Supply chain is a potent vector for damaging cyber attacks, ENISA warns
No matter how secure an organisation’s network is, it cannot keep hackers at bay as long as it continues to rely on supply chain vendors that apply inadequate security controls to their networks and devices, ENISA has warned.
The recent exploitation of critical security vulnerabilities in IT software offered by the likes of SolarWinds and Kaseya, along with the exploitation of vulnerabilities in the Microsoft Exchange system, affected thousands of organisations worldwide through no fault of their own.
In the aftermath of these exploitations, governments and cyber security firms quickly advised organisations to apply software patches as soon as possible to prevent hackers from invading their networks. Major software and IT solutions providers also patched their software quickly to mitigate the impact of cyber attacks.
These incidents brought to light the fact that the reliance of organisations on third parties for software or hardware solutions also makes them highly vulnerable to cyber attacks that exploit security weaknesses in widely-used products.
Recently, the European Union Agency for Cybersecurity (ENISA) said that supply chain attacks have become a major concern as the chain reaction triggered by one attack on a single supplier can compromise a network of providers. Considering that every major organisation relies on at least one external provider for their needs, is there a solution to this predicament?
ENISA says that supply chain attacks are becoming extremely popular with hackers targeting the suppliers’ code in about 66% of reported incidents and using malware in 62% of reported attacks to compromise supplier networks and devices. Third-party suppliers, especially smaller ones, usually don’t have the resources they need to deploy advanced security solutions and are comparatively more vulnerable to sophisticated hacking attempts.
What this implies is that “an organisation could be vulnerable to a supply chain attack even when its own defences are quite good”, ENISA says, adding that organisations can adequately guard against this threat by increasing their visibility into their suppliers’ security controls and data security practices.
“In order to compromise the targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents. This shows that organisations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated,” the watchdog said.
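One concrete form of the validation ENISA describes is to pin a cryptographic digest for every third-party artifact at the time it is vetted and to refuse any download whose digest no longer matches, the same idea behind pip's `--require-hashes` mode. The following is an added illustration written for this article, not code from ENISA or from the report; the artifact names, the sample contents and the manifest are constructed here so the script runs offline. Note the limit of the technique, which the report itself points to: a matching digest proves the artifact is the one you vetted, not that the supplier's build was clean in the first place.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample artifacts standing in for a vendored library and a build script.
# In a real deployment the pinned digests are recorded when the artifact is first
# reviewed (or taken from the supplier's signed release notes), never recomputed
# from the download being checked.
GOOD_LIB = b"def add(a, b):\n    return a + b\n"
GOOD_TOOL = b"#!/bin/sh\necho build ok\n"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical manifest of pinned digests (names are illustrative, not real packages).
PINNED_MANIFEST: Dict[str, str] = {
    "vendor-lib-1.2.0.tar.gz": sha256_hex(GOOD_LIB),
    "build-tool-3.4.1.sh": sha256_hex(GOOD_TOOL),
}


def verify_artifacts(manifest: Dict[str, str], downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Return a status per artifact name: 'ok', 'tampered', 'missing' or 'unpinned'.

    Every pinned artifact must be present and match; every downloaded artifact
    must have a pin, so nothing that was never reviewed can slip into a build.
    """
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in downloads:
            results[name] = "missing"
            continue
        actual = sha256_hex(downloads[name])
        # Constant-time comparison so the check itself does not leak digest bytes.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for name in downloads:
        if name not in manifest:
            results[name] = "unpinned"
    return results


def all_verified(results: Dict[str, str]) -> bool:
    """True only when every artifact checked out; anything else should fail the build."""
    return bool(results) and all(status == "ok" for status in results.values())


if __name__ == "__main__":
    # Constructed download set: the library is intact, the build script has been
    # altered, and an extra file nobody reviewed has appeared alongside them.
    downloads = {
        "vendor-lib-1.2.0.tar.gz": GOOD_LIB,
        "build-tool-3.4.1.sh": GOOD_TOOL + b"\n# unexpected extra content\n",
        "helper-0.0.1.whl": b"not in the manifest",
    }
    report = verify_artifacts(PINNED_MANIFEST, downloads)
    for name, status in sorted(report.items()):
        print(f"{status:9} {name}")
    print("build may proceed" if all_verified(report) else "build blocked")
```

Run as a pre-build gate: a single `tampered`, `missing` or `unpinned` entry blocks the build, and the pinned manifest itself should live under version control and code review so that changing a digest is a visible, auditable event rather than a silent download.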
Following is a list of recommendations from ENISA for organisations that rely on supply chains:
- Identifying and documenting suppliers and service providers;
- Defining risk criteria for different types of suppliers and services such as supplier & customer dependencies, critical software dependencies, single points of failure;
- Monitoring of supply chain risks and threats;
- Managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components;
- Classifying of assets and information shared with or accessible to suppliers, and defining relevant procedures for accessing and handling them.
According to Tim Mackey, principal security strategist at the Synopsys CyRC, ENISA’s report highlights an important shift in cyber criminals’ tactics – indirectly targeting victims through the software of their trusted third-party suppliers and service providers.
“With businesses becoming increasingly reliant on complex software supply chains, this is an important trend to follow, and one that should be factored into any cyber-risk management plans. The importance of this is underscored in the report which found that 2/3 of the software suppliers were unaware that they’d been compromised.
“Considering the importance of application security practices in most software companies, this lack of awareness points to a gap in process. A gap where threat models likely need revising to account for how software supply chains work and one where an objective review of security initiatives such as the taxonomy maintained by the BSIMM community,” he said.