How supply chains became the next big cyber-risk


In recent years, cyber security has seen a significant shift: trust, once steadfast, has dwindled. At first only outsiders were seen as a threat, but as applications multiplied, even insiders came to be distrusted.

The rise of insecure supply chains brought further distrust, prompting interest in zero trust. Managing external hackers, rogue insiders, and insecure supply chains presents challenges, with the latter proving especially difficult to remedy.

Supply chain attacks: service providers

At some point, cyber criminals noticed that organisations had become increasingly reliant on third parties. This was partly by design – outsourcing non-core functions was seen as financially efficient – but also the result of the spread of WAN networking which allowed services to be delivered remotely.

An early example of where this led was the infamous data breach affecting US retailer Target in 2013. Somehow, the attackers managed to steal the credentials used by a third-party heating and refrigeration service provider to access Target’s network, giving them a legitimate staging post from which to move deeper into its network.

The lesson? Just because you’ve secured your own user identities doesn’t mean your partners have done the same. This was a shock, but everyone resolved to stop taking third-party security on trust and moved on. Then things took another lurch downwards in 2017 when a Windows utility called CCleaner had malware inserted into it, which was then distributed to two million users.

Not a big deal for non-users perhaps, but a proof of concept that software supply chains were now a target. For attackers this was another light-bulb moment, which explains why there have been several huge supply chain attacks of a similar ilk since then, including more recently:

  • Malicious code was slipped into the SolarWinds Orion network monitoring tool used by countless thousands of companies around the world. Estimates of the number of companies affected range into the thousands, making this the most widespread single-incident compromise in history. Ironically, a possible contributor to the breach could have been the company’s own foreign supply chain.
  • A variation was the 2023 attack on customers of the MOVEit file transfer platform, believed to have compromised, to varying degrees, the data of up to several thousand organisations.
  • Repeated attacks on SSO provider Okta, which in October 2021 resulted in the compromise of support files relating to 134 of its customers. This led to attacks targeting major infrastructure providers Cloudflare, BeyondTrust, and 1Password.

A common feature of these incidents is that most of the providers involved were not well known, despite their software or services being widely used by businesses. That’s how supply chains work: today’s organisations depend on many suppliers like these and don’t stop to think about their security until something goes wrong. This crystallises the problem of modern business. It’s easy to say ‘Don’t trust your suppliers’, but that opens the door to a much more complicated world where nothing can be assumed and constant vigilance becomes necessary.


Development supply chains

Today’s software is constructed by development teams from multiple components, many written by third parties. A project might contain anything from a few dozen to hundreds of these dependencies. Any one of them can carry a vulnerability that criminals learn to target, including by manipulating repositories on public sites such as GitHub. Organisations are wide open to this. On the one hand, they don’t always know or remember which components they used in which programs. But even if they did, fixing the problem can be complex, assuming a fix is even available.

Can anything be done?

Clearly, organisations can no longer trust partners in the way they might have done in the past. One example of where this is leading is the way some organisations now assess the security of their partners before doing business with them, especially if they are technology suppliers. We covered this theme in a 2022 article on Shadow Compliance, which explored how organisations increasingly conduct paid but covert security checks on the public-facing side of a partner’s web presence. This is a particular concern for SMEs, which are the first targets of suspicion.

One mitigation is for organisations to risk-assess suppliers and partners more actively rather than taking what they say on trust, and to compile a software inventory so they know what’s inside their applications. However, many now believe organisations should go much further than this. If they can’t be sure about the vulnerabilities in third parties, the best insurance is to design their own network security to take account of that.
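As an added illustration of the software-inventory step (example code written for this page, not code from the article or from British Assessment Bureau), the following Python builds one component inventory across several applications from their dependency manifests and answers the question raised above: which of our programs contain a component named in an advisory? The application names, manifests and advisory identifiers are constructed placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed manifests for three hypothetical in-house applications (not real projects).
# requirements.txt-style and package-lock.json-style inputs are both covered so one
# inventory spans two ecosystems.
SAMPLE_MANIFESTS = {
    "billing-api": ("requirements.txt", "requests==2.25.1\nurllib3==1.26.4\nflask==2.0.1\n"),
    "customer-portal": ("package-lock.json", json.dumps({"packages": {
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/express": {"version": "4.18.2"}}})),
    "reporting-job": ("requirements.txt", "urllib3==1.26.4  # pinned\npandas==1.3.0\n"),
}
# Constructed advisory list: (name, ecosystem, affected version, id). Placeholders, not real CVEs.
ADVISORIES = [
    ("urllib3", "pypi", "1.26.4", "ADVISORY-PLACEHOLDER-1"),
    ("lodash", "npm", "4.17.15", "ADVISORY-PLACEHOLDER-2"),
]

def parse_requirements(text):
    """Yield (name, version) from pinned 'name==version' lines; comments and blanks skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            yield m.group(1).lower(), m.group(2)

def parse_package_lock(text):
    """Yield (name, version) from a lockfile v2/v3 'packages' map, including nested deps."""
    for path, meta in json.loads(text).get("packages", {}).items():
        if path.startswith("node_modules/"):
            yield path.rsplit("node_modules/", 1)[1], meta.get("version", "")

def build_inventory(manifests):
    """Map (ecosystem, name, version) -> set of programs shipping that component."""
    inventory = defaultdict(set)
    for program, (filename, text) in manifests.items():
        if filename == "requirements.txt":
            for name, ver in parse_requirements(text):
                inventory[("pypi", name, ver)].add(program)
        elif filename == "package-lock.json":
            for name, ver in parse_package_lock(text):
                inventory[("npm", name, ver)].add(program)
    return inventory

def affected_programs(inventory, advisories):
    """Answer the question the article raises: which of our programs contain this component?"""
    return {adv_id: sorted(inventory[(eco, name, ver)])
            for name, eco, ver, adv_id in advisories if inventory.get((eco, name, ver))}
```

Pointing the parsers at a real tree of manifests, and the advisory list at a real feed, turns this into the inventory lookup a team needs when a supplier component is reported vulnerable.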

This takes us back to the principles of zero trust, which sounds simple enough until you realise that this requires organisations to stop trusting anything, including their own resources. In practice, this means mandating multi-factor authentication across all accounts, locking down all privileges, and segmenting the network to make lateral movement more difficult.

From a risk management point of view, this is reasonable. Due diligence on partners and their more distant supply chains will only get you so far. In the end, organisations must prepare to be surprised by their own vulnerabilities. If you’re an SME, it is always best to get ahead of this issue and try to see your own network the way someone else might see it. Is there something you’d rather ignore because it’s difficult to patch, for example an out-of-date OS controlling a key piece of equipment? In security terms, your customers’ supply chain starts with that machine and how it might be exploited by attackers. Today’s networks are full of back doors, of which external supply chains are the hardest to counter. But it is always an organisation’s own internal weaknesses which enable attacks.


Written by Amtivo Admin