There’s a shift happening in the world of cybercrime. This shift is towards using indirect attacks where hackers use compromised data, such as login credentials from individuals or smaller companies within a supply chain, to then access companies higher up the chain and ultimately infiltrate mass numbers of user accounts and their Personally Identifying Information (PII) therein. You can describe this attack as using a ‘stepping stone’ principle, hopping from an easier target, to breach a more lucrative company.
Supply chain continuity as well as data security can also be adversely affected by a cyber-attack. Supply chains rely on the seamless and timely movement of information between the actors and any interruption to this flow can have serious effects that ripple across the chain. In fact research by Accenture, quoted by the world Economic Forum in their report ‘Building Resilience in Supply Chains’, has stated that any disruption to the supply chain can affect a company’s share price by as much as 7%. The natural eco-system of sharing between parties within a supply chain is why the chain is so much at risk. A report by the National Security Response Team, looked at how this environment of sharing creates disruptive routes into the supply chain for hackers.
Supply chains create an extended network, many parts of which may lie outside the control of the other parts. Hackers will look to that supply chain, work out the weakest parts of it, the easy targets and go for those.
Attack Vectors into the Supply Chain
These attacks will often take advantage of human behavior and utilize social engineering to engineer their entrance into your organization. Spear phishing attacks, where individuals within an organization, such as system administrators are targeted by a hacker are often used as the vector into the supply chain. The recent attacks on the U.S. Federal Office of Personnel Management (OPM) that is estimated to have affected around 18 million individuals records, is likely to have been caused when security credentials of a contractor, KeyPoint, were stolen.
Compromised credentials are a favorite of supply chain hacks. If a trusted supply chain vendor has access to any network resources, then a compromise at that vendor could potentially steal those credentials and get access to your network.
Watering hole type attacks are also being used to infiltrate the supply chain. Vendor portals, for example, can be used to insert malware and steal key credentials.
The naturally extended network of a supply chain, where suppliers need to have privileged access to, for example, VPN’s and other communicating channels, opens up routes into the chain and its participants.
Leveraging software exploits in vendor-client communication tools is also used often as a chosen attack vector on a supply chain actor.
Examples of Breaches through a Supply Chain
The following examples are just a small snapshot showing how third party suppliers are being used to get at massive amounts of data from the larger supplier in the chain.
RSA: One of the earliest known attacks against a supply chain vendor. In this attack RSA SecureID token generators, used by the military and others as secure login credentials, were compromised when the secret algorithm used to generate the one-time codes were deciphered. This resulted in Lockheed Martin, who used the token generators, being hacked.
Target: 100 million customers had their target accounts breached. This breach resulted in the loss of personal and financial data. It is believed that the breach originated in the supply chain, with a firm that supplied heating and ventilation (HVAC) to Target nationwide. The breach was initiated through a phishing email to the HVAC vendor who had, as a trusted supplier, network credentials issued by Target
Goodwill Industries: A third party vendor was the entry into Goodwill Industries, resulting in nearly 870,000 lost debit and credit card details.
Home Depot: Had the same supply chain breach issue as Goodwill Industries, a third party vendor’s login credential were stolen and used to access Home Depot’s network, resulting in around 56 million credit and debit card details being stolen.
Security firm, Symantec, have also examined the possibility of a systematic attack, which utilizes the supply chain, termed the ‘Elderwood Platform’. This is a highly technical outfit that targets the defense supply chain and any of the associated wider businesses and subsidiaries that work within that chain, using them to ultimately get to highly sensitive information and intellectual property of defense manufacturers.
Closing the Chain to Hackers
There is obviously an issue here, the weakest link in any chain will cause that chain to break and that’s exactly what is happening. We need to start to form a protective layer around the chain – build strength from within. Organizations should be setting requirements for a security ‘sharing eco-system’ as part of their supply chain purchasing process. The chain should comprise of a dual level hierarchy incorporating disclosure requirements across all vendors as part of this eco-system’s commercial agreement – as well as collaborative environment between the participants which will enable constant correlation and relevancy check. This will bring the technology and commercial models together, working for everyone’s benefit.
This eco-system will be effective in communicating security events between members; it will act like a security collective, all working towards the good of the extended partnerships. As certain vendors within the chain will be more highly targeted, a dedicated feed of security events will help to increase detection rates and preparedness to ensure that rapid response rates are optimized. The supply chain is already part of a natural eco-system, the extension of this to add a security layer is now a pressing and urgent requirement of all supply chains to stop hackers finding that weakest link and breaking the whole chain.
Latest posts by Kobi Freedman (see all)
- Data Sharing Technology Revolutionizes Healthcare - March 14, 2016
- Data Sharing Gets a Ride: How Popular Ride-Sharing Apps Influence Policy On Sharing - March 1, 2016
- Data Ownership Questions Answered by Decentralized P2P Platforms - February 18, 2016