The SolarWinds breach that was uncovered at the end of 2020 left organizations around the globe wondering about the security of their own supply chains – and how to mitigate risks around working with third-party providers.
Just what is a supply chain attack? There is a lot of confusion over the specifics of supply chain and how these attacks work. Simply put, rather than infiltrating an organization directly, attackers instead exploit the access that trusted third-party suppliers have in order to access the company’s environment and conduct malicious activity.
“There are three ways these can impact your organization,” says Chester Wisniewski, principal research scientist at Sophos. “The first is through the code you take in. It can have security flaws that can be exploited. The second is through the software you consume, which can be booby-trapped, so to speak. Most attacks have been accomplished through this means. The third way is through a trusted third-party that has access to your credentials. You may grant a third-party access to your network. But if someone abuses those credentials, they get access, too.”
Third-party Connections: Risky but Essential
These days, just about every organization is reliant on some form of third-party supplier or software. The Sophos report Minimizing the Risk of Supply Chain finds, on average, small- and mid-sized organizations report having at least three suppliers who connect to their systems. Allowing these suppliers to connect to a network allows in-house staff to focus on other tasks, and it’s common practice for most organizations to manage their IT infrastructure. But it is this very practice that introduces the risk of supply chain attacks.
Unfortunately, supply chain attacks are extremely difficult to both defend against and detect, says Wisniewski. “A lot of this is reading tea leaves. How do I choose what presents the least risk?”
Wisniewski suggests some best practices, including evaluating the internal software updates from the vendors you work with.
“Are the security fixes pointed out in updates? That gives you an idea of how open they are about their security,” he says. “Is there a good cadence of things coming out? You can also ask vendors about their procedures.”
Best Practices to Guard Against Supply Chain Exploits
Wisniewski says a Zero Trust approach addresses many of the security concerns around supply chain attacks – not necessarily to prevent them, but to contain the spread of malware and “massively limit the amount of damage” that can occur.
Sophos offers these suggestions to reduce risk and potentially prevent an attack from significantly impacting your business:
- Shift from a reactive to a proactive approach to cybersecurity
- Monitor for early signs of compromise
- Audit your supply chain
- Assess the security posture of your suppliers and business partners
- Constantly review your own IT security operations hygiene
Learn more about guarding against supply chain attacks in the Sophos report.