Written By: Jonathan Arena, CISSP, ITIL, CSM
President & Founder of White Clay Technology
Why target one company when you can target one company with access to hundreds?
Attacks through your supply chain and other trusted vendors/suppliers are on the rise. There has been a 42% increase in the number of supply chain attacks over the past year and that number is rapidly increasing as cyber criminals have recognized the benefit of the “economies of scale” of hacking one company to gain access to many. They inflict maximum damage with minimal effort.
Anyone in your supply chain can be targeted. Really, anyone you do business with who has legitimate access to your data or corporate network can be a gateway to a cyber attack against you.
These vendors can be (but are certainly not limited to):
– IT Service Providers
– Cloud, Hosting, & SaaS Providers
– Software Developers
– Marketing Firms
– Critical Infrastructure Monitoring
– Credit Card Providers / Point of Sale Merchant Services Vendors
Like most cyber attacks in recent memory, many supply chain hacks start with some form of social engineering, such as phishing, that enables the attacker to gain an initial foothold on a network. This can be the supply chain vendor’s network or possibly one of their clients’ networks. Other methods, such as vulnerable software, zero-day exploits and weak password protections, are also commonly used.
From there, the cyber criminals like to explore their newly acquired access. Most cyber criminals are in a computer network for over 140 days before being discovered. This gives them plenty of time to learn what the business does, how it makes money, where the core files are and how they are going to exploit the business.
In the case of a supply chain hack, the vendor access can be an accidental find on the part of the cyber criminals. In these cases, they typically compromise one of the clients in the supply chain network, then, while poking around, discover the supply chain relationships, then find a way to gain access into the vendor’s network, and go from there.
Some recent examples of high-profile breaches involving supply chains include:
Kaseya (2021): This is a tool used by IT managed service providers to log into your computers to perform maintenance and troubleshooting tasks. They and their clients were the target of a large ransomware attack over the July 4 weekend this year.
SolarWinds (2020): At the very end of 2020, SolarWinds announced that they were the victims of a cyber attack. SolarWinds monitors IT systems for large enterprises and government divisions. The significance of this cyber attack was its scope and who it impacted. The SolarWinds attack impacted numerous government divisions, including the US Treasury and Department of Commerce, but also many Fortune 500 firms (several of which were publicly listed on SolarWinds’ website up until this incident) and FireEye, ironically one of the best cyber security remediation firms in the world.
Target (2014): Target and Home Depot both made the news due to a supply chain hack. The cyber criminals in this case gained access into their point of sale credit card systems by way of a small HVAC vendor of theirs and got away with almost 100 million credit cards.
Understanding what your vendors do to protect your business is a must-do step.
As a client, you must ask the questions that will ensure your protection. The first thing you need to do is identify who your vendors and suppliers are, and what access they have to your data and/or systems. Then ask each of them the following:
Data includes, without limitation, names, addresses, telephone numbers, e-mail addresses, social security numbers, credit card numbers, purchase information, product and service usage information, account information, credit information, demographic information, and any other personally identifiable information.
– Do you maintain a written information security program in compliance with all applicable laws and regulations to ensure the confidentiality, security & privacy of our data?
– Do you restrict access to only users with need-to-know access?
– Do you secure your passwords? Do you have unique accounts for all users? Do you use multi-factor authentication in all places?
– Do you encrypt your data at rest, and in transit on all devices with potential access to the data?
– Do you regularly update (patch) your computers, the applications on them, and all other network devices on a monthly interval?
– Do you run a vulnerability scan on your network to look for new risks on a regular basis?
– Do you have a written and practiced incident management plan?
– Do you have a vendor risk assessment policy similar to this one for any vendors you onboard?
– Do you have a breach notification process and plan in place, and do you constantly monitor for any attempted unauthorized access?
But…I’m the vendor. What do I do?
If YOU are the vendor, you need to ensure you are doing everything you can to protect your end clients’ data and your access into their systems, lest YOUR breach becomes THEIR breach.
Like insurance carriers, many larger organizations, such as enterprise companies and government agencies, are increasingly mandating their own requirements that vendors must meet to do business with them. If you don’t comply, they won’t do business with you.
Proactively taking these steps will immediately put you in a better position with your existing clients and future prospects.
Can you help?
Firms like White Clay Technology (https://www.whiteclaytechnology.com/) can perform a cyber security gap and risk assessment to identify your level of maturity and the next best steps for you to take to minimize your risk of becoming a casualty of a cyber attack. The assessment also gives your clients and prospects confidence that you are taking the necessary steps to protect their systems and data.
For more information on White Clay Technology, please visit us at https://www.whiteclaytechnology.com
Jonathan Arena is a recognized technology and cyber security expert. He has spent 25 years in the managed service provider segment of the IT industry, serving Fortune 500 clients and small business clients alike. He is the President and Founder of White Clay Technology and RealTechPros. Jonathan is also a Technology, Cyber Security and Data Privacy professor at Wilmington University in Delaware.
Jonathan has served on multiple academic boards including the Cyber Security boards for the University of Delaware, Rutgers University and Ithaca College, as well as the Wilmington University Technology Course Advisory Board.
Jonathan is CISSP, ITIL and CSM certified and holds a bachelor’s degree from Wilmington University. Jonathan was named a “2016 Delaware Achiever & Innovator Under 40” by the Delaware Business Times.