Supply-chain weak links are the entry point du jour for bad actors. CERT-UK suggests ways to lessen your organization's threat risk.
Defending against cyberattacks is a complex, thankless, and never-ending job. The past year in cybersecurity has shown just how complex defending a company's digital assets has become.
One area under intense scrutiny is supply-chain security, and for a good reason. Many if not all of last year's successful data breaches began with attackers compromising a portion of the victim company's supply chain. That fact was not lost on members of CERT-UK who, after researching the subject, published their findings in the paper Cyber-security risks in the supply chain (PDF). "For any modern organization, physical supply-chain management already presents numerous complex challenges in understanding exposure to risk," mentions the paper's introduction. "The added complexity of cybersecurity risks only amplifies this, regardless of their position within a supply chain."
What is a supply chain?
If there is one thing lacking in the paper it is a definition of supply chain. For our purposes, let's use this Investopedia definition: "The network created amongst different companies producing, handling and/or distributing a specific product. Specifically, the supply chain encompasses the steps it takes to get goods or services from the supplier to the customer."
Investopedia cautions not to confuse supply chain with logistics. "In general, logistics refers to the distribution process within the company, whereas the supply chain includes multiple companies such as suppliers, manufacturers, and the retailers."
Physical vs. digital components of the supply chain
The paper then states most organizations have the physical portion of the company's supply chain under control -- risks are identified and removed or reduced by the responsible manager. However, when a process has both physical and digital components, the cybersecurity portion is often overlooked. The authors suggest this creates a false sense of security. Even though a company's cyber defenses may be the best in the industry, they are vulnerable due to one or more weak links in the supply chain.
The weakest link is always the one attacked
Somewhat stating the obvious, the paper suggests that attackers will patiently probe a company's supply chain looking for the weakest link. That said, the paper also points out something not so obvious: Smaller companies are the most likely to have less than adequate cybersecurity. Verizon's 2014 Data Breach Investigation Report (PDF) notes that an inordinate number of smaller businesses within a supply chain fall victim to cyberattacks. A case in point is the HVAC company used as the entry point for Target's data breach.
Supply-chain compromise examples
One of the most interesting topics covered by the paper was the discussion of several real-life examples.
Add a trojan to Industrial Control System (ICS) software
A cyber-espionage group compromised web servers that clients used to obtain ICS software. In so doing the attackers were able to replace legitimate software files with ones containing malware, which were ultimately downloaded by client companies.
The paper explains that compromised software is very difficult to detect if it has been altered at the source, as the target company has no reason to suspect its legitimacy.
Compromise legitimate sites via a website developer
Attackers were able to distribute malware to thousands of unsuspecting people. The attacker's first step was to compromise a design agency's website-building software. The attackers then installed a redirect script that sent victims to malicious websites owned by the attackers. At that time, malware was downloaded and installed on the victim's computers while they were browsing what they thought was the official website.
Economy of effort being the advantage of this attack, the paper mentions, "Rather than compromising a number of legitimate sites individually, the attack targeted the core script of a website template designed by the creative and digital agency."
Suggestions to reduce the effect from a compromised supply chain
The amount of control a company has over its supply chain is dependent of the company's clout; therefore, a large enterprise will have more sway than a startup. The CERT-UK authors offer the following suggestions that should help lessen an organization's risk from supply-chain exploitation, help create ways to share threat intelligence, and pave the way for a coordinated response.
- Follow your procurement processes with an emphasis on cybersecurity risks.
- Conduct thorough due diligence for new suppliers, accounting for their cybersecurity competence.
- Consider contractual clauses focused on security, stipulating responsibility for any compromise or data breach and contractually mandate that security clauses apply to sub-contractor(s) in the supply chain.
- Challenge your suppliers to practice and develop collaborative processes for reacting to compromises or data breaches.
- Conduct regular information-assurance sessions to identify weak links.
The paper's authors offer this final bit of advice, "While there are multiple technical solutions and a number of common standards that can help to mitigate these risks, improving relationships amongst members of the supply chain is also important for improving cyber-security within the supply chain."
- Security and Privacy: New Challenges (ZDNet/TechRepublic special feature)
- How analytics can improve supply chain agility (ZDNet)
- Anatomy of the Target data breach: Missed opportunities and lessons learned (ZDNet)
- Using the cloud to reduce your global risk
Disclaimer: TechRepublic and ZDNet are CBS Interactive properties.