Supply chain attacks are quickly becoming a leading threat to many industries. Recent headlines of data breaches and the increasing sophistication in cyber-attacks are not only worrisome but downright frightening. Unfortunately, the problem isn't going away. In today's digital world, the use of third-party services is here to stay, as it allows organizations to remain efficient and cut costs. But with those contracts comes a fragile price: access to your organization's private data.
A supply chain attack is arguably the worst type of cyber-attack because it is much more difficult to detect and offers hackers a high level of access. A primary attack strategy exploits vulnerabilities in a third-party vendor's security practices, often linked to cutting corners on cybersecurity measures. These attacks can take numerous, unexpected forms, from third-party software updates to targeted malware. Once access is gained, it exposes sensitive data for multiple clients, victimizing hundreds to thousands of unaware individuals.
The number of high-profile attacks hitting the news has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue guidance on how organizations can defend themselves. This article will look at what steps you can take to prevent your reputable organization from turning into a cautionary headline.
A Glance at the Headlines
The recent SolarWinds data breach has been called one of the most significant attacks in history due to its magnitude and severity. In 2020, hackers broke into the software company's Orion system and injected malicious code via a software update. The trick granted them access to the private data of up to 18,000 users who had installed the software update. More shockingly, customers of the platform included the State Department, the Pentagon, Fortune 500 companies, and all five branches of the U.S. military, to name a few. Russian hacking group Nobelium is deemed responsible for the attack.
Earlier this year, aviation IT giant SITA revealed it was breached in a coordinated supply chain attack that affected multiple airlines and hundreds of thousands of passengers globally. According to the organization, it serves 90% of the world's airlines, amounting to over 2,500 customers. It handles online services, from reservations to frequent flyer miles. Since February, numerous airlines have come forward saying they were affected, with the most significant being Air India, which disclosed that the data of 4.5 million passengers was stolen in the attack.
In July, cybercriminal masterminds targeted the software company Kaseya. The ransomware attack, led by REvil Ransomware Gang, paralyzed the networks of around 2,000 companies worldwide.
The overall impact of these high-profile incidents — and all supply chain attacks — could take years to unfold. And it's an eye-opening reminder that no organization, no matter how big or small, is immune to a supply chain attack or any other type of cyber-attack. Organizations need to take stricter measures to vet the vendors they select and implement their own best practices. Taking cybersecurity seriously and acknowledging that a threat is only a click away are the first steps towards protection.
A Look at CISA Guidelines
As mentioned earlier, the CISA recently issued guidance on how software customers and vendors can prevent supply chain attacks. The CISA acknowledged that many organizations are uniquely vulnerable because many third-party software products require privileged access and require frequent communication between a vendor's network and the vendor's software product located on customer networks. However, implementing best practices can improve an organization's ability to prevent, mitigate, and respond to an attack.
The CISA looked at ways an organization could take action to avoid acquiring malicious or vulnerable software, mitigate deployed malicious or vulnerable software, and increase resilience to a successful exploit. It recommended using the National Institute of Standards and Technology's (NIST) Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to prevent malicious software content or vulnerabilities from entering the cyber supply chain. It also encouraged software vendors to implement and follow a software development life cycle (SDLC) in their organizational strategy.
Other suggestions include:
- Defining set criteria for software security checks
- Supplying software that meets security requirements and mitigates risk
- Verifying third-party software complies with security requirements
- Reusing existing, well-secured software to reduce the risk of vulnerabilities
- Following secure coding practices
- Performing in-house and third-party code review, analysis, and testing
- Using properly configured compilation and build processes
- Configuring software so it's secure by default at the time of installation
- Providing a mechanism for verifying software release integrity to help assure customers they haven't acquired tampered software
While there is no magical solution to the problem, taking these steps and revisiting your cybersecurity practices regularly will help lessen your organization's chances of becoming a victim.
Ray Gandy is a Director and Leader of the IT Risk & Assurance Practice in New England. He can be reached at firstname.lastname@example.org or 617.671.0722.
Copyright © 2021 CBIZ & MHM (Mayer Hoffman McCann P.C.). All rights reserved.