Posted 25 August, 2021 at 14:56
An often-forgotten element of cyber security is a company’s supply chain. The threat has been around for a while, but attackers are increasingly targeting your suppliers as a means of getting to you. Manufacturers, for instance, often use what is known as ‘just in time supply’, i.e. they have an electronic connection to their key suppliers, who are connected to the company’s inventory and automatically resupply when an item runs low. It’s efficient and prevents the holding of unnecessary stock. But, if not done correctly, it can drive a coach and horses through your security.
In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.
The goal of such an attack is to grab whatever you have that is of value to the attacker, so it can include infecting legitimate applications in order to distribute malware, accessing your IPR (designs, plans, source code, build processes, etc.), inventory theft, or inserting false invoicing into your system. In fact, if you can think of something that might damage your company, you can bet that the cyber criminals have already thought of it.
Many of you may have heard of the SolarWinds Orion data breach. Orion is a product that is in wide use by network engineers, and in fact, I’ve used it myself as it’s a great way of mapping a network that I’m looking at from a security perspective. For example, it can show all the points at which your supply chain connects to your network or, in reverse, where you connect to your customers’ networks. The breach not only demonstrated the devastating potential of supply chain attacks, but it also exposed concerning vulnerabilities in conventional defence methods that make such attacks possible.
So why would SMEs be of interest to these cyber criminals? Is the return on investment sufficiently high to warrant their efforts? In short, yes. SMEs are at greatest risk from cyber security threats simply because they generally can’t afford expensive cyber security staff or solutions and rely instead on technology often recommended and installed by those who, in turn, do not fully understand the threats, vulnerabilities and risks inherent in it. Their vulnerability in turn poses a danger to the major corporations that they do business with.
SMEs are often in the somewhat unique position of having disproportionate access to important information. They are often mission critical suppliers that produce niche products. They are protected by governmental regulations and requirements. However, as stated above, they generally have the weakest cybersecurity arrangements in terms of size, resources and expertise.
There are of course things that you can do to protect yourself and your clients. There are a number of technical defences that you can implement. The problem generally remains that SMEs have a tight budget and no internal resource to combat this issue. Therefore the advice and guidance they require is often lacking.
The first thing cyber attackers do after breaching a defence is move laterally throughout the ecosystem in search of privileged accounts. This is because privileged accounts are the only accounts that can access sensitive resources. When a privileged account is found, sensitive data access is attempted. This predictable attack sequence is known as the Privileged Pathway; it is the common attack trajectory followed by most cybercriminals. The trick is to disrupt an attacker’s progression along this pathway so that breach attempts, and therefore supply chain attacks, can be prevented.
That said, I have always been a great advocate that the biggest ‘quick win’ any company can achieve, at minimum cost, is staff awareness. Staff are the primary gateways to malicious code injections because they're usually tricked into permitting cybercriminals access into a system.
The most common form of trickery is scam emails (or phishing attacks). These emails seem like they're sent from trustworthy colleagues, but upon interacting with them, malicious code is activated and internal login details are stolen, which in turn could grant criminals access to a system, initiating the hunt for higher privileged accounts.
To prevent such incidents, all staff need to be educated about common cyberattack methods so that they can identify and report breach attempts, rather than falling victim to them.
There is so much more to this subject, and it is a matter for each company to assess how much of a problem they think this is to them. Understanding the threats to the business, how vulnerable you are to those threats, and therefore what risks you are taking and how severe they are, is key to every element of cyber security. SMEs remain vulnerable because they rarely have any in-house resource to understand those risks and take the right actions to mitigate them. Solutions need to be Affordable, Appropriate and Accreditable, the H2 triple A service.