Analysis: As with US retailer Target, however much you spend on your own cyber security, your suppliers and distributors could let you down.
After shelling out thousands or millions on cyber security for your enterprise, it might be dismaying to find that your organisation could still be vulnerable to a major breach – and it wouldn’t even be your fault.
However well prepared an organisation is for direct attack, the threat posed by its supply chain is a serious one and needs serious consideration.
The textbook case study for this type of attack is Target, the US retailer hacked in 2013, where 40 million payment card records were stolen and Target later agreed a $10 million settlement with the affected customers.
Target admitted in 2014 that the intrusion into the systems came after network credentials were stolen from a third-party vendor. It was later revealed that the vendor was a refrigeration, heating and air-conditioning subcontractor.
The ‘supply chain’ in this context does not just apply to manufacturers, where it might mean the raw materials that feed into the final product. More broadly, the supply chain comprises all the third-party organisations that allow a company to do its business. This includes, for example, utilities suppliers, accountancy and law firms, or logistics companies.
Cisco’s UK and Ireland security head, Terry Greer-King, explains the threat:
“A couple of years ago medium-sized organisations would not think attackers would go for them,” he says.
“What we’ve seen is attacks on the supply chain. SMBs that supply larger organisations can be a weak link in the chain. The harsh reality is that small organisations don’t have so many resources they can deploy.”
In the case of the Target breach, the subcontractor had already been given access to Target’s network before being hacked itself. The attackers then logged in with legitimate vendor credentials, so the perimeter defences Target had in place around its own systems saw an authorised user rather than an intruder; the effect was essentially that of an insider threat.
As David Emm, Principal Security Researcher at Kaspersky Lab, explains, it is easy for small businesses to assume they are not a target. But they “typically don’t have the in-house expertise that a large enterprise can call on, which makes them susceptible to the attacks within the supply chain.”
Emm adds that they may be less aware that they are in danger of attacks.
Stephen Gates, chief research intelligence analyst at NSFOCUS, says that a device in the supply chain could be compromised by hackers and used as an access point to the network.
“Once access is gained to the upstream organisation’s network from an entity in the supply chain, hackers controlling the original machine can use it to move laterally in an organisation. That machine can be used to gather intelligence, plant malware, or even steal data.”
So what can be done to mitigate the risk? An initial step is to make sure that access to secure systems is not given out unnecessarily.
Gavin Bradbury, Senior Vice President, Global Marketing at NTT Security, says that companies need to be more “savvy and proactive”.
He says: “There are still too many businesses giving third parties unnecessary access to their corporate systems, and determined attackers will use these suppliers to gain an initial foothold in the target system.”
For example, not every supplier or distributor needs access to the network to be able to do the job. Organisations should create processes for assessing how much access should be given to a third party.
“The best method is to ensure no one person can ever access any critical systems or data without consensus approvals from a quorum of peers or supervisors at all points,” says Andersen Cheng, CEO, Post-Quantum.
Gates, at NSFOCUS, says that every device in the supply chain that requires access to another organisation’s network must be treated as ‘untrusted’.
For suppliers that are given access, David Kennerley, director of threat research at Webroot, emphasises the importance of a collaborative approach to cyber security, working with suppliers to ensure that they are secure.
This could include introducing an auditing process for potential suppliers to determine how well they comply with relevant cyber security standards.
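The access-scoping advice above (give third parties only the access their job needs, and treat their devices as untrusted) is something a security team has to check periodically rather than once. The following is an added example, not code from the article or from any of the firms quoted in it: a small third-party access review that compares what each vendor account can actually reach against what the review approved, and flags excess scope, dormant accounts and standing access with no expiry. All vendors, accounts, system names and dates are constructed for illustration and do not describe Target or its subcontractor.

```python
"""Third-party access review.

Added example: flags vendor accounts whose effective access exceeds the approved
scope, that have gone dormant, or that have no expiry. Every vendor, account,
system name and date below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class VendorGrant:
    vendor: str
    account: str
    systems: Set[str]          # what the account can actually reach today
    approved: Set[str]         # what the access review approved for the job
    last_used: Optional[date]  # None if the account has never authenticated
    expires: Optional[date]    # None means standing, open-ended access


def review_grant(g: VendorGrant, today: date,
                 dormant_after: timedelta = timedelta(days=90)) -> List[str]:
    """Return a list of findings for one vendor account (empty means clean)."""
    findings = []
    # Least privilege: anything reachable that was not approved is excess scope.
    excess = g.systems - g.approved
    if excess:
        findings.append(
            f"{g.account} ({g.vendor}): reaches {sorted(excess)} beyond approved scope "
            f"{sorted(g.approved)}; remove the extra access")
    # Dormant accounts are an unattended foothold; revoke or re-approve them.
    if g.last_used is None or today - g.last_used > dormant_after:
        findings.append(
            f"{g.account} ({g.vendor}): dormant (last used {g.last_used}); revoke or re-approve")
    # Third-party access should be time-boxed so it is re-justified on renewal.
    if g.expires is None:
        findings.append(
            f"{g.account} ({g.vendor}): no expiry set; standing third-party access should be time-boxed")
    elif g.expires < today:
        findings.append(
            f"{g.account} ({g.vendor}): expired on {g.expires} but is still provisioned")
    return findings


def review_all(grants: List[VendorGrant], today: date) -> Dict[str, List[str]]:
    """Map each account name to its findings."""
    return {g.account: review_grant(g, today) for g in grants}


# Fixed review date so the example is reproducible.
TODAY = date(2017, 3, 1)

# Constructed sample data (not real vendors or systems).
SAMPLE_GRANTS = [
    # Facilities subcontractor approved for the building systems only, but the
    # account was also added to a group that reaches the store network.
    VendorGrant("HVAC-Co", "svc-hvac",
                {"vendor-portal", "building-mgmt", "store-network"},
                {"vendor-portal", "building-mgmt"},
                date(2017, 2, 20), date(2017, 12, 31)),
    # External law firm whose access matches its approval and is in active use.
    VendorGrant("Law-LLP", "ext-counsel", {"doc-share"}, {"doc-share"},
                date(2017, 2, 27), date(2017, 6, 30)),
    # Logistics partner whose account has not been used for months and never expires.
    VendorGrant("Ship-Ltd", "svc-ship", {"edi-gateway"}, {"edi-gateway"},
                date(2016, 9, 1), None),
]

if __name__ == "__main__":
    for account, findings in review_all(SAMPLE_GRANTS, TODAY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{account}: {status}")
        for f in findings:
            print("  -", f)
```

Run on the constructed data, the law firm's account comes back clean, the HVAC account is flagged once for reaching the store network outside its approved scope, and the logistics account is flagged twice, for dormancy and for having no expiry. The point of the approved-scope column is that it is recorded at provisioning time by the assessment process the article calls for, so the review is a mechanical comparison rather than a judgement call made under pressure later.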
Kennerley says “an information sharing agreement to report security breaches would greatly improve security.”
For Kaspersky’s David Emm, education is key, due to the large role played by social engineering.
“While many businesses understand the need to patch digital assets (by applying security updates), they often fail to take adequate steps to ‘patch’ their human resources.”
Gemalto CTO Jason Hart recommends a technological approach, focused on the data.
He argues that organisations need to build encryption into every stage of the supply chain with an “end-to-end solution that means the data is protected from start to finish”. The focus should then be on strong management of the encryption keys.
Whatever protections a business ends up putting in place, though, the first step should be making sure that supply chain security is on the agenda. The Target breach shows that this is far from a hypothetical threat.