When some customers of Domino’s Australia received suspicious emails that appeared to come from the pizza chain a few years ago, they sounded the alarm on a potential data breach on social media and called for the company to investigate the matter.
At the time, Domino’s Australia said its systems had not been compromised, and pinned the blame on a former supplier’s system that was said to have leaked customer information. Such supply chain vulnerabilities, whether they are the result of human error or cyber attacks, are real and growing.
According to a global study commissioned by CrowdStrike in 2018, two-thirds of 1,300 senior IT decision-makers and IT security professionals, including those in Australia, said their organisations had experienced a software supply chain attack. At the same time, 71% believed their organisation did not always hold external suppliers to the same security standards.
Supply chain risks are invisible to many organisations, which means they are often not prioritised from an IT security perspective. Part of that is because supply chain risk management is usually seen as a procurement issue, according to Rob Dooley, ANZ director at VMware Carbon Black.
In fact, security considerations are often surfaced only at the last step in the selection process, Dooley said, calling for security teams to be involved in procurement decisions early on and to provide ongoing monitoring.
The weak links
The modification of hardware, or the installation of malicious firmware prior to delivery, is a less common source of supply chain vulnerabilities. However, CrowdStrike’s security researcher in Asia-Pacific and Japan, Mark Goudie, said it does occasionally happen.
Ashwin Ram, a cyber security evangelist at Check Point, said manufacturers of internet of things (IoT) devices, in particular, often use off-the-shelf firmware, so vulnerabilities can be easily leveraged by attackers. The result could be disastrous, especially if it involves industrial control systems that power critical services.
Besides hardware, the third-party components built into in-house developed software are another weak link in the supply chain. Open source libraries and pre-built containers may have been contaminated with malicious code designed to perform covert actions such as crypto-mining or to provide illicit access to systems. In an audit of over 1,200 applications, Synopsys found that 99% used open source components and 75% of those codebases contained at least one known vulnerability.
And because software libraries depend on other libraries, it’s important to review that entire chain, said Trend Micro’s ANZ technical lead Mick McCluney. The security vendor uses open source vulnerability research from Snyk as a source of intelligence for its DevOps pipeline tools.
Check Point’s Ram said with a lot more attacks conducted via modified code, organisations should validate all the source code they use, and obtain threat intelligence from multiple sources. Code should be automatically checked for safety whenever it is downloaded or built, he warned.
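The two checks described above, reviewing the whole dependency chain and verifying code every time it is downloaded or built, can be combined in a build-time gate. The following is an added example written for this article, not a Trend Micro, Snyk or Check Point tool: it resolves the transitive dependencies of an in-house application, pins each third-party artifact by version and SHA-256 in the pip `--hash=sha256:` lockfile style, and refuses to build when a downloaded artifact does not match its pin, is not pinned at all, or appears in an advisory feed. The package names, dependency graph, artifact bytes and the advisory identifier are all constructed for the illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed dependency metadata: which packages each package pulls in.
# "webapp" is the in-house code; everything below it is third party.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "webapp": ["http-client", "yaml-parser"],
    "http-client": ["url-lib", "ca-bundle"],
    "url-lib": [],
    "ca-bundle": [],
    "yaml-parser": ["yaml-c-ext"],  # second-level dependency, easy to overlook
    "yaml-c-ext": [],
}

# Constructed advisory feed (hypothetical identifier, not a real CVE).
ADVISORIES: Dict[str, str] = {"yaml-c-ext": "HYPOTHETICAL-ADVISORY-0001"}

# Constructed artifacts as captured at pin time, when the build was known good.
# yaml-c-ext is deliberately left out to show the "not pinned" finding.
TRUSTED_ARTIFACTS: Dict[str, Tuple[str, bytes]] = {
    "http-client": ("2.1.0", b"http-client-2.1.0 contents"),
    "url-lib": ("1.26.0", b"url-lib-1.26.0 contents"),
    "ca-bundle": ("2020.4", b"ca-bundle-2020.4 contents"),
    "yaml-parser": ("5.3", b"yaml-parser-5.3 contents"),
}

# Constructed artifacts fetched on a later build: http-client has been altered.
DOWNLOADS_TODAY: Dict[str, bytes] = {
    "http-client": b"http-client-2.1.0 contents plus an injected payload",
    "url-lib": b"url-lib-1.26.0 contents",
    "ca-bundle": b"ca-bundle-2020.4 contents",
    "yaml-parser": b"yaml-parser-5.3 contents",
    "yaml-c-ext": b"yaml-c-ext-0.2 contents",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def resolve_transitive(root: str, graph: Dict[str, List[str]]) -> List[str]:
    """Breadth-first walk: every package reachable from root, root excluded."""
    seen: List[str] = []
    queue = list(graph.get(root, []))
    while queue:
        pkg = queue.pop(0)
        if pkg in seen:
            continue
        seen.append(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def make_lockfile(artifacts: Dict[str, Tuple[str, bytes]]) -> str:
    """Pin name, version and digest in the pip 'requirements --hash' style."""
    return "\n".join(
        f"{name}=={version} --hash=sha256:{sha256_hex(data)}"
        for name, (version, data) in sorted(artifacts.items())
    )


def parse_lockfile(text: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (version, expected sha256 hex)."""
    pinned: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        spec, _, digest = line.partition(" --hash=sha256:")
        name, _, version = spec.partition("==")
        pinned[name.strip()] = (version.strip(), digest.strip())
    return pinned


def verify_download(name: str, data: bytes, pinned: Dict[str, Tuple[str, str]]) -> bool:
    """True only if the artifact is pinned and its digest matches the pin."""
    return name in pinned and sha256_hex(data) == pinned[name][1]


def audit_build(root: str, graph: Dict[str, List[str]], pinned: Dict[str, Tuple[str, str]],
                downloads: Dict[str, bytes], advisories: Dict[str, str]) -> List[str]:
    """Walk the full chain and report everything that should stop the build."""
    findings: List[str] = []
    for pkg in resolve_transitive(root, graph):
        if pkg in advisories:
            findings.append(f"{pkg}: known vulnerability {advisories[pkg]}")
        if pkg not in pinned:
            findings.append(f"{pkg}: not pinned in lockfile")
        elif pkg not in downloads:
            findings.append(f"{pkg}: pinned but not downloaded")
        elif not verify_download(pkg, downloads[pkg], pinned):
            findings.append(f"{pkg}: sha256 mismatch, refusing to build")
    return findings


def run_demo() -> List[str]:
    pinned = parse_lockfile(make_lockfile(TRUSTED_ARTIFACTS))
    return audit_build("webapp", DEPENDENCY_GRAPH, pinned, DOWNLOADS_TODAY, ADVISORIES)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The point of hashing at pin time rather than trusting whatever the registry serves today is that a later substitution of an artifact, whether by a compromised mirror or a tampered package, shows up as a digest mismatch even though the version string is unchanged. The transitive walk is what surfaces the unpinned second-level dependency that a review of direct dependencies alone would miss.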
Supply chain risks exist in services as well. Recognising this, the Australian Prudential Regulation Authority has published the CPS 234 information security standard, which requires regulated entities to assess and manage the security of information assets that are managed by third parties.
For smaller firms, which don’t have the same clout as major banks when dealing with suppliers, a breach can be a potential business-ending threat, said Simon Howe, LogRhythm’s vice-president of sales in Asia-Pacific. These companies, he said, should check if their suppliers hold ISO 27001, NIST and SANS certifications as evidence of their security posture.
Still, compliance with standards does not guarantee security, said CrowdStrike’s Goudie, who advised organisations to consider what data a supplier processes or can access, which is where the real risk is.
That calls for sound data protection practices, such as categorising suppliers and treating each group appropriately based on the sensitivity of the data they can access. In general, the more sensitive the data, the more rigorous the reviews of suppliers should be, said Sean Duca, vice-president and regional chief security officer at Palo Alto Networks in Asia-Pacific and Japan.
Trend Micro’s McCluney suggested quarterly or half-yearly supplier reviews involving procurement, human resources, as well as IT and security, with remedial action prioritised accordingly. Such supplier lifecycle management processes, he added, will ensure that access rights are revoked, among other things, when an organisation stops buying from a supplier.
Duca called for organisations, regardless of the industry they are in, to give suppliers secure access to the systems they need to manage and to block access to everything else. Jim Cook, ANZ regional director at Attivo Networks, said this is especially important as some systems still run on obsolete operating systems with known vulnerabilities.
But even if suppliers are granted minimum access and the network is segmented, there will still be opportunities to exploit infrastructure vulnerabilities, Cook warned, adding that a supplier’s security practices should be aligned with the host organisation’s policies. Ongoing compliance should also be made a contractual obligation.
Guarding against infiltration tactics
Cyber criminals employ a variety of ways to penetrate a supplier’s systems. These include business email compromise, which involves tampering with email, such as falsifying the payment details on invoices, or using a compromised mailbox as a stepping stone in a broader attack on an organisation or its customers.
Subverting the invoicing process is particularly lucrative, said McCluney, so the right control processes are important. For one, employees must not blindly trust the banking details on an invoice, especially if the details have changed.
Instead, McCluney said they should check with the supplier in a manner completely independent of the email. Similarly, any request for an urgent funds transfer purportedly by a senior executive should be treated with scepticism and not acted upon without solid confirmation.
Goudie said while business email compromise is real, the main problem may not be the initial incident, but the consequences of an attacker being able to replicate an entire mailbox outside of the organisation. Too often, security controls such as multi-factor authentication aren’t enabled until a major breach has occurred.
Check Point’s Ram said content disarm and reconstruction (CDR) can play a part in defending against malicious documents that appear to come from trusted sources. Rather than rely on detection, CDR technology treats all content in a file as potentially malicious and rebuilds the file from only the elements known to be safe.
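To make the allowlist principle behind CDR concrete, here is an added example written for this article, not Check Point’s implementation: an Office Open XML package is rebuilt from a fixed list of parts a plain Word document needs, so a VBA project, an embedded OLE object or any part the allowlist does not name is dropped without ever being inspected, and the relationship and content-type entries that pointed at the dropped parts are removed so the result still opens. The sample document, its part names and contents, and the allowlist are constructed for the illustration; a production engine would also rebuild the XML inside each retained part rather than copying it through.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Constructed allowlist: the parts a plain Word document is rebuilt from.
# Anything not named here is discarded, whatever it contains.
SAFE_PARTS = {
    "[Content_Types].xml",
    "_rels/.rels",
    "word/document.xml",
    "word/_rels/document.xml.rels",
    "word/styles.xml",
}

# Constructed stand-in for a macro-enabled .docm received from a "trusted" supplier.
# The binary parts are placeholders, not real VBA or OLE payloads.
SAMPLE_PARTS: Dict[str, bytes] = {
    "[Content_Types].xml": (
        b'<Types><Default Extension="xml" ContentType="application/xml"/>'
        b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        b'<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        b"</Types>"
    ),
    "_rels/.rels": (
        b'<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>'
    ),
    "word/document.xml": b"<w:document><w:body><w:p><w:r><w:t>Invoice 4471: bank details updated</w:t></w:r></w:p></w:body></w:document>",
    "word/_rels/document.xml.rels": (
        b"<Relationships>"
        b'<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        b"</Relationships>"
    ),
    "word/styles.xml": b"<w:styles/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed stand-in for a VBA project",
    "word/embeddings/oleObject1.bin": b"constructed stand-in for an embedded OLE object",
}


def pack(parts: Dict[str, bytes]) -> bytes:
    """Write parts into a zip container in the order given (OOXML is a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def list_parts(data: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_part(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def _strip_references(xml: bytes, dropped_targets: List[str]) -> bytes:
    """Remove <Relationship .../> and <Override .../> elements that point at
    dropped parts. A regex is enough for these flat element lists; the
    substring match on the target name is deliberately simple."""
    def keep(match) -> bytes:
        element = match.group(0)
        return b"" if any(t.encode() in element for t in dropped_targets) else element
    return re.sub(rb"<(?:Relationship|Override)\b[^>]*/>", keep, xml)


def disarm(data: bytes) -> Tuple[bytes, List[str]]:
    """Rebuild the package from allowlisted parts only. Returns (clean, dropped)."""
    kept: Dict[str, bytes] = {}
    dropped: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in SAFE_PARTS:
                kept[name] = zf.read(name)
            else:
                dropped.append(name)
    # Dangling references make Word report a corrupt file, so strip them, and
    # relabel the main part as a plain (non macro-enabled) document.
    targets = [d.rsplit("/", 1)[-1] for d in dropped] + ["/" + d for d in dropped]
    for name in ("[Content_Types].xml", "word/_rels/document.xml.rels"):
        if name in kept:
            kept[name] = _strip_references(kept[name], targets)
    if "[Content_Types].xml" in kept:
        kept["[Content_Types].xml"] = kept["[Content_Types].xml"].replace(
            b"application/vnd.ms-word.document.macroEnabled.main+xml",
            b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
        )
    return pack(kept), dropped


if __name__ == "__main__":
    clean, dropped = disarm(pack(SAMPLE_PARTS))
    print("dropped:", dropped)
    print("kept:", list_parts(clean))
```

The contrast with a scanner is that nothing here decides whether `vbaProject.bin` is malicious; it is removed because it is not on the list of things a document needs, which is why the approach also covers payloads no signature has been written for.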
Then, there’s also island-hopping where perpetrators use one organisation’s network to get into that of its partners. Chester Wisniewski, principal research scientist at Sophos, said as this is a largely automated process, prompt detection and response is key. Tools will stop 95% of such attacks, and only 1% or so are truly harmful, he warned.
“It’s a needle in the haystack problem, so you need tools to filter out the relevant and important data and present it as actionable information,” Wisniewski said. “Artificial intelligence alone isn’t up to the job, but it might take care of 98% of the signals leaving humans to interpret and deal with the remaining 2%.”
Besides using automation to detect breaches and patch systems, and conducting tabletop exercises to test an organisation’s resilience against supply chain attacks, it may be worthwhile to consider managed security services, especially for organisations that don’t have in-house expertise.
Wisniewski said: “Managed security service providers have the technical and local expertise and insights needed to provide good service, the economies of scale to deliver it at an affordable price, and the backing of suppliers such as Sophos when necessary”.