Cybercriminals are a clever bunch when it comes to attacking their targets. Previously it was comparatively easy to target a particular company: find its vulnerable assets (people or technology), build a customized attack, and launch it. More often than not the attack would succeed, and another notch would be added to the cybercriminal's belt.
However, times have changed, and boards have become increasingly cyber-savvy. Multi-million dollar budgets are being approved to ensure cybercriminals cannot breach a company's defenses. This is why attacks have moved on to another weak layer: the supply chain.
Why the supply chain is a dangerous blind spot
For most companies, the supply chain is the lifeline between them and their suppliers, covering the flow of goods, services, and software. A typical company's software supply chain has many dependencies and platforms that it does not control and that are purchased from external partners.
Any disruption or compromise of this supply chain has a domino effect on the entire business, which is something cybercriminals are well aware of.
We have already seen several major attacks, such as the following:
SolarWinds (2020) is one of the most significant cybersecurity breaches of the 21st century. It was devastating not because a single company was breached, but because the attackers inserted a backdoor into signed updates of the SolarWinds Orion platform, which were then downloaded by thousands of customers, including U.S. government agencies. That ripple effect makes it one of the largest supply chain attacks ever recorded.
CCleaner (2017) was a popular Windows cleanup tool whose build was compromised by attackers: a backdoored version of the installer, signed with a valid certificate, was distributed through the official download channel. Through this single supply chain compromise, cybercriminals infected millions of CCleaner users with malware, once again showing how effective the technique is.
Also in 2017, the NotPetya malware (presented as ransomware but effectively a destructive wiper) was spread by compromising the update server of M.E.Doc, a Ukrainian accounting software package, so that the malicious payload was pushed to the vendor's customers as a routine update.
These attacks show no sign of slowing down, and recent industry reports predict that attacks on the software supply chain will only increase in 2023.
Cybercriminals love supply chain attacks for two reasons:
Suppliers are often less well protected than their customers and so are more susceptible to compromise.
Suppliers generally serve more than one customer, so the blast radius of a single compromise is much larger: one intrusion at the supplier can reach many downstream environments simultaneously.
Supply chain risk management is the answer.
Supply chains can be a tricky beast to secure, given that companies do not control the security posture of their suppliers. However, that does not mean the risk cannot be mitigated, and the best way to do so is through a dedicated supplier cyber risk management program.
At a broad level, the following steps should be carried out:
Identify your critical suppliers, i.e., those whose security posture has a direct impact on your environment, and carry out a detailed risk assessment of each. Does the supplier have remote access to your network? Does it provide a critical software library or push software updates into your environment?
Implement countermeasures to mitigate these risks.
Create a supplier security risk questionnaire that must be completed and formally signed off before any new supplier is onboarded.
Carry these activities out periodically, not as a one-off exercise.
The good news is that these activities do not have to be built from scratch: several best-practice frameworks already exist. NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, provides excellent guidance on the critical practices to follow. It should be used as a starting point by companies serious about implementing a robust risk management program, and then customized to fit your own practices.
Supply chain attacks are here to stay, and every company, regardless of size, should assess the risk in its environment to see how exposed it is before an attack happens. Make sure this is part of your cybersecurity strategy going forward.