Supply Chain Cyber Security: What Are the Risks?
And how your business partners may be the weakest link in your organization’s security
As organizations and their partners become increasingly interconnected, cyber security risks can endanger all parties involved. Even when your business is protected by sophisticated security tools, you can never be certain your suppliers have the same protection in place. This is why you should never ignore potential supply chain cyber security risks when it comes to protecting your company and its sensitive information. A study conducted by the Ponemon Institute found that 59% of companies were affected by a cyberattack through third parties, so it’s clear that this aspect of your business must not be neglected. Keep in mind that cyber attackers are always hunting for vulnerabilities to compromise your business, so every security hole (including the ones in your supply chain) must be closed. Here is an essential question you should ask yourself before partnering up with a vendor: after closing this partnership, will my supply chain cyber security keep pace?
The supply chain cyber security risks
First of all, what exactly does supply chain cyber security refer to? Here is how the Infosec Institute explains the concept:
Cyber security in the supply chain is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software, and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the Advanced Persistent Threat (APT).
Basically, a supply chain attack happens when someone infiltrates your organization through a third-party: a partner or provider. Even though controlling this aspect may seem highly difficult at first glance, the good news is that there are some ways in which you can protect your business. First of all, you should identify how your supply-chain partners may (unintentionally) compromise your business to be able to understand how to protect yourself. But I’ll cover the steps you should take to safeguard your company from supply chain cyber security attacks in more detail later on.
Examples of supply chain cyber security attacks
Now, let’s take a look at some examples of supply chain cyber security attacks that we saw in the past.
The Superfish adware (2014)
Imagine you’ve ordered brand new laptops for your entire team. Everyone’s excited to toss their old machines and start fresh. But after several months, you discover that the new laptops used by your employees came with dubious pre-installed software that puts your organization’s security at risk. From August 2014 through early 2015, Lenovo sold laptops bundled with the Superfish software, which was used to insert ads into Google search results. Superfish intercepted HTTP(S) traffic using a self-signed root certificate that was stored in the local certificate store, and this is where the security problem lies: any certificate signed with that root is trusted by the machine. For example, when someone visited https://www.bankofamerica.com/, they would discover that the certificate wasn’t signed by VeriSign as expected, but rather by Superfish.
[Image: screenshot of the Superfish-signed certificate for bankofamerica.com. Source: arstechnica.com, initially posted on Twitter by security researcher Chris Palmer]
The same Superfish-signed certificate appeared when accessing other HTTPS websites, and it seems that in fact all TLS-protected websites were affected. Because the private key of the Superfish root was the same on every affected laptop, attackers could use it to certify fake HTTPS websites that masqueraded as legitimate ones. Machines that had the Superfish root certificate installed were not able to detect which websites were actually fraudulent. Generally, adware that interferes with HTTPS connections leaves users vulnerable to Man-in-the-Middle attacks.
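The defensive check that follows from the Superfish case is to audit the local trust store for self-signed roots that are not part of the expected public baseline. The script below is an added example, not code from the article or from Lenovo, Superfish or Heimdal; it works on the decoded certificate layout that Python’s ssl.SSLContext.get_ca_certs() returns, and the sample store, the "Example Vendor" root and the baseline set are constructed for illustration.

```python
import ssl


def _name_to_dict(name):
    """Flatten an ssl-style name (tuple of RDN tuples) into {attr: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def audit_root_store(ca_certs, expected_roots, flagged_orgs=("Superfish, Inc.",)):
    """Return [(reason, commonName)] for roots that should not be trusted.

    ca_certs       -- decoded certs in ssl.SSLContext.get_ca_certs() format
    expected_roots -- baseline set of commonName values that belong here
    flagged_orgs   -- organizationName values of known interception roots
    """
    findings = []
    for cert in ca_certs:
        subject = _name_to_dict(cert["subject"])
        issuer = _name_to_dict(cert["issuer"])
        cn = subject.get("commonName", "")
        if subject.get("organizationName") in flagged_orgs:
            findings.append(("known interception root", cn))
        elif subject == issuer and cn not in expected_roots:
            # Self-signed and absent from the baseline: something added locally.
            findings.append(("unexpected self-signed root", cn))
    return findings


def audit_live_store(expected_roots):
    """Audit the roots that the default ssl context actually loaded on this host."""
    return audit_root_store(ssl.create_default_context().get_ca_certs(), expected_roots)


def _self_signed(org, cn, country="US"):
    """Build a constructed self-signed root entry in get_ca_certs() layout."""
    name = ((("countryName", country),), (("organizationName", org),), (("commonName", cn),))
    return {"subject": name, "issuer": name}


# Constructed sample store: two public roots, one vendor-added proxy root
# (hypothetical), and the Superfish root that shipped on the Lenovo laptops.
SAMPLE_STORE = [
    _self_signed("DigiCert Inc", "DigiCert Global Root G2"),
    _self_signed("Internet Security Research Group", "ISRG Root X1"),
    _self_signed("Example Vendor", "Example Vendor TLS Proxy Root"),
    _self_signed("Superfish, Inc.", "Superfish, Inc."),
]
BASELINE = {"DigiCert Global Root G2", "ISRG Root X1"}

if __name__ == "__main__":
    for reason, cn in audit_root_store(SAMPLE_STORE, BASELINE):
        print(f"{reason}: {cn}")
```

On a real host, compare audit_live_store() output against the baseline your OS or browser vendor publishes; any self-signed root outside that baseline deserves an explanation from whoever provisioned the machine.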
The Target data breach (2014)
Back in 2014, the Target data breach took place because one of the company’s vendors was compromised. In short, here is what happened. An employee of Fazio Mechanical, a refrigeration contractor, opened a phishing email, which allowed Citadel, a variant of the Zeus banking trojan, to be installed on the vendor’s endpoints. Later on, the attackers managed to harvest login credentials from Fazio’s employees. The company did not have an anti-malware solution in place at that time that offered real-time protection and could have prevented and stopped this kind of threat, and as a result it became a victim. Next, the attackers figured out which portal would be a good entry point for them to access Target’s internal network. Target never specifically mentioned which system was used, but security experts considered Ariba to be the main candidate. It was speculated that attackers abused a vulnerability in the web application (maybe an SQL injection, XSS, or a zero-day) to enter a system, escalate privileges and then take over the internal systems. Afterward, the attackers gained control of Target’s servers. Again, it’s unclear how they managed to do that, but specialists indicated that the servers might have been affected by an SQL-injection attack. As the last step, the cybercriminals took over Target’s POS systems. The malware that infected them is called Trojan.POSRAM. How does this type of malware work? In short, the “RAM-scraping” portion of the POS malware steals card information from the POS devices’ memory when cards are swiped. After the attack, Target aimed to improve its security posture and, as shown on its website, took several steps, such as enhancing its monitoring and logging, reviewing and limiting vendor access, reducing privileges for certain accounts, and training its employees to use more secure passwords.
Domino’s Pizza Australia data breach (2017)
The Domino’s Pizza Australia data breach also seems to have happened within the supply chain. The pizza delivery company was notified of the breach by its own customers, who discovered their data on online spam lists. According to the company, the incident took place because of a flaw in their online rating system provided by an online supplier (the company claimed that no one gained unauthorized access to their internal systems).
How to keep your organization safe from supply chain cyber security attacks
Supply chain organizations often fall victim to supply chain cyber security incidents because in most cases they are simply unaware of potential threats and don’t have the proper protection measures in place. Attackers are well aware of this reality and spend a lot of their time and energy finding a vendor’s weak points so they can infiltrate it and, at a later time, get their hands on the bigger fish: your own organization. So, here is how you can protect your business from potential supply chain cyber security risks.
#1. Always vet your vendors before starting any partnership
According to the Ponemon report, you do have the power to reduce the incidence of a breach by 20%. More precisely, all it takes is to evaluate the security and privacy policies of all your suppliers, and the likelihood of a data breach will decrease from 66% to 46%. Easier said than done, right? To help you get started, below I’ve listed a few suggestions on how to assess your vendors before closing a partnership:
- Ask them to do a security self-assessment (what security tools they are using, what privileged access management policy they have in place, are they keeping up with their patches and updates, etc.)
- Perform audits on your provider and, where your contract allows it, run your own penetration tests against them.
- If needed, you may even advise your vendor to acquire cyber insurance.
In short, make sure your vendors are transparent and let you understand exactly how they secure their organization and that they are always open to suggestions and improvements.
#2. Continuously monitor data access
The first step when it comes to protecting your data is to know exactly who has access to what, from both your side and your vendors’. You should be able to tell at any point how interconnected you and your supplier actually are and what data and systems you share. The Ponemon Institute survey pointed out that only 35% of companies created lists that contained all the third parties with whom they were sharing sensitive information. Try not to be one of them! Remember the Target incident mentioned above, when the attackers stole the credentials from the vendor to gain access to Target’s customer data? Well, this scenario could happen anytime under the proper circumstances, so be certain you are prepared to deal with it.
#3. Train your team and know for sure your vendors educate their own employees too
I can’t stress enough the importance of cyber security training. All employees, no matter if they’re working for you or for your vendor, should be able to identify the signs of cyber-attacks and threats. So, cyber security awareness training is crucial and it certainly makes up a strong layer of defense for both your organization and your vendor. Every aspect related to security should be covered, such as common password mistakes, how to identify phishing and spear-phishing attempts, what is business email compromise (BEC) and vendor email compromise (VEC), how to identify types of malware, and what processes to follow if they are ever faced with any of these threats or notice anything suspicious going on inside the organization.
#4. Safeguard your organization using multiple layers of protection
Of course, securing your endpoints and networks is an essential step to prevent attacks. But other aspects, like having good patch management in place, properly managing admin rights in your organization, and securing email from different angles (preventing spam as well as more advanced email threats), are equally important. Thus, make sure you choose a suitable IT security partner to work with.
Heimdal™ Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
Organizations of all sizes, as well as their vendors and partners, can easily become victims of supply chain cybersecurity attacks if they don’t apply at least some basic protection measures. It’s crucial that all companies understand the risks that can live inside their supply chain and foster a culture of organization-vendor cross-collaboration to be able to prevent and minimize the risks.