Unfortunately, supply chain attacks are on the rise. The European Union Agency for Cybersecurity this year predicted a four-fold increase over the next year. This is because malicious actors have realized they can cause great damage to organizations that have a good security posture by coming in through their back door unnoticed.
The IT supply chain
In a general sense, a supply chain is a system of resources involved in supplying a product or service. When it comes to the technology used to deliver this product or service, businesses rely on third-party software vendors. This can be any kind of software that they don’t have control over, that is not developed in-house, but that they need to acquire and use to deliver their service or product to their customers or clients.
Threat actors have turned to targeting third-party software vendors. When organizations install these third-party applications, or run a software update or a patch for them, they grant permissions to the application. They give the application access to sensitive data and critical digital assets.
Rather than waste their time trying to infiltrate potentially lucrative organizations or government agencies that have a good security posture, cyber criminals have become smarter. By targeting third-party software vendors who don’t, or can’t, invest the same resources into cybersecurity as larger organizations, they are able to exploit the trust between an organization and a third-party vendor. By employing this strategy, called a supply chain attack, malicious actors can then infiltrate many organizations, extorting them all for what they are worth.
How supply chain attacks work
When an organization installs a vendor’s software, the software arrives with a trusted digital signature. That signature acts like a stamp of approval, because the software is familiar to the organization. Little does the organization know that hiding within the vendor’s software is malicious code, injected earlier by malicious actors without the vendor’s knowledge. Supply chain attacks are how malicious actors gain access to otherwise secure organizations.
Whether it is a fresh installation of vendor software or an update, this legitimate process is what gives the malicious code access to restricted parts of the organization’s IT system. This route in is known as an attack vector. Later, possibly weeks later, the malicious actors can activate that code remotely.
Because this code has the same access privileges as the vendor’s software, it will have access to whatever data or whatever part of the IT infrastructure the vendor’s software does. The malicious actor, with access to the organization’s network and data, can perform various attacks such as a mass ransomware attack. The attack can be something even more sinister than this. Many malicious actors try to do their dirty work quietly, stealing without being noticed.
There are other ways malicious actors can infiltrate through the IT supply chain. One is through open-source code.
Open-source code is packaged programming code developed with the intention of distributing it for free. These code packages can be modified, enhanced, or included in and built upon by other software so that developers do not have to reinvent the wheel.
Most applications today include some form of open-source code. Because open-source code is free, it often has little security oversight around it. Malicious actors are already working hard to compromise open-source code.
The second way is via a foreign threat. In China, for example, the government has strict control over its citizens and companies. Since a lot of software originates from China or other countries where software development is low-cost, this adds another layer of supply chain attack risk for organizations.
Protecting organizations from supply chain threats
The best way organizations can protect themselves from supply chain attacks and other cyber-attacks is to ensure every third-party vendor they use complies with strict cybersecurity standards.
Adherence should be checked regularly. Trusted vendors should be scrutinized based on the access their software needs and the data their software will have access to. The more sensitive the data, the more scrutiny required.
Each third-party assessment should be unique to the software being installed, and it should be conducted by a security expert. Third-party software that has not been checked should not be allowed to be installed.
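One way to turn the rule that unchecked third-party software must not be installed into an enforceable gate, as an added example that is not part of the original article: a Python check that refuses an artifact unless its hash matches the build a reviewer examined, the review is recent, and the access it requests stays within what was approved. The register contents, artifact name, installer bytes and 180-day review interval are constructed for illustration.

```python
import hashlib
from datetime import date

# Constructed sample data: a stand-in for the installer bytes a reviewer examined.
SAMPLE_INSTALLER = b"stand-in for vendor-agent-2.4.1 installer bytes (constructed)"

# Hypothetical review register: one entry per third-party artifact a security
# reviewer has assessed, recording the SHA-256 of the exact bytes reviewed, the
# data stores the software was approved to reach, and the review date.
# Anything absent from this register counts as "unchecked".
REVIEW_REGISTER = {
    "vendor-agent-2.4.1": {
        "sha256": hashlib.sha256(SAMPLE_INSTALLER).hexdigest(),
        "approved_access": {"inventory-db"},
        "last_reviewed": date(2024, 1, 10),
    },
}
MAX_REVIEW_AGE_DAYS = 180  # assumed interval; adherence is re-checked regularly

def install_decision(name, artifact, requested_access, register, today):
    """Return (allowed, reason) for installing `artifact` under `name`."""
    entry = register.get(name)
    if entry is None:
        return False, "not reviewed: no entry in the review register"
    # The vendor's signature only says who shipped the file; the hash pins the
    # install to the very bytes a reviewer looked at, so a tampered build or
    # update shipped under the same name is refused.
    actual = hashlib.sha256(artifact).hexdigest()
    if actual != entry["sha256"]:
        return False, "hash mismatch: artifact differs from the reviewed build"
    age_days = (today - entry["last_reviewed"]).days
    if age_days > MAX_REVIEW_AGE_DAYS:
        return False, f"review is {age_days} days old; re-assessment required"
    excess = set(requested_access) - entry["approved_access"]
    if excess:
        return False, f"requests access beyond approval: {sorted(excess)}"
    return True, "approved build, recent review, access within scope"

def demo():
    """Run the gate over four constructed scenarios; returns the allowed flags."""
    fresh, stale = date(2024, 3, 1), date(2024, 9, 1)
    return [
        install_decision("vendor-agent-2.4.1", SAMPLE_INSTALLER, ["inventory-db"], REVIEW_REGISTER, fresh)[0],
        install_decision("vendor-agent-2.4.1", SAMPLE_INSTALLER + b"\x00", ["inventory-db"], REVIEW_REGISTER, fresh)[0],
        install_decision("vendor-agent-2.4.1", SAMPLE_INSTALLER, ["inventory-db", "hr-db"], REVIEW_REGISTER, fresh)[0],
        install_decision("vendor-agent-2.4.1", SAMPLE_INSTALLER, ["inventory-db"], REVIEW_REGISTER, stale)[0],
    ]

if __name__ == "__main__":
    print(demo())  # [True, False, False, False]
```

The second scenario is the supply-chain case from the section above: the same trusted name arriving through the normal install path, but with bytes that differ from the reviewed build.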
Two-factor authentication should also be used by the vendor as this provides another hurdle malicious actors need to jump over to gain access.
Supply chain attacks are an escalating threat that can severely hurt a business’s reputation. Once attacked, some businesses never recover.
If you’d like to know more about risk management, security vulnerabilities, and the supply chain risk in your business, talk to the experts at Merit Technologies today.