As fast as cybersecurity evolves, forward-thinking malicious actors are unfortunately keeping up, developing increasingly insidious ways of gaining access to organisations’ systems and compromising their operations from the inside.
Supply chain attacks are not a new threat, but they are a rapidly growing concern. Rather than attempting to infiltrate organisations and businesses one at a time via phishing, cybercriminals can gain access to the sensitive data and assets of many victims in one fell swoop.
What are supply chain attacks?
A supply chain is the system of resources that provides a product or service – here, software or hardware. Most organisations rely on third-party vendors for this technology: they neither control the product or service nor produce it in-house, yet they need it to deliver their own business. Cloud computing companies are a prime example.
Supply chain attacks are a particularly crafty form of cyberattack in which malicious actors take advantage of the trust and partnership between an organisation and its third-party vendor. Rather than trying to infiltrate the company through the tried-and-tested method of suspicious email links, attackers focus on slipping malicious code or components into the software or hardware provided by the outside partner.
This malicious code lies dormant and hidden until the trusted application is installed or updated. Because the vendor’s digital signature marks the software as authentic, the compromised release is accepted, and once it has been installed and granted permissions across the networked systems, the malicious code is positioned to reach restricted and sensitive data and assets across all of the vendor’s clients.
In a recent study, the European Union Agency for Cybersecurity (ENISA) estimated that 66% of attacks focus on the supplier’s code and 62% exploit customers’ trust in their supplier. By inserting a single piece of malicious code into one piece of software, attackers are positioned to steal from, or ransom, dozens or even hundreds of the vendor’s clients.
One of the biggest recent supply chain attacks was carried out early last year against about 18,000 customers of the networking tools vendor SolarWinds. The malicious actors – believed to be Russia’s Cozy Bear – gained access to US government and other systems through a compromised update to SolarWinds’ Orion software.
Security rating firm BitSight estimated that the SolarWinds supply chain attack would cost cyber insurers up to $90 million, as the government agencies involved had not invested in cyber insurance. Commercial software isn’t the only target of supply chain attacks, however; malicious actors are also using this method against open-source software projects.
Sonatype’s 2020 State of the Software Supply Chain Report stated that 90% of all applications contain open-source code and 11% have known vulnerabilities. The issue with open-source code is that most of it is free, which means the security surrounding it is not strong. Malicious actors exploit this by embedding their own malicious code in it, which then affects anyone who adopts that open-source code.
Protecting your organisation from supply chain attacks
While no method can make an organisation invulnerable to supply chain attacks, every business and organisation can take steps to mitigate the risk of cyberattack.
Check adherence regularly
Even trusted third-party vendors should be scrutinised regularly, based on the access their software or hardware needs and on what data they will be able to reach once it is installed or updated. Your vendors should be prioritising security – if they lack defences to keep their network or products secure, not only they but all their customers are left vulnerable.
Limit your data access
The fewer people who can access your data, the slimmer the chance of infiltration. An access audit is one way to determine who has access and what they can do with your data.
Educate your employees
Quite simply, the more up to date your staff are on security matters such as company policy or social engineering attack methods, the more aware they will be of potential risks.
Use honeytokens
Honeytokens are tripwire-like alerts that warn of malicious activity among sensitive data. Highly recommended by ENISA, they act as decoy IT resources that appear sensitive; no legitimate process ever uses them, so when cybercriminals attempt to exploit them, the attempt alerts you to the malicious activity.
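One way to implement such a tripwire, as an added example that is not part of the original article: a decoy API key is generated and planted where only an intruder would find it, and a monitor scans access logs for any use of it. The log line format and the HTK_ key prefix are constructed assumptions.

```python
"""Honeytoken tripwire (added example, not from the original article).
A decoy API key is planted where no legitimate process uses it, so any
request presenting it is a high-confidence alert. The log format and the
'HTK_' key prefix are constructed assumptions."""
import hmac
import re
import secrets

def make_honeytoken(prefix: str = "HTK") -> str:
    """Create a decoy key that looks real but is granted no permissions."""
    return f"{prefix}_{secrets.token_hex(16)}"

# Constructed access-log format: "<timestamp> <source-ip> key=<key> action=<action>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) key=(?P<key>\S+) action=(?P<action>\S+)$")

def scan_logs(lines, honeytokens):
    """Return one alert dict per log line that presents a honeytoken.
    Malformed lines are skipped; the comparison is constant-time so a monitor
    fed attacker-controlled input does not leak which decoys exist."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        for tok in honeytokens:
            if hmac.compare_digest(m["key"], tok):
                alerts.append({
                    "time": m["ts"],
                    "source": m["src"],
                    "action": m["action"],
                    "token": tok[:8] + "...",  # never write the full decoy to alerts
                })
    return alerts

# Constructed sample: one planted decoy key and one legitimate key.
DECOY_KEY = "HTK_0123456789abcdef0123456789abcdef"
REAL_KEY = "HTK_ffffffffffffffffffffffffffffffff"
SAMPLE_LOGS = [
    f"2024-05-01T09:00:00Z 10.0.0.5 key={REAL_KEY} action=list_buckets",
    f"2024-05-01T09:02:13Z 10.0.0.5 key={DECOY_KEY} action=get_object",
    "corrupted line with no fields",
    f"2024-05-01T09:02:14Z 203.0.113.7 key={DECOY_KEY} action=list_buckets",
]

def demo():
    """Run the tripwire over the constructed logs; two alerts are expected."""
    return scan_logs(SAMPLE_LOGS, {DECOY_KEY})
```

The legitimate key produces no alert; both uses of the decoy do, including the one from an unfamiliar source address, which is what makes a honeytoken alert worth paging on.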
Implement Identity and Access Management (IAM)
With an IAM system in place, you’ll be able to manage multiple privileged accounts and their access rights from a single interface.
Protect yourself with the experts…
The risk is very real: ENISA estimated that four times as many supply chain attacks would be carried out in 2021 as in 2020. Protecting your business against potential cybercrime threats should be one of your top priorities – but it is tricky to handle alone while you’re also concerned with actually running your business.
Consult with the IT security experts at NetworkIQ today to discover more about risk management and how they can help to protect your organisation against security vulnerabilities.