Supply chain attacks were up 78% in 2019 [1]. Research by cyber-security company CrowdStrike found that two-thirds of businesses had suffered a software supply chain attack during 2018 [2]. It is a trend that looks set to continue during 2020. After all, why attack a well-protected target directly when you can inherit the access and trust it has already extended to one of its suppliers?
What is a supply chain attack?
As the name suggests, a supply chain attack reaches an organisation, sector or entire industry by targeting the less secure elements of its supply chain: typically the smaller businesses that provide products, services and software to larger firms. The bigger the organisation or industry, the more complex its supply chain is likely to be. Unfortunately, many organisations have only a limited view of who their suppliers are, what access those suppliers hold and what code they ship. It is this lack of visibility that makes the supply chain so attractive to attackers.
Dragonfly attacks the energy sector
The cyber-espionage group Dragonfly compromised third-party software in order to reach large companies. The group inserted malware into legitimate software packages used to manage industrial control systems (ICS), so customers who downloaded those packages from the vendors' own sites infected themselves. Being hidden inside authentic, vendor-distributed software made the malware hard to detect, and it gave the attackers remote control of the affected systems [3].
Customer service chatbot exploited to steal credit cards
In 2018, Ticketmaster, an international ticket sales company, suffered a security breach affecting around 40,000 UK customers [4]. It later emerged that Ticketmaster was just one of over 800 ecommerce websites hit by a credit-card skimming gang known as Magecart [5], and that the entry point was a third-party customer support chat script loaded by many websites: the script had been tampered with at the supplier, so every page that embedded it served the skimming code to its own visitors [6].
Supply chain attack prevention
So, how do you protect your organisation from supply chain attacks? It may seem obvious, but the first step is to choose your suppliers and partners carefully; a little due diligence now can save a great deal of trouble later. Next, write minimum security requirements into your contracts.
If your organisation shares personal data with third parties for any reason, it is particularly important to put all security arrangements and responsibilities in writing to support GDPR compliance. Remember that as the data controller you remain accountable for what your processors do: if a vendor handling your data is not compliant, neither are you. Make vendors aware of their security obligations right at the start of the procurement process.
Rigorous vendor assessment
Naturally, you will want to judge vendors fairly and consistently, so set your minimum security requirements out in a standard vendor assessment document and apply it to every candidate. Ask to see the potential vendor's incident response plan: if they are prepared to respond quickly and effectively to an attack, you may not have to. Finally, you can commission a penetration test of the vendor's systems to confirm that their precautions are adequate [7]. This must be agreed with the vendor and scoped in writing before any testing begins; testing systems you do not own without authorisation is unlawful.
Large organisations tend to have complex supply chains, and so have to accept a larger exposure to risk and manage it accordingly. Small and medium-sized firms, however, can often reduce the risk of a supply chain attack simply by limiting the number of vendors they deal with (known as an avoidance strategy). Any organisation can also reduce its exposure by placing strict access controls on what each vendor can and cannot do inside its network: a separate account per vendor, access limited to the systems the contract actually requires, and removal of that access as soon as the engagement ends.
Costing the Earth
The now infamous NotPetya attack of 2017 started with M.E.Doc, an extremely popular Ukrainian accounting package. The attackers gained access to the company's update servers and used them to deliver their malware, which presented itself as ransomware but was in practice a wiper. When M.E.Doc users updated their software, they unwittingly installed the malware as well, and it then spread rapidly from business to business across connected networks. NotPetya is estimated to have cost the global economy $10 billion, making it the costliest supply chain attack ever [8].
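The M.E.Doc incident shows why an update client should never treat "it came from the vendor's update server" as proof of authenticity. The Go program below is an added example, not M.E.Doc's code or any real updater: the vendor signs a small manifest (version plus SHA-256 of the payload) with a release key, and the client verifies that manifest against a public key pinned inside the client itself, then checks the payload digest and refuses rollbacks. The version strings, payloads and keys are all constructed in-process; the scenarios show what an attacker who controls only the update server can and cannot get past such a check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the small signed record served next to the update payload.
type Manifest struct {
	Version   string // dotted numeric version, e.g. "10.01.176" (hypothetical)
	SHA256    string // hex digest of the update payload
	Signature []byte // ed25519 signature over Version + "\n" + SHA256
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned release key")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
	ErrRollback     = errors.New("offered version is not newer than the installed one")
)

func signedMessage(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// Release is the vendor-side step: hash the payload and sign the manifest.
// It belongs on an isolated signing host, never on the update server itself.
func Release(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256: digest, Signature: ed25519.Sign(priv, signedMessage(version, digest))}
}

// newer reports whether a is a strictly newer dotted-numeric version than b.
func newer(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x > y
		}
	}
	return false
}

// Verify is the client-side check run before anything is installed. pinned is the
// release public key compiled into the client, not fetched from the server.
func Verify(pinned ed25519.PublicKey, m Manifest, payload []byte, installed string) error {
	if !ed25519.Verify(pinned, signedMessage(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	if !newer(m.Version, installed) {
		return ErrRollback
	}
	return nil
}

// Scenarios plays out one genuine update and three moves available to an attacker
// who owns the update server, returning the verifier's verdict for each.
// Keys, versions and payloads are generated here; none of it is real data.
func Scenarios() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	const installed = "10.01.175"
	genuine := []byte("accounting-app 10.01.176 (constructed payload)")
	backdoored := []byte("accounting-app 10.01.176 + implanted dropper (constructed)")
	older := []byte("accounting-app 10.01.170 (constructed payload)")
	m := Release(vendorPriv, "10.01.176", genuine)

	out := map[string]error{}
	out["genuine"] = Verify(vendorPub, m, genuine, installed)                 // passes
	out["swapped payload"] = Verify(vendorPub, m, backdoored, installed)      // digest no longer matches
	forged := Release(attackerPriv, "10.01.177", backdoored)                  // re-signed with attacker's key
	out["forged manifest"] = Verify(vendorPub, forged, backdoored, installed) // wrong key
	old := Release(vendorPriv, "10.01.170", older)                            // genuinely signed, but old
	out["rollback"] = Verify(vendorPub, old, older, installed)
	return out
}

func main() {
	fmt.Println(Scenarios())
}
```

A check like this stops an attacker who controls only the distribution server: swapping the payload breaks the digest, re-signing needs the release key, and replaying an old but genuinely signed build is refused. It does nothing if the vendor's build or signing pipeline is itself compromised, which is why the signing key belongs on an offline host and why assessing the vendor, as described above, still matters.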
To reduce the risk from supply chain software, limit both the number of applications you use and the sources you install them from. Many compromised-software incidents involve widely distributed "freeware" or "trialware" applications. When a user installs a freeware application, other unwanted programs often download in the background. These Potentially Unwanted Programs (PUPs) are typically built for marketing and advertising purposes; usually they are just a nuisance, but occasionally they are far more sinister and damaging. The simplest way to stop users installing freeware is to give them standard, non-administrator accounts so that they cannot install software at all, combined with application allow-listing where practical. Web content filtering can also stop users visiting websites known to pose a high risk of malware.
Vigilance is an important part of cyber security. Make sure your organisation's IT policies and procedures are robust enough to identify and prevent supply chain attacks. Maintain a clear picture of every IT asset on your network, where data resides and who has access to it. Understand which systems are vulnerable and where threats are likely to come from, and impose suitable security measures; segregating vendor access from the rest of your systems is one example.
Vendor management and monitoring
Monitor your systems to identify any changes or suspicious activity on your network. Patch your systems for known vulnerabilities, and keep backups that are isolated from the network (offline media or immutable cloud storage) so that malware which reaches your servers cannot reach the backups too. Educate your staff about cyber security and data protection. Test the resilience of your security precautions. And finally, keep an eye on the media: be aware of the changing threat landscape and monitor your vendors' activity. After all, vendors and third parties were behind 60% of UK company data breaches last year [9].
The UK's National Cyber Security Centre (NCSC) sets out 12 principles of supply chain security to help organisations gain and keep control of their supply chain and mitigate the threat of attack [10]. Visit the NCSC website to learn more.