Are You the Weak Link in a Supply Chain Attack?

Are you the weak link that could lead to a massive cybersecurity breach that could lead to millions of dollars in fines for a company?

Are you the weak link that could lead to a massive cybersecurity breach that could lead to millions of dollars in fines for a company?

Doesn’t seem to be a real possibility, right?

But the truth is, each of us has the potential to be a gateway to major breaches for our employers, our customers, clients, and suppliers.

Or you may not be the direct link - it could be something you trusted to be safe, only it wasn’t.

In fact the weak link that leads to a compromised security system may not originate from you. It could be as a result of a supply chain attack from your third-party partners and suppliers.

Here’s how to plan for it and what you can do now to protect yourself and your business.

Understanding your digital supply chain

As a business owner, your company is a part of a supply chain.

What is a Supply Chain?

If you operate in the B2B space, you’re a part of the supply chain for the companies that engage you for your products or services. Companies that provide you with your inputs are part of the supply chain to your business.

So, as you can see, it’s all an interlinked interaction of various supply chains supporting different businesses and customers. That means from large companies to smaller entities, we are all linked to each other, even vital organisations.

Now, at the highest level, systems are quite likely to be heavily defended. But, as you go further down in the supply chain, the security systems might not be as intricate as smaller companies may not realise how they’re linked to critical businesses and therefore don’t have – or can’t afford – as robust security systems.

This leaves them – us as individuals – open to supply chain attacks, because there are risks hidden inside your hardware and software supply chain.

What is a supply chain attack?

As primary targets engage more sophisticated cyber security coutermeasures, hackers have resorted to supply chain attacks to breach their boundary.

Those updates you automatically install from your trusted suppliers? They can be compromised without the supplier knowing until weeks after.

For example, in the US in 2017, Target has indicated a massive breach with millions of customers’ personal data compromised. But the hack did not occur directly through them. It was via their HVAC supplier, a third-party vendor to their operations.

A more recent supply chain example involved the US Department of Homeland Security. The DHS was breached when a code was embedded in updates of its third-party software provided by SolarWinds Corp.

As you can pick up from the example above, a supply chain attack is a situation whereby hackers gain access to compromise a target by exploiting a related third-party. So, the hackers use the third-party system to distribute malicious code along a trusted line to the actual target user.

So, SolarWinds Corp, wasn’t the target. They were the conduits to the ultimate goal.

For a similar situation closer to home consider the Shylock banking trojan which compromised Website Builders used by web developers and digital agencies. The hackers installed a redirect script on the legitimate websites through the website builders and redirected online visitors to a malicious domain where the Shylock malware was then installed on the systems of the persons viewing the websites.

Diagram Illustrating a Website Builder Supply Chain Attack

(Image source)

Examples of supply chain attacks

Here are three common ways in which supply chain attacks are carried out:

1. Injecting malicious code into third-party code libraries

Most applications contain a code library and other components created by a third party. Hackers can insert malicious code into these third-party components which are then used for other applications by unsuspecting developers. (Consider the Website Builder supply chain attack above).

2. Hijacking software or server updates

As seen in the SolarWinds incident, the malicious code was inserted during routine updates from a trusted source. So, if update files are transmitted via an insecure channel, then they can be replaced with one that includes the malicious code.

3. Inserting malicious code into legitimate applications

This is where the software is compromised before it is released to the intended customers. Hackers will place malicious code before the application is completed.

The National Cyber Security Centre goes further into details about types of supply chain attacks to be aware of.

The reason these attacks work so well is that the third-party vendor is a trusted source. So, it’s easier for malicious software to bypass end-point protection in the process.

This then leads to the question …

How secure are your own communication systems?

A supply chain of attack can happen at any level and at any point in a supply chain.

Possible Point of Attack in a Supply Chain

(Image source)

This means you could be potentially compromised, as can your customers.

Hackers will use your point in the supply chain to go upstream or downstream in their quest to access their real target. And in doing so, your data will be compromised.

So, how can they get in?

Take your communication tools, for example. You might think that because the message platforms offer end-to-end encryption that your data is safe. But did you know that hackers can still scrape enough data to harm you?

There’s still a lot of information to be gained from the package of data that passes through if it carries, for example, your phone number and GPS location. Plus, where that information is stored on someone else’s server, hackers have all the time in the world to compromise it, and they don’t need to break into your Communications Provider - they ‘simply’ need to compromise a public library that is used in the build process.

A reason for concern

As the pandemic has forced more businesses to adopt digital measures and supply chains become digitalised to improve operational efficiencies, the potential for hacks increases.

And not just for your data, but for the data that you have access to because of whom your clients are.

As you engage in business communication across a variety of platforms, the possibilities increase for one or more of those channels to be compromised.

And on your personal devices, the other platforms you use for your personal activities could end up compromising your business activities.

Take, for example, social sharing networks and social media platforms. They promise end-to-end encryption of messages. But the packet data through which those messages are transmitted do leave information that can be compromised and the servers on which your messages are stored can be hacked.

Mitigating third-party supply chain cybersecurity risks in your business

The digital supply chain – especially where hardware and software are concerned – is susceptible to various cyber threats.

And many CISOs and IT managers have confessed to sacrificing cybersecurity to facilitate remote working. But with the regulations in place for data breaches, and potential fines of up to 4% of your business’s gross income, it’s not something to be taken lightly.

Meanwhile as many employees are in fact working remotely from their private devices, they may not have adequate systems in place to safeguard your company.

Now that you’ve had time to get your teams back up and running, it’s time to get back to taking care of the security side of things.

Because while you may be a small business in the supply chain of major corporations, you don’t want it said that your company is where a breach originated. Think about the reputational damage this could cause.

So, to get started, we suggest looking at how your company facilitates business communication.

None of us is too insignificant in a supply chain to not be of use to a hacker - and we certainly don’t want to be the weakest point so the focus of a hacker’s attention.

So, one popular trend for breaching systems is by hackers pretending to be a vendor or part of the company - called a social or phishing breach. If an email appears to be from a familiar name, you may not look too closely at the email origination. So, you need to verify that communication is coming from the expected party.

In instances like these, a safe and secure business communication system does come in handy. (Think Semafore by Attomus which not only encrypts communication data from end-to-end, but also protects your packet data in the transfer process.)

Can you eliminate the risks of supply chain attacks?

It’s difficult to eliminate the risks of supply chain attacks because the software or hardware in which they’d travel isn’t under your control.

But there are a few things you can do to help protect yourself as best as possible.

First of all, insist on certain security protocols with businesses in your supply chain. Take what security precautions you can.

You should protect your personal computers so that you don’t become the unwitting entry point for a supply chain attack. This can include installing quality security software that you keep up to date. You should also consistently back up your data and systems in case you fall victim to an attack, particularly a ransom attack, so you can move your systems back in time to before the compromise.

Also consider installing an advanced detection solution to try and identify and eliminate these types of attacks (HIDS/NIDS) anbd invest in secure communication channels for your business.

If you’d like to learn more about using Semafore for secure business communication and the other solutions you can use to protect yourself, get in touch. We’d be happy to walk you through them, assess your needs, and outline solutions that are best suited for your business and threat level.

Fancy reading something else - what takes your fancy?