How to Protect Your Business From Supply Chain Attacks

What Are Supply Chain Attacks?

Every organization is part of a supply chain. Every supplier, manufacturer, vendor, distributor, and service provider adds additional value to the final output. Clearly, no one can survive solely on its own without any third-party partners.

In one way or the other, organizations share certain risks with their supply chain partners. They either directly share access to their data with their partners, or indirectly have their internal IT systems somehow connected to their partners. For instance, a vendor would need direct access to a retailer’s databases to provide direct support to its end customers. Conversely, the vendor would likely use services provided by a third-party platform to build its website. In essence, every additional supply chain partner translates to an additional potential route for intrusion. Hence nobody is entirely safe from supply chain attacks.

A supply chain attack is also called a value chain attack or third-party attack. This is because the attacker poses damage to an organization by attacking another member in its value chain. According to a survey conducted by BlueVoyant, 80% of organizations have suffered a data breach in the past year where the intrusion came from a third party. In fact, it is especially common for attackers to target smaller organizations with weaker security measures to gain access to a larger organization in its value chain.

In this blog, we introduce some of the common routes of supply chain attacks, along with a responding mitigation strategy for each.

 

Common Routes of Supply Chain Attacks and How to Mitigate Them

1) Compromise of Third-Party Software

One of the most common supply chain attacks is when attackers exploit the vulnerabilities of third-party software programs used by the targeted organization. Such attacks are usually conducted before the software gets delivered to the organization, so that the attackers do not need to gain direct access to the organization’s internal network. Once the infected software reaches the organization, the malware that comes with the software would be released to infect other IT systems, allowing the attackers to pose further damage within the organization’s internal network.

The reason that attacks coming through third-party software are so common is because the party in charge of risk management is different from the party at risk. Moreover, since the attackers do not need to gain direct access to the targeted network, the organization itself cannot do much to manage its risks.

Prevention:

Even though third-party software programs are out of an organization’s control, the organization should at least list and track the details of all third-party software programs installed in its network, and make sure that only reputable software from trusted vendors is used.

 

2) Leakage of Login Credentials From Third Parties

Third-party partners are sometimes given the authorization to access an organization’s internal systems. However, there is no way to ensure that third-party partners would keep the login credentials safe. When these login credentials are compromised by malicious actors, they would be able to access sensitive information authorized to the partners. 

Another risk is that a data breach compromising the login credentials of an entirely unrelated third-party could still affect an organization. This is because many users tend to reuse their usernames and passwords across different services. A simple example would be that a data breach that compromised the login credentials of Twitter users would put Facebook accounts at risk too, as these compromised Twitter credentials could be used to launch a credential stuffing attack on Facebook.

Prevention:

To prevent login credentials from being mismanaged by third parties, or to prevent credential stuffing attacks, having a multi-factor authentication procedure for account verification is essential. Penta Security’s ISign+ is an appliance-type multi-factor authentication (MFA) system that allows for single sign-on (SSO), so that access to all business systems can be managed by a single set of credentials, making the authentication process both secure and convenient.

Another point to watch out for is to limit the data accessible by third parties via access management. In other words, an organization should only give third-party partners access to certain necessary materials. ISign+ also provides authorization for access management, making it one of the most comprehensive IAM (identity and access management) solutions available. To learn more about ISign+, click here.

 

3) Web Attacks on Third-Party Applications

Every organization relies on a number of web application services to operate. From website builders like WordPress to ecommerce platforms like Shopify and Magento, third-party web applications are convenient and easy to use. However, almost every web application is prone to vulnerabilities. Attackers can exploit these web vulnerabilities to launch attacks like cross-site scripting (XSS) and SQL injection (SQLi). When successfully conducted, these attacks would allow the attackers to gain access to the database servers, putting sensitive data at risk of damage and exfiltration.

Companies that operate ecommerce sites are especially at risk of web attacks because the customers’ payment card details are attractive targets for criminals. For instance, in September 2020, ecommerce platform Magento experienced a massive hack that affected more than 2,000 businesses using its platform. The attackers exploited a vulnerability to inject malicious scripts inside the platform’s source code to scan and exfiltrate all payment card details entered by the customers during checkout. 

Prevention:

To prevent web attacks, it is indeed essential to update the web apps to their latest versions. But doing so would not protect against zero-day vulnerabilities. Thus, the ultimate answer to protecting sensitive data from web attacks is to invest in a web application firewall (WAF). Penta Security’s WAPPLES is a logical WAF run by a rule-based detection engine, making it much more efficient than traditional signature-based detection systems. With the largest market share in Asia-Pacific, WAPPLES offers the best protection against web attacks that come through third-party applications. For more information on WAPPLES, click here.

 

Managing Supply Chain Risks

As the COVID-19 pandemic continues to keep businesses online, supply chain risks are at an all-time high because more and more businesses are relying on supply chain partners to enable remote access for their employees and customers. Ultimately, the common routes of supply chain attacks listed in this blog provide only a brief guide. It is important for every organization to make a list of their own supply chain risks and secure them with adequate measures accordingly.

 

Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security