[BreachExchange] Understanding Supply Chain Cyber Attacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 19 20:03:35 EST 2018


While the attack surface has increased exponentially because of the cloud
and everything-as-a-service providers, there are still ways in which host
companies can harden supply chain security.

Today's cybersecurity landscape has changed dramatically due to
digitalization and interconnectivity. While the benefits of each push
businesses toward adoption, security risks associated with
interconnectivity between networks and systems raise major concerns.
Everything-as-a-service removes traditional security borders and opens the
door to new cyber attacks that organizations might not be prepared to
recognize or even deal with.

Getting products into the hands of the final consumer now depends on
systems that handle, distribute, and process goods through a complex network
of suppliers and services. These supply chains are what cybercriminals try
to exploit, because third-party suppliers usually have some level of access
to their customers' networks. Combined with a growing software stack that is
integrated with critical internal infrastructure, this widens the attack
surface threat actors can use to get past perimeter defenses.

Trust Is Often Exploited
The relationship between humans and technology is far from perfect. Cloud
services can interact with each other in ways their operators did not
anticipate, and the people who configure and use them make mistakes of their
own. The combination produces exposures that are hard to foresee and harder
to enumerate.

The cloud has become an integral part of digital businesses, but weak
authorization, authentication, and accountability around cloud and
third-party services is one of the gaps that supply chain attacks exploit.
Growing reliance on these services should push organizations to reassess
their external audit programs and due diligence processes on a regular
cycle, both to surface security blind spots and to shorten incident
response times.

Unfortunately, the past few years have brought a series of supply chain
attacks in which millions of customers had personal and private data
exposed because of blind spots in current supply chain security. The Target
breach, in which roughly 41 million customer payment card records were
exposed after attackers used network credentials issued to a third-party
HVAC contractor, has become the standard case study for supply chain attacks
that leverage third-party access into critical infrastructure.

Arguably the biggest recent supply chain blunder is the GoldenEye ransomware
incident of June 2017 (also tracked as NotPetya), which rode a tainted
update to M.E.Doc, an accounting platform widely used by companies in
Ukraine. The attackers compromised the vendor's update server and pushed a
trojanized build through the legitimate update channel; because clients
trusted whatever that server delivered, the malware spread across
organizations running the platform.

Supply chain attacks have even reached the average user: in 2015 a tampered
copy of Apple's Xcode IDE, distributed through unofficial download sites,
injected malicious code into every app built with it. Developers using the
tainted toolchain unknowingly shipped applications bundled with malware that
could harvest device and user data and take commands from an
attacker-controlled server. Dubbed XcodeGhost, this attack shows that threat
actors can reach organizations and their customers by targeting developers'
tools rather than the organizations themselves.

Because complex infrastructures are hard for IT operations to maintain by
hand, automated tools that can be deployed remotely across the estate are
vital to keeping the supply chain productive. Unfortunately, these tools,
although legitimate, can also be turned into attack vectors that bypass
standard security controls. In 2017 CCleaner, a popular free system-cleaning
utility, was tampered with before release: the malicious build carried the
vendor's valid code-signing certificate, so signature checks alone did not
flag it, and a second-stage payload was delivered only to selected
technology and telecommunications companies. Because IT operations widely
deploy the tool, an estimated 2.27 million systems ran the backdoored
version.
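The two incidents above share a mechanism: a trusted distribution channel delivered a modified binary, and clients ran it because nothing independent of that channel vouched for the bytes. The Go program below is an added example, not code from the article or from any product named in it; it shows the check an update client should perform before installing anything. The release system signs a manifest (the JSON layout, product name, version and sample payload bytes are constructed assumptions for this example) with an Ed25519 key that never lives on the update server, and the client pins the publisher's public key, verifies the manifest signature, then verifies the payload hash against the signed manifest. The scenario then plays an attacker with write access to the update server: swapping the payload fails the hash check, and rewriting the manifest to match the swapped payload fails the signature check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata an update server publishes next to the payload.
// The format is an assumption for this example; the article names no protocol.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the payload bytes
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrBadManifest  = errors.New("signed manifest is not valid JSON")
	ErrHashMismatch = errors.New("payload hash does not match the signed manifest")
)

// signManifest is the publisher side. It runs on the release system, which
// holds the private key; the update server only ever sees the signed output.
func signManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// verifyUpdate is the client side. pinnedPub ships inside the installed
// product; manifestBody, sig and payload all arrive over the untrusted
// update channel and are accepted only if every check holds.
func verifyUpdate(pinnedPub ed25519.PublicKey, manifestBody, sig, payload []byte) (Manifest, error) {
	var m Manifest
	// Verify before parsing: never interpret bytes the publisher did not sign.
	if !ed25519.Verify(pinnedPub, manifestBody, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(manifestBody, &m); err != nil {
		return m, ErrBadManifest
	}
	// Bind the payload to the signed manifest by hash.
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrHashMismatch
	}
	return m, nil
}

// scenario exercises the verifier against a genuine release and two things an
// attacker with write access to the update server could do: swap the payload,
// or rewrite the manifest so its hash matches the swapped payload.
func scenario() (genuine, swappedPayload, rewrittenManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample bytes standing in for a real installer.
	payload := []byte("constructed sample installer, build 2.1.0")
	sum := sha256.Sum256(payload)
	m := Manifest{Product: "ExampleAccounting", Version: "2.1.0", SHA256: hex.EncodeToString(sum[:])}
	body, sig, err := signManifest(priv, m)
	if err != nil {
		panic(err)
	}

	// Genuine release: signature and hash both hold.
	_, genuine = verifyUpdate(pub, body, sig, payload)

	// Attacker replaces the binary on the server but cannot re-sign the manifest.
	backdoored := []byte("constructed backdoored installer")
	_, swappedPayload = verifyUpdate(pub, body, sig, backdoored)

	// Attacker also rewrites the manifest to carry the backdoored hash; the
	// old signature no longer covers these bytes.
	badSum := sha256.Sum256(backdoored)
	forged := m
	forged.SHA256 = hex.EncodeToString(badSum[:])
	forgedBody, _ := json.Marshal(forged)
	_, rewrittenManifest = verifyUpdate(pub, forgedBody, sig, backdoored)
	return
}

func main() {
	genuine, swapped, rewritten := scenario()
	fmt.Println("genuine update:     ", genuine)
	fmt.Println("swapped payload:    ", swapped)
	fmt.Println("rewritten manifest: ", rewritten)
}
```

The caveat comes from the CCleaner case: this check defends against a compromised distribution server, not a compromised build or signing environment. If attackers can get their code into the build before it is signed, a valid signature tells the client only that the publisher's pipeline produced those bytes, so signing has to be paired with controls over the build pipeline itself.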

Managing Supply Chain Risks
Host organizations must now extend their security procedures beyond
internal infrastructure to vendors, customers, and even partners. While
internal IT and security departments may have strong practices for
thwarting direct attacks, third-party collaborators might not share the
same culture. Consequently, vendor vetting programs need to be in place
before a vendor is integrated into internal infrastructure.

Building a vendor management program should start by identifying the
vendors that matter most: those with access to sensitive data or internal
networks, and those the business cannot operate without. Building the
program around that risk ranking ensures that vendors are evaluated and
reassessed on a schedule proportional to their risk, and that their policies
stay consistent with the host organization's.

Besides requiring vendors to provide timely notification of any internal
security incident, periodic security reports should be included in the
collaboration guidelines to regularly ascertain their security status.
Because security is a dynamic and ongoing process, these procedures should
be constantly updated and audited in accordance with best practices and the
host company's security requirements.

Continually reviewing technology, people, and processes, both internally and
at suppliers, removes the easy openings that supply chain attacks exploit
and that could prove devastating for both the host organization and the
supplier. The review should cover everything from employees joining the
organization and new technologies being integrated with existing systems to
internal incident response processes and the implementation of security
best practices.

The Security Perimeter Is Borderless
Strong perimeter defenses are no longer enough; security teams must accept
that digitalization has eroded the network border. And while the attack
surface has grown sharply as a result, there are still ways in which host
companies can harden supply chain security, even if that only means
establishing new procedures.

The borderless perimeter that follows naturally from
infrastructure-as-a-service shows that security models must change to cope
with the new threat landscape. As noted above, ongoing assessment is vital
to building and maintaining a strong security posture, but it is only one
of the controls needed to harden defenses. Because critical data now lives
across systems the organization does not fully own, organizations must also
have strict authorization, authentication, and accounting mechanisms for
securing that data and controlling who has access to it.

However, the deployment of security controls specifically designed for
physical, virtual, locally deployed, or in-the-cloud infrastructures is
also important. It's crucial for digital businesses and large organizations
to implement a layered security approach customized to their risk profile,
if they are to fully and successfully leverage the benefits of