Dark Reading is part of the Informa Tech Division of Informa PLC


1/19/2018
10:30 AM
Liviu Arsene
Commentary

Understanding Supply Chain Cyber Attacks

While the attack surface has increased exponentially because of the cloud and everything-as-a-service providers, there are still ways in which host companies can harden supply chain security.

Today's cybersecurity landscape has changed dramatically due to digitalization and interconnectivity. While the benefits of each push businesses toward adoption, security risks associated with interconnectivity between networks and systems raise major concerns. Everything-as-a-service removes traditional security borders and opens the door to new cyber attacks that organizations might not be prepared to recognize or even deal with.

Moving resources into the hands of the final consumer now involves creating systems that handle, distribute, and process goods using a complex network of suppliers and services. These supply chains are what cybercriminals try to exploit, as third-party suppliers usually have some level of access to their customers' networks. This, coupled with an advancing software stack that's integrated with critical internal infrastructures, increases the attack surface that threat actors can exploit to breach perimeter defenses.

Trust Is Often Exploited
The relationship between humans and technology is far from perfect. Cloud technologies can themselves be unpredictable in that they may interact with each other in unforeseen ways. When you add the human factor, which is inherently unpredictable, it raises security concerns that can be impossible to predict.

The cloud has become an integral part of digital businesses, but the lack of proper authorization, accountability, and authentication in the cloud enables security threats that we've come to know as supply chain attacks. This increased adoption of cloud services must push organizations to constantly reassess external audit programs and due diligence processes. This practice of regular re-evaluation must go through constant iterations to identify potential security blind spots while decreasing incident response times.

Unfortunately, for the past few years we've seen a series of supply chain attacks that have led to millions of customers having personal and private data exposed because of blind spots inherent in current supply chain security. The Target incident, in which 41 million customer records were exposed, has become a case study for supply chain attacks that leverage third-party access into critical infrastructures.

Arguably, the biggest recent supply chain blunder is the GoldenEye ransomware incident, which involved a tainted update to a popular accounting platform used by many companies. After attackers compromised the update server for this legitimate piece of software, the malware spread across organizations using the accounting platform.

Supply chain attacks have even targeted the average user, as when a popular Apple Xcode IDE application development framework was tampered with and injected with malicious code. App developers using the tainted framework unknowingly created applications bundled with malware that could not only steal personal and private data from users but also allow for complete remote control of devices. Dubbed XcodeGhost, this supply chain attack scenario demonstrates that threat actors can even breach organizations by targeting developers.

Because complex infrastructures are sometimes difficult for IT operations to maintain, the use of automated tools that can be deployed remotely throughout the infrastructure can be vital in ensuring a productive supply chain. Unfortunately, these tools, although legitimate, can also be leveraged as attack vectors into organizations, bypassing standard security procedures. CCleaner, a popular free tool for optimizing system performance, was tampered with by cybercriminals and injected with malware that targeted technology and telecommunications companies. Because IT operations widely deploy the tool within infrastructures, it's estimated that 2.27 million systems could have been affected by the backdoor capabilities of the injected malware.

Managing Supply Chain Risks
Host organizations now face having to adapt security procedures to include not just internal infrastructures, but also vendors, customers, and even partners. While internal IT and security departments might have strong security practices for thwarting a wide range of direct attacks, third-party collaborators might not adhere to the same culture. Consequently, programs for vetting vendors need to be in place before fully integrating them into internal infrastructures.

Building a vendor management program is ideal and should start with defining an organization's most important vendors. Building the program around a risk-based approach ensures that vendors are constantly evaluated and assessed, and that their policies are consistent with those of the host organization.

Besides requiring vendors to provide timely notification of any internal security incident, periodic security reports should be included in the collaboration guidelines to regularly ascertain their security status. Because security is a dynamic and ongoing process, these procedures should be constantly updated and audited in accordance with best practices and the host company's security requirements.

Constantly reviewing technology, people, and processes, both internally and from suppliers, filters out easily exploitable supply chain attacks that could prove devastating for the host organization and the supplier. This procedure should encompass everything from employees joining the organization to new technologies being integrated with existing systems, internal processes regarding security incident response, and the implementation of security best practices.

The Security Perimeter Is Borderless
No longer are strong perimeter defenses enough; security teams must consider that digitalization has taken down all network borders. And while the attack surface has increased exponentially because of it, there are still ways in which host companies can harden supply chain security even if it only involves the establishment of new procedures.

The borderless security perimeter that's a natural consequence of infrastructure-as-a-service shows that security models must change to cope with the new threat landscape. As previously mentioned, ongoing assessment processes are vital in building and maintaining a strong security posture, but they are only one of the security controls necessary to harden defenses. Cybercrime is committed in the digital arena; for that reason, organizations must have strict authorization, authentication, and accounting mechanisms for securing critical data and controlling who has access to it.

However, the deployment of security controls specifically designed for physical, virtual, locally deployed, or in-the-cloud infrastructures is also important. It's crucial for digital businesses and large organizations to implement a layered security approach customized to their risk profile, if they are to fully and successfully leverage the benefits of everything-as-a-service.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ...

Comments
jessica15241351171634410065, User Rank: Apprentice
8/21/2018 | 6:29:26 AM
Blockchain is the only solution for Supply Chain Cyber Security
Supply chain security issues are far too complicated to tackle with passwords, access cards, and software suites alone.

 The supply chain and logistics industry has undergone rapid transformation over the past two decades, to tackle the growing challenges of supply chain security management, especially for larger, more complex supply chains.

 While most of these new technologies are still in the 'experimental' stage, there's one that the industry is betting on for betterment — and that's supply chain blockchain. Blockchains can secure, validate, and guarantee the quality and accuracy of data just fine once it's in the system. They cannot, however, give you the same guarantee for data that's entered into the system to begin with.