Sunday, 15 January 2023

Supply chain security threats

At one time, the only worry organizations had about their supply chain was a mixture of physical attacks, damage in transit, or the supplier going out of business. While those, and associated threats haven’t gone away, the focus now is on cyber threats because hackers are using ‘back doors’ in the digital supply chain to attack other companies.

Hackers are breaking into the servers of smaller supplier companies and using that as a route to access the larger organizations downstream that are receiving products from the smaller company. Clearly, this kind of attack takes place over an extended period of time and is quite sophisticated.

Part of the problem is that suppliers and businesses often work closely together, which means their computer networks are closely linked giving access to each other’s systems in order to share data as quickly as possible between the two (or more) organizations. And that’s why there was such a dramatic rise is supply chain attacks in 2022.

There are plenty of examples of these kinds of attack. I’m sure most people remember the SolarWinds attack in 2020, where the Sunburst back door was injected into the Orion IT update tool that was downloaded by thousands of customers. In 2021, Mimecast was attacked. Hackers compromised a security certificate used to authenticate Mimecast’s services on Microsoft 365 Exchange Web Services. Also in 2021, Alex Birsan, a security researcher accessed Apple, Microsoft, Tesla, and Uber networks. He exploited dependencies that applications use to provide services to end-users. Using these dependencies, he sent counterfeit (but harmless) data packets to high-profile users.

As those examples show, supply chain attacks can be performed using different techniques. Hackers try to compromise software coming from an organization. They are looking to steal certificates that would otherwise vouch for a company’s products. They install malware on hardware devices that are then connected to their targets’ devices. And hackers may add malicious code to the firmware on devices.

Are organizations worried about their supply chains being attacked by hackers? The answer is seemingly not! The UK’s National Cyber Security Centre reports that the DCMS 2022 Security Breaches Survey found that as few as just over one in ten businesses review the risks posed by their immediate suppliers (13%), and the proportion for the wider supply chain is half that figure (7%).

So, what can you do about your supply chain security? Firstly, it’s important to recognize that it is not simply an IT issue. Everyone who is involved in the supply chain process needs to understand the importance of data security. All the usual security training – such as watching for phishing attacks, not opening untrusted PDFs, etc – needs to be refreshed. And, of course, it’s not just members of staff at your own company, but also people working for your organization’s suppliers that need training. In addition, it’s important that C-level staff recognize the importance and the immediacy of the problem, and buy-in to the idea of resolving it.

One problem many organizations experience is shadow IT. This isn’t a problem with mainframes, but often other departments may use cloud services that aren’t known to IT. The results of these cloud services can end up being routed into mainframes along with any malware that might be attached. This is more often a problem upstream with suppliers, and it is a way that suppliers’ IT systems can be hacked.

Using zero trust architecture is a great start (if sites aren’t doing so already). Basically, you assume that you are under attack and trust no-one. If any user is doing anything unusual, then an alert should be sent to the security team. If anyone is logging in from an unusual location (like a distant country), an alert should be sent. The security team needs to be able to lockout the user if necessary and quarantine any data or applications that have been accessed.

Network traffic needs to be monitored to see whether a surprising amount of data is being transferred at usually quiet times. This could be a sign that customer data has been copied and is being sent to the hackers for them to use or sell on.

Insider threats are as much a worry for supply chain attacks as they are for any other kind of data breach.

Make sure your data is being backed up and that backups are not being modified by the hackers. This is a common technique to stop organizations from restoring encrypted data from backups.

Keep a whitelist of applications that are allowed to run, and which ones are allowed to modify infrastructure-level files, eg parmlib. Hackers make changes to infrastructure, and this can often go unnoticed unless integrity monitoring software is installed and used on the mainframe.

Use security software to really lockdown access to sensitive data. Too often, when new people start working at an organization, they are given duplicate access to a colleague doing a similar job. As they move through the organization, additional security access levels are too often simply added on to what they have already. This can lead to some people having quite a range of access that they don’t need. This is a risk and needs to be reviewed.

It's possible to model the entire supply chain using digital twin software, which can then be used to simulate different risk scenarios to the supply chain, and these risks can be remediated.

Recent research shows that supply chain cyber attacks are on the increase, but too few organizations are seemingly yet aware of the issue and taking steps to reduce their risk of attack. If you’re one of those organizations, then 2023 is the year to take appropriate steps to ensure that your company is still in business in 2024!

 

No comments: