The first two articles in our 3-part series covered what supply chains are, how they can impact an organization, and what supply chain attacks look like. Keep reading for our final article in the series on how to prevent a supply chain attack. You’ll learn how to protect your organization and avoid becoming the source of a supply chain attack.
If you missed the first part of this series, you can find it here. Part two is located here.
How do I protect against this?
We previously explored a few of the ways that a supply chain can make your organization vulnerable to attack. Next, we must look at how each of these attacks can be thwarted. After all, you want to protect your organization. You want to be more cyber secure!
Social Engineering
Start by building a strong security culture that is resilient against many different types of attacks. This relies on senior leadership embracing cyber security as a business enabler rather than a roadblock.
We’ve all heard of the gift card scam. An email that impersonates someone in a leadership role, often the C-suite, asks an employee to purchase gift cards. The ruse often relies on a non-corporate email address, and it frequently claims that the sender is emailing from a personal account for some reason.
Senior leadership must lead by example – never communicate anything related to the business through personal email accounts. If your employees know that you would never email them from a Gmail address, they’ll know something is suspicious.
Some of the most difficult attacks to defend against involve tricking an employee. Train your employees to be vigilant. Encourage them to ask questions and report suspicious behaviour. This is the single most effective way to defeat these social engineering attacks or ruses.
Vulnerabilities, Hacking, and Technical Defenses
Vulnerabilities
There is always a vulnerability in software.
This might sound a bit paranoid, but it serves as a very important baseline assumption. Any system can be vulnerable, and you must plan for a failure or breach. The old adage “The only things in life that are certain are death and taxes” needs an update – breaches are a certainty.
Design for Failure
Compromises and breaches happen to even the most diligent and well-defended organizations. All it takes is one inadvertent click. Your employees don’t even need to be tricked; one accidental click is enough to begin the compromise of a system. This doesn’t mean you shouldn’t train your people. You can’t assume the game is lost before stepping onto the field. If you approach the defense of your organization with the assumption that you will experience a breach, you can begin to better protect your assets.
By limiting the access of information to only those who need it, you can reduce the impact that a compromised employee account has on an organization.
Limit Access
Known as the Principle of Least Privilege, limiting access to the minimum needed to fulfill a role or purpose can dramatically reduce the impact of an attack.
Restrict where vendors can connect to your systems. Doing so limits the damage from a compromise to just the systems they need access to. If your HVAC vendor needs to remotely monitor the systems they installed, they must absolutely be able to access those systems. Ensure that if your vendor’s systems are compromised, an attacker will be unable to damage the HVAC equipment at your facility. Their access should not permit changes, and if they must be able to make changes, only someone physically present should be able to exceed standard operating thresholds.
More important than a secure design of the management solution, you must protect your organization from an attacker within your vendor’s network. A common way to connect vendors that need to maintain equipment to that equipment is with a Virtual Private Network (VPN), connecting their internal network to your internal network. While this is the easiest solution to deploy, it has a critical flaw. VPNs have no built-in protection mechanisms. A VPN does not know if the information crossing it is safe or malicious. A VPN is simply a conduit between organizations.
Often, a firewall is used to limit what specific applications can be used to connect across a VPN. While it does reduce the exposure of your internal systems to this vendor, it does not sufficiently protect your organization. It is important to remember that any data can be an attack, and that all systems can be compromised. Without belabouring the point, stick with me for one more trip down the rabbit hole.
What If…
Imagine that the HVAC vendor’s equipment had a flaw in the software. Could that allow it to be exploited to provide full access to the computer or equipment? Now, through your vendor’s network, past your firewall, and into this equipment, an attacker has pivoted into your internal network and can do as they please. Prevent attacks by properly isolating the equipment the vendor has access to into a segment of your network that has no way to access the internal systems. After all, for what reason does the HVAC system need to access your internal corporate servers? Retail giant Target found this out the hard way in 2013.
By assuming that all data can be an attack, and that all systems can be compromised, you are able to design your systems to be resilient against these attacks. You can ensure that a breach becomes a minor annoyance rather than a complete, organization-wide incident that threatens the ongoing viability of the organization.
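As an added illustration of the isolation the What If section argues for (example configuration written for this article, not from the article itself or any vendor), the nftables ruleset below forwards only the vendor’s monitoring traffic to the HVAC controllers and drops everything else in both directions. The interface names, addresses, and the choice of BACnet/IP as the monitoring protocol are assumptions.

```nftables
#!/usr/sbin/nft -f
# Assumed addressing (not from the article):
#   vpn0  / 10.90.0.0/24  - vendor side of the site-to-site VPN
#   hvac0 / 10.50.10.0/24 - HVAC / building-automation segment
#   corp0 / 10.10.0.0/16  - internal corporate network
# The weak setting the article warns about is a VPN that simply joins the
# vendor network to the internal network. Here the HVAC segment sits behind
# its own forwarding policy: one monitoring flow in, nothing out to corporate.

flush ruleset

table inet vendor_seg {
    # Controllers the vendor is contracted to monitor (assumed addresses).
    set hvac_controllers {
        type ipv4_addr
        elements = { 10.50.10.21, 10.50.10.22 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Vendor VPN -> named HVAC controllers only, on the assumed
        # BACnet/IP monitoring port. A firewall cannot tell a read from a
        # write on this port; the "no changes" rule from the article has to
        # be enforced on the controllers themselves.
        iifname "vpn0" oifname "hvac0" ip saddr 10.90.0.0/24 ip daddr @hvac_controllers udp dport 47808 accept

        # The vendor never reaches corporate, and the HVAC segment never
        # initiates toward corporate or back out the VPN, so a compromised
        # controller cannot become a pivot point. Log so the attempts are seen.
        iifname "vpn0"  oifname "corp0" log prefix "VENDOR->CORP DROP " drop
        iifname "hvac0" oifname "corp0" log prefix "HVAC->CORP DROP "   drop
        iifname "hvac0" oifname "vpn0"  log prefix "HVAC->VPN DROP "    drop

        # Anything else arriving from these two segments is logged and dropped.
        iifname { "vpn0", "hvac0" } log prefix "SEG DEFAULT DROP " drop
    }
}
```

The logged drop prefixes give your SOC a direct signal when a vendor or a controller tries to reach somewhere it never should.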
Wait, I’m in someone else’s supply chain?
You may have realized by now that your organization is part of another company’s supply chain. Nearly every organization will be part of a supply chain – if we tied every customer/vendor relationship on the planet together, we would find that, albeit through many links, we are all connected.
Let that sink in for a moment.
From the biggest multinational corporations to the solo entrepreneur, we are all connected. We are all part of a global supply chain that loops around the planet, links back into itself in places, and carries on endlessly. As much fun as it would be to play connect the dots to see how you connect back to the International Space Station’s supply chain, that isn’t the point.
Do Your Part
Remember, you want your suppliers to take measures to protect themselves by designing secure systems and implementing reliable controls to minimize the risk that they pose to you. You must place the same expectation on yourself and your organization. Secure system design is a must. Harden your organization’s assets and make your processes resilient against attack. Ask for, and provide, only as much access to your customers as you require to provide your products or services.
You will be part of many of your customers’ supply chains, and you certainly must take steps to ensure that you are protecting yourself from your customers. It is imperative that you ensure that your customers are protected from your systems.
Think like an attacker thinks – how can I gain the most access to complete my goals? It won’t matter whether those goals are financial, ideological, or political. An organization may supply many companies, some of which may have proponents and detractors that wish they would cease operations.
If you are a supplier to one or more of these companies, you may be targeted as a way to achieve access to the end target. It is incumbent upon you to consider not just your business, but the business of those you have relationships with, to understand where in the supply chain you exist and how that might place your organization in an attacker’s cross-hairs.
How can I not be a pivot point?
Protect your organization from becoming a pivot point to gain access to other organizations. By implementing a security-first approach to building your supply chain, you can protect your customers and suppliers.
First and foremost, you must empower and train your employees to spot attacks and understand that they are an integral part of your organization’s defenses. Help them understand that they are not defending with shield and spear; they are sentries. More eyes looking for the enemy make it difficult for an attacker to perform their tricks and accomplish their missions.
With employees being ever vigilant, you can plan for the inevitable attacks that will come. Design your infrastructure with controls that limit the spread of damage. By ensuring that systems reachable from outside your company’s network already reside within a Demilitarized Zone (DMZ), you can prevent an attacker who successfully penetrates one of them from pivoting into your internal systems. Doing this stops the attackers from gaining further access and using your trusted systems to compromise one of your other suppliers, or one of your customers.
By limiting access to information, providing employees and suppliers with only the minimum amount of information and access required to complete their tasks, you can further segment your organization to limit the damage caused by a successful breach.
By combining the Principle of Least Privilege, eliminating external connections to internal resources, and empowering your users, you can build a strong security posture to prevent your organization from being part of a supply chain attack.
Work together!
How can you ensure your supply chain is as secure as possible?
Don’t assume contracts are the answer or that legal obligations will protect your organization. After all, if you are breached by an attacker coming from a supplier’s systems, their organization may be too damaged to continue, let alone provide for financial compensation.
It is also unwise to rely on those same contractual protections to defend you against legal actions that arise from an attack that originated in your systems. While you may expect that a contract protects you from lawsuits, your organization’s reputation may suffer irreparable harm.
Finally, don’t rely on insurance as a panacea. While comprehensive insurance policies will offer some support to recover from a breach, many insurance policies have exceptions. At the same time, insurance may cover some of the costs associated with the breach, such as credit monitoring for customers. Your organization’s insurance policy may cover the exact scenario you find yourself in, but without being able to illustrate due care and due diligence, you may find your coverage is void.
So how can you work to keep your supply chain safe and secure?
Take a collaborative approach to securing your supply chain. Work with your suppliers and customers to understand the needs that everyone has. If you do this, you will build a resilient supply chain that protects both sides of the relationship.
Ask questions of your suppliers and customers. Understand the needs and risks.
Don’t be afraid to ask “why”.
The supply chain is only as strong as its weakest link.
Focus on securing your supply chain to demonstrate to your customers and suppliers that you take cyber security seriously. By doing so, you can improve your supply chain leading to benefits throughout your organization. These changes will improve the overall security posture of your business.
Your supply chain is only as strong as its weakest link.