It is easy to think that cyber-attacks are likely to come from outsiders unconnected to the business, but how much do you know about the security of your digital supply chain?

Software Supply Chain Risks

Businesses use many different third-party software tools in their day-to-day operations, and public-sector organisations in particular may run systems and networks closely tied to a few main suppliers with bespoke software. Software supply chains are part of an organisation's wider information and communications technology (ICT) supply chain: a network of retailers, distributors and suppliers, each a link in the chain that produces, sells and delivers software, managed services and hardware, and each a point at which risk can enter. As a recent NIST (US) white paper highlights, vulnerabilities can be introduced, maliciously or inadvertently, at every phase of the ICT supply chain lifecycle: design, development and production, distribution, acquisition and deployment, maintenance, and disposal. Three properties of third-party software make it a particular threat to business and organisational security: it often runs with privileged access, it is frequently deployed with the vendor's defaults accepted without further investigation, and it often needs frequent communication with the vendor's infrastructure to fetch updates, which adds further access vectors.

As defences have improved around the more common attack surfaces (which organisations have consequently learned to defend well), cyber-criminals have turned to a softer target with easier access: the software supply chain. It is a difficult area for businesses to monitor and defend because much of it rests on trust in vendors, and the more third-party software a business uses from different sources, and the more links there are in the chain, the more risk it carries.

How?

One way a supply chain is exploited is for attackers to write malicious code, or introduce a malicious component, into a company's trusted software (or hardware). If they can do this at the point where the software is built or packaged, every update the company ships to its customers becomes a trojan horse: it is distributed and installed through the normal, trusted update channel. This can give the criminals control over the supplier's customer networks, potentially affecting thousands of victims.

Survey

Some of the challenges that companies face in tackling the issue are highlighted in a BlueVoyant survey from 2020: 80 percent of the Chief Information Officers and Chief Information Security Officers (CIOs and CISOs) surveyed said they had experienced a breach originating with a third-party vendor in the past year. Almost one-third of security professionals (29%) said they had no way of knowing if a cyber risk emerged in a third-party vendor, fewer than a quarter (22.5%) said they actively monitor their entire supply chain, and almost one third (32%) said they typically reassess and report a vendor's cyber-security risk position only twice a year or less frequently.

Examples

High profile examples of supply chain attacks include:

– SolarWinds. In 2020, US-based IT management company SolarWinds Corp was infiltrated by a foreign threat actor who compromised the company's build environment and used its update process to reach customer networks. Because the malicious code was inserted during the build, SolarWinds unwittingly shipped it to customers inside legitimately signed updates to its Orion network monitoring software. This was one of the largest and most sophisticated supply chain attacks to date: up to 18,000 Orion customers are thought to have downloaded the backdoored update, although the attackers followed up on only a small subset of them.

– In 2017, suspicions in the US that Kaspersky antivirus could be used by a foreign intelligence service for espionage led the US government to require federal agencies to remove Kaspersky products from their networks and to bar them from acquiring that vendor's products in future.

– Also in 2017, the NotPetya attack delivered a destructive data-encryption payload through a poisoned update to a legitimate piece of accounting software used by most of Ukraine's financial and government institutions. Because the malware arrived via a trusted update channel and then spread laterally inside networks, rather than arriving over the internet, it bypassed the perimeter defences put in place to stop ransomware.

Reducing The Risk of Software Supply Chain Attacks

Although the situation is a challenging one for many businesses and organisations, there are measures that can be taken to reduce the risk of attacks, breaches and other security and network issues caused via the software supply chain.  These include:

– Implementing a formal risk management program that assesses every third-party supplier against set criteria: whether the third party really needs access to the organisation's data or systems, what level of access it has, and how critical it is to business processes. This lets CISOs and CIOs identify and prioritise the suppliers that pose the highest risk and need the most scrutiny and controls.

– Putting a patching policy and regime in place so that software updates are applied as soon as possible, denying criminals old, known loopholes. Security-related updates should first be tested in a controlled environment before being rolled out across the company network.

– Adopting a zero-trust approach and architecture: rather than granting broad access on the basis of trust, every request is verified, so a compromised supplier or product cannot escalate quickly across the network.

– Using more holistic, forward-thinking and data-driven strategies to stay informed about the security readiness of vendor partners, rather than reassessing them only once or twice a year.

– Sticking to proven security fundamentals: investing in security programs, conducting regular risk assessments and prioritising the issues they highlight, devising a plan, hiring the right staff, and using trusted, evidence-based tools.
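The trojanised-update mechanism described under "How?" above, and the update-verification step a patching regime should include before any rollout, as an added worked example (not code from the original page or from any vendor named in it). It simulates a vendor release in Go: a build, a manifest signed with the vendor's Ed25519 release key, and the customer's check against a pinned copy of that key before installing. All names, the fixed demo signing seed, the toy build step and the "beaconToC2" marker are constructed stand-ins; the rebuild-and-compare check is an assumed extra control beyond what the page lists, added to show what a valid signature does and does not prove:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-ins for a vendor's source tree and for injected code.
const cleanSource = "func main() { monitorNetwork() }"
const injectedCode = "\nfunc init() { beaconToC2() }" // hypothetical backdoor

// buildArtifact stands in for the vendor's build server: source in, release
// artifact out. Whoever can alter this output before signing wins.
func buildArtifact(source string) []byte {
	return []byte("RELEASE-BUILD\n" + source)
}

// Manifest is published with an update: version, SHA-256 of the artifact,
// and an Ed25519 signature over both made with the vendor's release key.
type Manifest struct {
	Version string
	Digest  [32]byte
	Sig     []byte
}

func (m Manifest) signedBytes() []byte {
	return append([]byte(m.Version+"\n"), m.Digest[:]...)
}

type vendor struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// newVendor uses a fixed demo seed so the example is deterministic; a real
// release key lives in an HSM or signing service, never in source.
func newVendor() vendor {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return vendor{pub: priv.Public().(ed25519.PublicKey), priv: priv}
}

// release signs whatever the build produced; signing does not inspect it.
func (v vendor) release(version string, artifact []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(artifact)}
	m.Sig = ed25519.Sign(v.priv, m.signedBytes())
	return m
}

// VerifyUpdate is the customer-side check before installing: the manifest must
// verify under the pinned vendor key and the download must hash to its digest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, artifact []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), m.Sig) {
		return errors.New("manifest signature invalid: wrong key or edited manifest")
	}
	if sha256.Sum256(artifact) != m.Digest {
		return errors.New("artifact digest mismatch: modified after signing")
	}
	return nil
}

// Result is what the checks conclude; Backdoored is ground truth for the demo.
type Result struct {
	VerifyErr    error
	Reproducible bool
	Backdoored   bool
}

// assess runs signature/digest verification plus an assumed extra control:
// rebuilding the reviewed source independently and comparing the bytes.
func assess(v vendor, m Manifest, artifact []byte) Result {
	return Result{
		VerifyErr:    VerifyUpdate(v.pub, m, artifact),
		Reproducible: bytes.Equal(artifact, buildArtifact(cleanSource)),
		Backdoored:   bytes.Contains(artifact, []byte("beaconToC2")),
	}
}

// CleanRelease: nobody interfered, so every check passes.
func CleanRelease() Result {
	v := newVendor()
	art := buildArtifact(cleanSource)
	return assess(v, v.release("1.0.0", art), art)
}

// TamperedInTransit: the artifact is altered on a download server after the
// vendor signed it. The signed digest no longer matches, so it is rejected.
func TamperedInTransit() Result {
	v := newVendor()
	art := buildArtifact(cleanSource)
	m := v.release("1.0.0", art)
	return assess(v, m, append(art, []byte(injectedCode)...))
}

// TamperedInBuild: the attacker alters the build output before signing (the
// SolarWinds pattern). The vendor signs a backdoored artifact, so signature
// and digest checks pass; only the rebuild comparison notices.
func TamperedInBuild() Result {
	v := newVendor()
	art := buildArtifact(cleanSource + injectedCode)
	return assess(v, v.release("1.0.0", art), art)
}

func main() {
	for name, r := range map[string]Result{"clean release": CleanRelease(),
		"tampered in transit": TamperedInTransit(), "tampered in build": TamperedInBuild()} {
		fmt.Printf("%-20s verify=%v reproducible=%v backdoored=%v\n", name, r.VerifyErr, r.Reproducible, r.Backdoored)
	}
}
```

Run it with `go run`; the third scenario is the one to notice. The backdoored build carries a perfectly valid vendor signature, which is why customers' signature checks passed in the SolarWinds case. Signature and digest verification catch tampering after signing (a poisoned mirror or download), but not compromise of the vendor's own build, which is why the page's advice to assess supplier risk and to test updates in a controlled environment before rollout still matters.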

What Does This Mean For Your Business?

Previous high-profile attacks such as SolarWinds have highlighted the interconnected vulnerabilities of business software and digital supply chains. Businesses face two challenges: first, getting an overall view of where the risks and threats could come from (through an audit and regular risk assessments), and second, implementing an approach (e.g. zero trust), tools and procedures that mitigate those risks in a cost-effective and operationally friendly way. Criminal interference leading to successful supply chain attacks has been shown to occur at any point from the development of software, through distribution, right through to disposal. This means that all businesses and organisations, private and public sector alike, need to take a close interest in the security profile of their suppliers as well as their own organisations.