Virtually every organisation in the world, whether in the public or private sector, depends on third-party software in their supply chain, making it critical to business operations and an attractive target for cyber criminals.
One of the biggest global attacks was the now-infamous NotPetya campaign, which began with an extremely effective supply chain attack focused in Ukraine. In another example locally in Australia, a national security contractor was breached and the attackers stole large amounts of the defence supplier's data including sensitive information about Australia's warplanes and navy ships.
The supply chain is increasingly becoming a target for cyber-attacks, as a weak link in the supply chain can give criminals access to the larger organisation. There are several ways a supply chain can be attacked, through theft of a vendor’s credentials or malware compromise of software that the organisation uses.
Software supply chain attacks are challenging because the vulnerabilities in many of these software programs are difficult to detect. Most organisations use legitimate software that updates automatically and silently — making it difficult to verify and see what activity is occurring. The attackers are exploiting software and trust that existed well before the vulnerability is identified or the attack takes place, making it difficult to nail down the problem or figure out how it occurred.
As a baseline, below are actionable practices and tips that businesses should take into consideration as they shape their supply chain risk mitigation strategy.
Limit access
The first step to protect the supply chain is to identify all of the suppliers, partners, customers, or other organisational entities that your business relies upon and catalogue how they interact with your data, technology and infrastructure. Once you understand the extent to which third-party organisations require and maintain communication with your infrastructure, you must establish strict requirements and limit access.
The importance of IT hygiene
Applying a “hygiene first” approach to security architecture will give you full visibility into your IT environment and help you address blind spots in your architecture. IT hygiene provides visibility into your environment while giving you the means to address security risks before they become issues. When evaluating your environment’s security, an effective IT hygiene solution should focus on three key areas:
- The “who”: Who is working on your network and what can they do? The theft of administrative privileges means attackers can silently infiltrate your network and elevate permissions for further access.
- The “what”: What applications are being run and what is the security risk? Unpatched applications and operating systems, particularly in BYOD business environments, can be leveraged by attackers. Often, users forget to update their applications consistently, which can create vulnerabilities in your architecture.
- The “where”: Where are the unprotected systems? A chain is only as strong as its weakest link. Having unprotected systems in your environment can create a backdoor for attackers, offering them unguarded access to your data.
Once you identify these, you can find the security solution that provides comprehensive threat prevention, detection and response and satisfies your organization’s security requirements.
Threat intelligence
Threat intelligence needs to be part of every conversation to do with supply chain threats. Threat intelligence can help provide information about attacks and in particular, provide indicators of compromise that an organisation can use to hunt for potential issues and also use them to correlate across their SIEM implementations.
As organisations become more interconnected and dependent on each other, it is critical that they understand exactly who is involved in their supply chain process. Implementing proactive, extensive and validated IT security solutions and establishing clear and limited access guidelines for supply chain vendors are a company's greatest defense against cyber-attack.