How to Protect Enterprises Against the Growing Menace of Supply Chain Attacks

essidsolutions

As enterprises take strict measures to protect their core and perimeter, hackers are looking for a back door. Vulnerabilities in your IT supply chain can be exploited to circumvent the regular security protocols, checks, and balances you would otherwise rely on to block unauthorized access. Research suggests that supply chain attacks are a growing menace for enterprises, with 92% of U.S. CISOs having experienced one in the last twelve months.

Even if you clamp down on access controls, data exchange, and risk exposure within the enterprise, it can be challenging to maintain the same level of vigilance across your larger supply chain ecosystem, given the constantly growing number of IT suppliers and the accelerated pace of digital transformation.

That’s why it is so important to assess your landscape for supply chain vulnerabilities and adopt prevention measures. 

Understanding the 3 Key Types of Supply Chain Attacks

Supply chain attacks can take place in three ways. First, vulnerabilities might lie in the hardware components you use, where the manufacturer inadvertently overlooks a product flaw. A good example is the Super Micro incident from 2018, when the California-based OEM with plants in China allegedly allowed rogue microchips to be introduced during the manufacturing of computer server motherboards.

Second, vulnerabilities can creep in through firmware updates. Typically, updates are pushed via a manufacturer’s servers or website and signed using digital certificates. An attacker who compromises that server can modify the official firmware and upload malicious files in its place. That’s exactly what happened when Asus rolled out a firmware patch through its Live Update Utility in 2019, infecting nearly a million devices with a trojan.
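One defensive check that does not depend on the update server being honest is to pin the expected digest of each release out of band and refuse anything that does not match, is unknown, or would roll the device back. The following is an added example, not code from the article or from any vendor; the manifest, sample payloads, and version strings are constructed, and in practice the expected digests would come from a vendor advisory obtained through a channel separate from the download itself.

```python
"""Verify a vendor update against an out-of-band pinned manifest (added example)."""
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def version_tuple(version: str) -> Tuple[int, ...]:
    # "2.1.0" -> (2, 1, 0); non-numeric parts are treated as 0 (assumption for this example)
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def verify_update(version: str, payload: bytes, installed_version: str,
                  manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason). All three checks must pass before install."""
    expected = manifest.get(version)
    if expected is None:
        # A release the defender never recorded is treated as untrusted, signed or not.
        return False, "version not in pinned manifest"
    if version_tuple(version) <= version_tuple(installed_version):
        # Refuse downgrades and replays of an already-installed build.
        return False, "downgrade or replay rejected"
    actual = sha256_hex(payload)
    if not hmac.compare_digest(actual, expected):
        # The file served by the update channel differs from what the advisory published.
        return False, "digest mismatch: update file does not match pinned manifest"
    return True, "ok"


# Constructed sample data: a "good" update and a tampered copy of it.
GOOD_UPDATE = b"constructed firmware image v2.1.0"
TAMPERED_UPDATE = GOOD_UPDATE + b"\x90\x90 constructed extra bytes"

# Constructed manifest; in real use the digest is copied from the vendor advisory,
# not computed from the downloaded file.
PINNED_MANIFEST: Dict[str, str] = {"2.1.0": sha256_hex(GOOD_UPDATE)}

if __name__ == "__main__":
    for label, data in (("good", GOOD_UPDATE), ("tampered", TAMPERED_UPDATE)):
        print(label, verify_update("2.1.0", data, "2.0.3", PINNED_MANIFEST))
```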

Finally, the software provided by third-party partners could contain vulnerabilities – a massive risk in a SaaS-dominated world. Here the hacker attacks the compiler responsible for creating an executable from the third-party software, injecting malware into the executable. The recent SolarWinds attack is an example of this type: a compromised build server monitored the compilation process and, when it detected a certain condition, automatically replaced some of the original source code with malicious code.


6 Ways to Prevent Supply Chain Attacks

What makes supply chain attacks so insidious is that they originate from a trusted provider, who might be unaware of the vulnerabilities or of its own compromised state. Also, one provider serves multiple enterprises, which multiplies the overall risk.

Let’s look at some of the steps you could take to preempt and prevent supply chain attacks. 

1. Investigate every link on the supply chain

An IT product, whether hardware or software, can pass through several stakeholders on its way from the manufacturer to the end user. An OEM, for instance, might import components from a wide cross-section of suppliers, who in turn outsource manufacturing to different global locations. The same applies to software vendors, who employ consultants and remote teams and often use open-source code. Trace your product components back through the multiple links of the supply chain and investigate vulnerabilities at every link.

2. Adopt iterative testing practices 

Vendor/product testing and assessment should not be a one-off process. Test every new batch, update, fix, or version of the product that your supplier provides against stringent security review criteria. Create a sandboxed test environment that parallels your actual production environment so you can trial-run every iteration of the product in a real-world scenario and confirm that it has not been compromised in any way. This also ensures that the impact of a compromise, if any, is limited to the sandbox.

3. Carefully inspect the product bill of materials 

When dealing with third-party providers, it is important to know what ingredients are in the cake. A hardware company’s physical bill of materials can reveal whether anything extra has been added to cover up a potential vulnerability or to hide a potentially rogue component. All software (including firmware) must be inspected at the source code level, even if it seems like a rigorous and time-consuming process. For government agencies, source code security reviews are a must-have, as a supply chain attack could bring citizen services to a standstill and threaten national security. If the source code is not available, you can decompile the executables to check for malicious routines.
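For software, the "bill of materials" is typically an SBOM, and the practical review step is to diff each delivered SBOM against the baseline approved at the previous review: anything new, anything at an unexpected version, anything from an unexpected supplier, and anything that silently disappeared all deserve a question to the vendor. The following is an added example, not code from the article; the SBOM is a constructed CycloneDX-style JSON document carrying only the fields used here, and the approved baseline is likewise constructed.

```python
"""Review a delivered SBOM against an approved component baseline (added example)."""
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM as a vendor might deliver it with a new release.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "libcrypto", "version": "3.0.8", "supplier": {"name": "OpenSSL Project"}},
    {"name": "zlib", "version": "1.2.13", "supplier": {"name": "zlib"}},
    {"name": "telemetry-agent", "version": "0.9.1", "supplier": {"name": "unknown-vendor"}}
  ]
}
"""

# Constructed baseline recorded at the last approved review.
APPROVED: Dict[str, Dict[str, str]] = {
    "libcrypto": {"version": "3.0.8", "supplier": "OpenSSL Project"},
    "zlib": {"version": "1.2.11", "supplier": "zlib"},
    "libxml2": {"version": "2.10.3", "supplier": "GNOME"},
}


def review_sbom(sbom_text: str, approved: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return findings grouped by category; an empty dict of lists means the SBOM matches."""
    sbom = json.loads(sbom_text)
    findings: Dict[str, List[str]] = {
        "unapproved": [], "version_drift": [], "supplier_mismatch": [], "missing": []}
    seen = set()
    for comp in sbom.get("components", []):
        name = comp.get("name", "")
        version = comp.get("version", "")
        supplier = (comp.get("supplier") or {}).get("name", "")
        seen.add(name)
        base = approved.get(name)
        if base is None:
            # A component nobody approved: the "extra ingredient" case.
            findings["unapproved"].append(f"{name} {version} ({supplier or 'no supplier'})")
            continue
        if version != base["version"]:
            findings["version_drift"].append(f"{name}: {base['version']} -> {version}")
        if supplier != base["supplier"]:
            findings["supplier_mismatch"].append(f"{name}: expected {base['supplier']}, got {supplier}")
    # Components that vanished may have been replaced by something not declared.
    findings["missing"] = [name for name in approved if name not in seen]
    return findings


if __name__ == "__main__":
    print(json.dumps(review_sbom(SBOM_JSON, APPROVED), indent=2))
```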

4. Follow least access privileges

While some level of access and data exchange is inevitable, your third-party provider doesn’t need to know the exact security protocols or process structures at your company. Give privileged accounts only to those who genuinely need system access, and only for a limited time. Remember, unlimited access privileges might allow hackers to take over partner accounts and thereby obtain entry into your systems. Also, you won’t receive alerts on suspicious access requests if you don’t follow least-privilege practices.

5. Onboard only standards-compliant vendors 

There are industry-wide regulations that require technology vendors to undergo regular security audits and furnish a compliance certificate. For example, ISO27001 certification means the vendor is compliant with industry-specific data privacy regulations like HIPAA or PCI DSS. SOC2 compliance ensures that the vendor has put adequate effort into building logical and physical information security controls to meet your expectations. The same standards-based compliance parameters should apply to every stakeholder on your supply chain, from your managed services provider to your software vendors and OEMs.

6. Adopt a “security by design” philosophy 

Measures like standards-based compliance and supply chain assessment focus on security by default. They try to ensure that the vendor is equipped to provide secure products and services as part of your SLA benchmarks. But security by design entails that you assess a product’s functionalities from a security standpoint, ensuring that there has been no trade-off in favor of a better UX. For example, let’s say I install a Wi-Fi repeater, which presents a seemingly secure set of configurations. But if I can manually type in the admin page URL and control the device directly, without requiring a password, it means that the product’s design isn’t mindful of security considerations. 


Constant Vigilance is Everything

Ultimately, there is only so much you can do to prevent supply chain attacks from happening. The oversight is still in the hands of the OEM, supplier, software vendor, managed services provider, or any other stakeholder on your supply chain. Even if the source code is clean, a malicious compiler can be used to inject malware into the executable. Even signed binaries may not be enough, as malicious code can be legitimately signed. It’s only through constant vigilance that you can detect supply chain vulnerabilities at their early stages and prevent an attack from wreaking havoc.

Use pentesting or ethical hacking to find hidden vulnerabilities. Work with cybersecurity researchers to stay updated on security flaws/compromise risks among large vendors. And continuously monitor system behavior to immediately flag and sandbox any anomalous entity. 

Do you agree that supply chain attacks pose a major threat for enterprises today? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!