattack that targets companies through vulnerabilities in their supply chain. Supply chain attacks are not limited to a specific industry and have been known to target any vulnerable sector, including government, finance, and energy. These vulnerable sectors generally use a third-party vendor with inadequate security practices. A cyberattack on a third-party vendor is a more likely attack vector because vendors require access to crucial data in order to integrate with an organization’s internal systems. Simply put, if the vendor is compromised, then the chunk of the organization’s data shared with that vendor has now been compromised too. As vendors typically serve several clients, a single supply chain attack can often result in multiple organizations suffering.
By compromising a single vendor or supplier, the attacker can turn any application, piece of software, or physical equipment into a trojan horse and release it through the vendor’s distribution system. From there they have a launchpad into the networks of the supplier’s customers, which can easily run into the hundreds or even thousands of clients.
Types of supply chain attacks
Software supply chain attacks typically target the vendor’s source code, its build process, or its update mechanisms. The following are the most common vectors used to compromise a victim:
- Application installers
- Third-party software updates
- Malware installed on connected devices such as cameras, smartphones, external hard drives, etc.
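The installer and update vectors above share one defensive check: before an artifact is deployed, compare it against the size and hash the vendor published out-of-band (on a signed release page or in a separate manifest), never against values fetched from the same place as the download. The following Python is an added example written for this article, not code from the original post or from any vendor; the artifact names, the manifest layout and the sample installer bytes are constructed for illustration. It shows the vendor side producing a manifest entry and the customer side verifying a clean copy, a same-length tampered copy, a padded copy, and an artifact that is absent from the manifest.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class ManifestEntry:
    """Values a vendor publishes out-of-band for one release artifact."""
    sha256: str  # hex digest of the artifact bytes
    size: int    # byte length; a cheap check to run before hashing


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    reason: str  # "ok", "unknown-artifact", "size-mismatch" or "hash-mismatch"


def manifest_entry_for(data: bytes) -> ManifestEntry:
    """Vendor side: derive the manifest entry for a release artifact."""
    return ManifestEntry(sha256=hashlib.sha256(data).hexdigest(), size=len(data))


def verify_artifact(name: str, data: bytes,
                    manifest: Dict[str, ManifestEntry]) -> VerifyResult:
    """Customer side: gate deployment on the pinned size and digest.

    Checks run cheapest-first: an artifact not in the manifest is refused
    without hashing, a length mismatch is refused without hashing, and only
    then is the SHA-256 compared (in constant time) with the pinned value.
    """
    entry = manifest.get(name)
    if entry is None:
        return VerifyResult(False, "unknown-artifact")
    if len(data) != entry.size:
        return VerifyResult(False, "size-mismatch")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, entry.sha256):
        return VerifyResult(False, "hash-mismatch")
    return VerifyResult(True, "ok")


# Constructed stand-ins for installer bytes (hypothetical artifact name).
ARTIFACT = "agent-installer-2.4.1.msi"
GOOD_INSTALLER = b"MZ\x90\x00 example-agent-installer v2.4.1 (constructed)"
# Same length, last byte altered: passes the size check, fails the hash check.
TAMPERED_INSTALLER = GOOD_INSTALLER[:-1] + b"!"
# Extra bytes appended: caught by the cheaper size check before any hashing.
PADDED_INSTALLER = GOOD_INSTALLER + b"\x00extra"

# The manifest is built from the vendor's known-good copy; in practice it is
# obtained from a channel separate from the download itself.
MANIFEST = {ARTIFACT: manifest_entry_for(GOOD_INSTALLER)}


def check_all() -> Dict[str, VerifyResult]:
    """Run the gate over every constructed sample and return the outcomes."""
    return {
        "good": verify_artifact(ARTIFACT, GOOD_INSTALLER, MANIFEST),
        "tampered": verify_artifact(ARTIFACT, TAMPERED_INSTALLER, MANIFEST),
        "padded": verify_artifact(ARTIFACT, PADDED_INSTALLER, MANIFEST),
        "unknown": verify_artifact("agent-installer-9.9.9.msi", GOOD_INSTALLER, MANIFEST),
    }


if __name__ == "__main__":
    for label, result in check_all().items():
        print(f"{label:9s} deploy={result.ok!s:5s} reason={result.reason}")
```

Note the limit of this check: a pinned hash detects tampering of the artifact after the vendor published it, but if the vendor’s own build or release process is compromised, the tampered artifact ships with a matching hash. That is why the check belongs alongside vendor evaluation rather than in place of it.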
Who is vulnerable to supply chain attacks?
As stated above, supply chain attacks are not limited to any industry or sector. Any company that produces software or hardware for other companies is a prospective target. Nation-state-backed actors can have deep resources and the requisite skills to infiltrate even the most well-secured organizations. Even security vendors are not exempt from being targeted by these attacks.
What can we do?
What can you, as an organization, do? Regulatory frameworks, such as those for the healthcare and financial sectors, offer third-party risk testing and standards that vendors must follow. For example, the Payment Card Industry (PCI) standards include a software quality assurance (SQA) element to test the standard of the mobile payment component. There are also general frameworks such as the Capability Maturity Model (CMM), Common Criteria, System and Organization Controls (SOC), and International Organization for Standardization (ISO) 9001. The solution to supply chain attacks may be less a technological one than an organizational one. Government agencies and companies need to be cautious when selecting their software and hardware suppliers, evaluating them and holding them to defined criteria. With regard to cybersecurity, organizations should seek to control and limit their supply chains in order to establish reliability.
One thing organizations should not do is stop deploying patches. Even now, supply chain attacks are rarer than attacks against known vulnerabilities. The risk of a security update left unapplied, or a vulnerability left unpatched, far exceeds the risk of a supply chain attack. Instead of delaying patches, organizations should ask their third-party suppliers what procedures they have in place to guard their software against such attacks. Organizations need to examine their software vendors, especially those whose software has high-level access to company data.
For more similar articles, visit https://blog.excellimatrix.com/