How Australian firms can defend against supply chain attacks
Supply chain security risks can wreak havoc if measures are not taken to deter cyber attackers from exploiting a supplier’s security gaps to target another firm
When some customers of Domino’s Australia received suspicious emails from the pizza chain a few years ago, they sounded the alarm on a potential data breach on social media and called for the company to investigate the matter.
At the time, Domino’s Australia said its systems had not been compromised, and pinned the blame on a former supplier’s system that was said to have leaked customer information. Such supply chain vulnerabilities, whether the result of human error or cyber attacks, are real and growing.
According to a global study commissioned by CrowdStrike in 2018, two-thirds of 1,300 senior IT decision-makers and IT security professionals, including those in Australia, said their organisations had experienced a software supply chain attack. At the same time, 71% believed their organisation did not always hold external suppliers to the same security standards.
Supply chain risks are invisible to many organisations, which means they are often not prioritised from an IT security perspective. That is partly because supply chain risk management is usually seen as a procurement issue, according to Rob Dooley, ANZ director at VMware Carbon Black.
In fact, security considerations are often surfaced only at the last step in the selection process, said Dooley, who called for security teams to be involved in procurement decisions early on and to provide ongoing monitoring.
The modification of hardware, or the installation of malicious firmware before delivery, is another possible source of supply chain vulnerabilities. Less common though it is, it does occasionally happen, said Mark Goudie, CrowdStrike’s security researcher in Asia-Pacific and Japan.
Ashwin Ram, a cyber security evangelist at Check Point, said manufacturers of internet of things (IoT) devices, in particular, often use off-the-shelf firmware, so vulnerabilities can easily be leveraged by attackers. The result could be disastrous, especially if it involves industrial control systems that power critical services.
Besides hardware, software developed in-house is another weak link in the supply chain, because it is built on third-party components. Open source libraries and pre-built containers may have been contaminated with malicious code designed to perform covert actions such as cryptomining or to provide illicit access to systems. In an audit of more than 1,200 applications, Synopsys found that 99% used open source components and 75% of them contained known vulnerabilities.
And because software libraries depend on other libraries, it is important to review that entire chain, said Mick McCluney, ANZ technical lead at Trend Micro. The security supplier uses open source library researcher Snyk as a source of intelligence for its DevOps pipeline tools.
Check Point’s Ram said that with a lot more attacks conducted via modified code, organisations should validate all the source code they use, and obtain threat intelligence from multiple sources. Code should be automatically checked for safety whenever it is downloaded or built, he warned.
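As an added illustration of the two points above (reviewing the whole dependency chain, and checking code automatically at build time), the following is example code written for this article, not tooling from Trend Micro, Snyk or Check Point. The package names, versions, advisory id and artifact contents are all constructed placeholders.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed dependency metadata (hypothetical packages, not real ones):
# package -> (pinned version, direct dependencies)
DEPENDENCY_GRAPH: Dict[str, Tuple[str, List[str]]] = {
    "webapp":      ("1.0.0", ["http-client", "yaml-parser"]),
    "http-client": ("2.3.1", ["tls-lib"]),
    "yaml-parser": ("0.9.5", ["tls-lib"]),
    "tls-lib":     ("1.1.0", []),
}

# Constructed vulnerability feed: (package, version) -> advisory id placeholder
KNOWN_VULNERABLE = {("yaml-parser", "0.9.5"): "ADVISORY-PLACEHOLDER-1"}

# Constructed artifacts as fetched at build time; tls-lib has been altered
# since it was reviewed, so its hash no longer matches the pin.
FETCHED_ARTIFACTS = {
    "http-client": b"http-client-2.3.1 source archive",
    "yaml-parser": b"yaml-parser-0.9.5 source archive",
    "tls-lib":     b"tls-lib-1.1.0 source archive (tampered)",
}
# SHA-256 of each artifact as recorded when the dependency was first reviewed
PINNED_HASHES = {name: hashlib.sha256(data).hexdigest() for name, data in {
    "http-client": b"http-client-2.3.1 source archive",
    "yaml-parser": b"yaml-parser-0.9.5 source archive",
    "tls-lib":     b"tls-lib-1.1.0 source archive",
}.items()}

def transitive_dependencies(root: str) -> Set[str]:
    """Walk the entire chain below root, not just its direct dependencies."""
    seen: Set[str] = set()
    stack = list(DEPENDENCY_GRAPH[root][1])
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(DEPENDENCY_GRAPH[name][1])
    return seen

def review_build(root: str) -> List[str]:
    """Findings that should fail the build: a known-vulnerable version anywhere
    in the chain, or an artifact whose hash differs from (or lacks) a pin."""
    findings = []
    for name in sorted(transitive_dependencies(root)):
        version = DEPENDENCY_GRAPH[name][0]
        advisory = KNOWN_VULNERABLE.get((name, version))
        if advisory:
            findings.append(f"{name}=={version}: known vulnerability {advisory}")
        actual = hashlib.sha256(FETCHED_ARTIFACTS[name]).hexdigest()
        if actual != PINNED_HASHES.get(name):  # missing pin fails closed
            findings.append(f"{name}=={version}: artifact hash mismatch")
    return findings
```

Run as a build step, a non-empty result from `review_build` is the signal to stop the pipeline rather than just log a warning.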
Supply chain risks exist in services as well. Recognising this, the Australian Prudential Regulation Authority has published the CPS 234 standard, which specifies steps that regulated entities must take to mitigate supply chain risks.
For smaller firms, which do not have the same clout as major banks when dealing with suppliers, a breach can be a potential business-ending threat, said Simon Howe, LogRhythm’s vice-president of sales in Asia-Pacific. These companies, he said, should check whether their suppliers hold ISO 27000, NIST and SANS certifications as evidence of their security posture.
However, compliance with standards does not guarantee security, said CrowdStrike’s Goudie, who advised organisations to consider what data a supplier processes or can access, which is where the real risk lies.
That calls for sound data protection practices, such as categorising suppliers and treating each group appropriately based on the sensitivity of the data they can access. In general, the more sensitive the data, the more rigorous the reviews of suppliers should be, said Sean Duca, vice-president and regional chief security officer at Palo Alto Networks in Asia-Pacific and Japan.
Trend Micro’s McCluney suggested quarterly or half-yearly supplier reviews involving procurement, human resources, as well as IT and security, with remedial action prioritised accordingly. Such supplier lifecycle management processes will ensure that access rights are revoked, among other things, when an organisation stops buying from a supplier, he said.
Duca called for organisations, regardless of the industry they are in, to provide suppliers with secure access to the systems they need to manage – and to block access to everything else. Jim Cook, ANZ regional director at Attivo Networks, said this is especially important as some systems still run on obsolete operating systems with known vulnerabilities.
But even if suppliers are granted minimum access and the network is segmented, there will still be opportunities to exploit infrastructure vulnerabilities, Cook warned, adding that a supplier’s security practices should be aligned with a host organisation’s policies. Ongoing compliance should also be deemed as a contractual obligation.
Cyber criminals employ a variety of ways to penetrate a supplier’s systems. This may include business email compromise, which involves interfering with emails – such as falsifying payment details on invoices – and using email as a stepping stone in a broader attack on an organisation or its customers.
Subverting the invoicing process is particularly lucrative, said McCluney, so the right control processes are important. For one, employees must not blindly trust the banking details on an invoice, especially if the details have changed.
Instead, McCluney said they should check with the supplier in a manner completely independent of the email. Similarly, any request for an urgent funds transfer purportedly from a senior executive should be treated with scepticism and not acted upon without solid confirmation.
Goudie said that while business email compromise is real, the main problem may not be the initial incident, but the consequences of an attacker being able to replicate an entire mailbox outside the organisation. Too often, security controls such as multifactor authentication are not enabled until a major breach has occurred.
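The scenario Goudie describes, an attacker copying a mailbox out of the organisation, leaves traces in mail audit logs. The detection logic below is an added example written for this article, not a CrowdStrike tool; the log format, user names, domains and the bulk-sync threshold are all constructed for illustration.

```python
from typing import Dict, List

# Constructed audit log in a hypothetical "time user action key=value..." format
# (not any real mail product's schema). The third and later lines show an
# external forward being set and then every folder pulled over IMAP.
AUDIT_LOG = """\
2020-03-02T08:01:10Z alice MailboxLogin client=Outlook ip=203.0.113.10
2020-03-02T08:05:42Z alice SetForwarding target=alice@example.com
2020-03-02T21:14:03Z alice MailboxLogin client=IMAP ip=198.51.100.7
2020-03-02T21:15:20Z alice SetForwarding target=archive@mail-example.net
2020-03-02T21:16:00Z alice MailboxSync client=IMAP folders=all messages=48213
2020-03-02T09:30:00Z bob MailboxLogin client=Outlook ip=203.0.113.11
"""
INTERNAL_DOMAIN = "example.com"      # constructed: the organisation's own domain
BULK_SYNC_THRESHOLD = 10000          # constructed: message count that looks like a full copy

def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into a dict of its fixed fields and key=value pairs."""
    ts, user, action, *kv = line.split()
    event = {"time": ts, "user": user, "action": action}
    event.update(pair.split("=", 1) for pair in kv)
    return event

def find_mailbox_exfil_signals(log: str) -> List[str]:
    """Flag the two actions that let a mailbox be replicated outside the
    organisation: a forward to an external domain, or a bulk pull of all folders."""
    signals = []
    for line in log.splitlines():
        e = parse_line(line)
        if e["action"] == "SetForwarding":
            domain = e["target"].rsplit("@", 1)[-1]
            if domain != INTERNAL_DOMAIN:
                signals.append(f"{e['user']}: forwarding set to external domain {domain}")
        elif (e["action"] == "MailboxSync" and e.get("folders") == "all"
              and int(e.get("messages", "0")) >= BULK_SYNC_THRESHOLD):
            signals.append(f"{e['user']}: bulk sync of {e['messages']} messages via {e['client']}")
    return signals
```

Either signal is a reason to revoke the session and re-check whether multifactor authentication was actually enforced for that account, rather than waiting for the resulting fraud to surface.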
Check Point’s Ram said content disarm and reconstruction (CDR) can play a part in defending against malicious documents that appear to come from trusted sources. Rather than rely on detection, CDR technology assumes that all content held in a file is malicious and rebuilds the file from only the elements known to be safe.
Then, there is also island-hopping, where perpetrators use one organisation’s network to get into that of its partners. Chester Wisniewski, principal research scientist at Sophos, said that because this is a largely automated process, prompt detection and response is key. Tools will stop 95% of such attacks, and only 1% or so are truly harmful, he said.
“It’s a needle-in-a-haystack problem, so you need tools to filter out the relevant and important data and present it as actionable information,” said Wisniewski. “Artificial intelligence alone isn’t up to the job, but it might take care of 98% of the signals, leaving humans to interpret and deal with the remaining 2%.”
Besides employing automation to detect breaches, patch systems and conduct tabletop exercises to test an organisation’s resilience against supply chain attacks, it may be worthwhile to consider managed security services, especially for those that do not have in-house expertise.
Wisniewski added: “Managed security service providers have the technical and local expertise and insights needed to provide good service, the economies of scale to deliver it at an affordable price, and the backing of suppliers such as Sophos when necessary.”