NEW FROM CSX
Are Cybercriminals Playing Leapfrog in Your Supply Chain?
By Ed Cabrera, CISA, CISSP
The Nexus | 13 June 2016
For more than 20 years, the latest technology advancements, globalization and the invention of the Internet have transformed business practices and efficiency—with supply chain management receiving substantial benefits. However, because of the interconnectivity that now exists, cybercriminals and their use of the Deep and Dark Web have also reaped the rewards. The sophistication levels of attacks and the hefty amount of data stolen continue to increase each year, regardless of motivation.
As businesses across all industries turn to highly networked and outsourced supply chain models, they are dramatically growing their attack surface, giving cybercriminals leverage and new avenues of compromise. Current supply chains are extremely dependent and complex, with simple supply chain risk management (SCRM) strategies falling short of comprehensive security, as seen with attacks on businesses and government entities seemingly becoming a norm.
With this, cybercriminals are finding new ways to target larger organizations by infiltrating third-party vendors who potentially have less security obstacles, allowing threat actors to “island hop,” also known as “leapfrogging,” from system to system to expose sensitive information and manipulate operational supply chains. Attackers typically use this method to gain access to their primary targets by leveraging access through third-party vendors, or by targeting a separate portion of a business and moving laterally within their target’s network.
As businesses across all industries turn to highly networked and outsourced supply chain models, they are dramatically growing their attack surface, giving cybercriminals leverage and new avenues of compromise.
The most notable supply chain attacks include the Target and Home Depot breaches, which highlight third-party access risk to enterprise infrastructure networks. Additionally, the US Office of Personnel Management (OPM) breach, in which more than 22 million employee data records were compromised, shows how threat actors breached the OPM’s information supply chain by island hopping through a third-party contractor’s credentials.
As of 2015, information and operational supply chain attacks increased significantly within all industries and sectors. This rise illustrates how threat actors are honing in on techniques such as island hopping and enhancing the sophistication level of their attacks against vulnerable links in the supply chain.
While the onslaught of cyberattacks increases, IT and security professionals within organizations need to begin addressing any risk posed by third-party vendors immediately by first looking at the security surrounding their data centers—the most important and core element of any system. Essentially, start from the inside and work outward to help ensure that sensitive information is secure. When on vacation, individuals do not leave valuables laying around a hotel room. They lock away prized heirlooms or jewelry in a fireproof safe. Then, they sharpen their efforts on the outer perimeter by locking their doors. Organizations must protect their data centers and then work outward to their networks and endpoints to ensure that the next layer of security is operational and successful in catching any initial attacks. By doing so, organizations can better protect their stored data even if their other safeguards fail.
In addition, some SCRM experts are starting to implement the concept of “supply chain resiliency.” This concept surpasses the need to manage all supply chain risk and includes how entities prepare and recover from any attack. To manage these risk factors, companies need to develop or improve their third-party risk management program. This includes the following 5 crucial steps:
- Organize third-party vendors with their internal counterpart (human resources, IT, legal and procurement).
- Categorize and rank third-party vendors based on risk.
- Assess third-party vendors’ security procedures.
- Set security expectations with third-party vendors through contract and contact.
- Constantly monitor crucial third-party performance and security
To protect your company from external threats, focus needs to be placed on the security of the whole supply chain. Managing all of the possible risk factors to the supply chain is critical, but it is just as important to proactively think of supply chain resiliency methods to understand how third-party vendors will handle and recover from potential attacks. As the classic cybersecurity saying goes, it is not if you will be part of an attack, but when. And the attack may come through a reliable, third-party vendor.
Ed Cabrera, CISA, CISSP
Is the vice president, Cybersecurity Strategy at Trend Micro and responsible for analyzing emerging cyberthreats to develop innovative and resilient enterprise risk management strategies for Fortune 500 clients and strategic partners. Previously, he served as the chief information security officer of the US Secret Service with experience leading information security as well as cyberinvestigative and protective programs.