Breaking The Chain: Are You The Unintended Victim Of A Supply Chain Attack?
This blog was originally published by Lookout.
Written by Hank Schless, Senior Manager, Security Solutions, Lookout.
We’ve heard a lot about “supply chains” in various industries over the past couple of years, and the cybersecurity sector is no exception. When Colonial Pipeline was compromised by ransomware, it affected the physical supply of gasoline to consumers. On the software side, malware distributed through a SolarWinds update and vulnerabilities discovered in Apache’s Log4j created rippling effects for organizations around the world.
The alarming part of any software supply chain attack is the domino effect it has. To better understand these attacks and how organizations can better protect themselves, I invited Vodafone security experts Andy Deacon and Verity Carter-Johnson to the Lookout podcast. In the episode, we defined what a supply chain is, what the intended and unintended consequences are and what legal ramifications exist for those who fall victim. To give you a preview, here are a couple of takeaways from our conversation:
At a high level, a software supply chain attack is when a threat actor compromises a piece of software that then trickles down to customers or other software that depends on it.
In the case of SolarWinds, malware was added to one of its products’ updates, which was then pushed out to the company’s customers and created backdoors. When highly exploitable vulnerabilities were found in Log4j, one of the most widely used logging libraries, they affected an uncountable number of applications and the companies that use them.
And because these compromises occur as indirect results of a breach or vulnerability, the exposure can last for years after the initial event before being discovered. As Andy mentioned during our conversation, even if you diligently update the software to the patched version, there’s a chance that you may have already been breached. Unless you look in the right places or stumble upon indicators of compromise in log files or command lines, it’s nearly impossible to know whether an attacker accessed your infrastructure.
In the episode, Verity reminded us that it’s no longer enough to know whether you’ve been affected by an attack. There are also significant legal and financial consequences on the line as a result of increased governmental scrutiny over cyber breaches.
For example, in January 2022, to mitigate the effects of Log4j on consumer data, the Federal Trade Commission (FTC) asked affected companies to quickly remediate the vulnerabilities or face severe penalties. Such actions can often take the form of significant fines, as seen in 2019 when Equifax paid $700 million to settle with the FTC.
These consequences can be especially devastating to smaller businesses, which have fewer resources to handle security events and are increasingly caught in the crosshairs of software supply chain attacks. But given that legal fines can be scaled up based on revenue, the financial burden can be a huge issue for any organization regardless of size.
When it comes to protecting your organization against supply chain attacks, both Verity and Andy agreed that adhering to basic security best practices for your employees, devices and vendors is a good starting point.
Ensure your employees understand how to protect themselves with a couple of simple steps, such as setting passwords with symbols and numbers and turning on multi-factor authentication. In addition, ensure that you have dedicated security solutions in place for all your endpoints. This is especially important since employees are increasingly using unmanaged devices and working from locations you don’t have control over.
Another important precaution is to evaluate the deals and contracts you have with third parties. Whether it's the software you purchase or the deals you have with large enterprises and government organizations, they could make you an inadvertent target of a supply chain attack.
You also need to evaluate the security posture of your own organization. The National Cyber Security Center has great resources for small businesses on how you should respond to known security vulnerabilities.
There were many more insights I got from my conversation with Andy and Verity, so please make sure you listen to the episode.