A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. With more vendors and service providers handling sensitive data than ever before, this has dramatically changed the attack surface of the average enterprise over the past few years.
Attackers hunt for unsecured network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes. When technology is developed and published by trusted suppliers, these apps and updates are signed and approved.
56% of organizations have had a breach that was caused by one of their vendors.
35% of companies had a list of all the third parties they were sharing sensitive information with.
-- Source: Ponemon Institute 2018 survey
Supply chain attack examples
Supply chain attacks are a growing threat to developers and distributors of software. The goal is to access source codes, build processes, or upgrade systems by infecting legitimate malware into delivery devices. In 2014 Target had a massive breach. It started with stealing the credentials of Target‘s HVAC vendor, Fazio Mechanical Services. According to KresonSecurity, which first broke the story of the breach, the attackers infected the vendor with general purpose malware known as Citadel through an email phishing campaign.
In June 2015, the hack of the Office of Personnel Management (OPM) was a major wake-up call for the federal government, and a range of measures were initiated in its wake to strengthen the cybersecurity stance of the government. In the fall of 2015, the Government Accountability Office (GAO) conducted its first assessment under the Federal IT Acquisition Reform Act, which covers cybersecurity as well as other areas of IT. Out of 24 agencies, none received an A, two received Bs, five got Cs, 14 got Ds and three agencies — the Department of Education, the Department of Energy and NASA — received failing grades.
Then there were the Paradise Papers, over 13 million files detailing offshore tax avoidance by major corporations, politicians, and celebrities. The source? Like last year's Panama Papers, it was a law firm that was the weakest link.
Scope of supply chain attacks
A survey conducted by the Ponemon Institute, just 18 percent of companies say they knew whether those vendors shared that information with other suppliers in exchange. This is a problem because consumers don't know if it was the supplier of the product that lost the information, not the business itself.
Organizations are now paying more attention to third-party risk for these reasons. In December 2018, the Ponemon Institute Cyber Threat Report found that the second biggest security concern for 2019 among IT professionals with 64 percent of the count was abuse or unauthorized sharing of confidential data by third parties. Forty-one percent said in the past 24 months they had third-party accidents.
Next year, Europe will do the same, with its General Data Protection Regulation (GDPR), that applies to all companies that collect personal information from Europeans. GDPR fines are steep — up to 4 percent of total global revenues. Third-party risk regulations are still in their early stages, and many companies don't have a good handle on these risks, says Peter Galvin, VP of strategy and marketing at Thales e-Security. “Financial firms are used to these, and are much more prepared,” he added. “But many companies don't understand the risks, and you're going to see an increase in breaches, and you're going to see more legal action.”
Experts expect that more regulators will start requiring companies to do more about third-party risk than they do today. “It's been a continued trend that we've seen,” says Eric Dieterich, data privacy practice leader at Focal Point Data Risk, LLC.
Hidden in the hardware and software supply chain
Nearly every business outsources their software and hardware needs. Due to a surge in the open source market, no one is creating all of their software from scratch. This approach may come with a considerable risk. Each computer purchased, each software installed must be reviewed and monitored for potential security threats, and all updates must be up-to-date.
In April, researchers at Flashpoint Intelligence said criminals were stepping up attacks against the popular open source Magento ecommerce platform, brute-forcing passwords in order to parse credit card records and install malware focused on cryptomining.
The researchers found at least 1,000 compromised Magento admin panels and said interest in the platform itself has continued unabated since 2016 on the dark web. Powerfront CMS and OpenCart also have a noted interest.
Not only is the company's own data at risk, but if the faulty software or hardware component is embedded in a product, it can lead to more security issues down the line. Widespread damage can be caused by a computer chip infected with a backdoor protection, a camera without good encryption, or a bad code element. The Heartbleed bug, for example, affected millions of websites and mobile devices as well as software by many major vendors including Oracle, VMware and Cisco. Most organizations have quality standards that must be adhered to by suppliers. Cisco is using the same approach for security.
Professional services firms may be even less secure
The weakest link in your system can become a major security flaw. Supply chain attacks are becoming more common and growing in complexity and intensity. By understanding the nature of the threats organizations can build a plan to secure around it.
Deep Root Analytics, a small marketing firm used by the Republican National Committee, leaked the personal data of 200 million voters, it was reported that they had accidentally put the data on a publicly accessible server.
Poorly secured S3 systems bit Verizon in the rear not once but two times last year with a pair of high-profile data exposures. The Verizon breach, which affected six million customer records, was triggered by Nice Systems, a customer service software company. Nice Systems placed log information from customer service calls on a publicly accessible S3 server. Before Verizon the benefit of the doubt for the actions of a partner, another S3 incident a few months later hit even closer to home. This time, an engineer within Verizon set up a rogue--and insecure--S3 account that contained a mother-lode of proprietary technical information
At Synoval, we realize that in cybersecurity change is constant, but we are driven by a steadfast goal - to make businesses around the world more secure.