We’ve heard a lot about “supply chains” in various industries over the past couple of years, and the cybersecurity sector is no exception. When Colonial Pipeline was compromised by ransomware, it affected the physical supply of gasoline to consumers. On the software side, malware distributed through a SolarWinds update and vulnerabilities discovered in Apache’s Log4j created rippling effects for organizations around the world.
The alarming part of any software supply chain attack is the domino effect it has. To better understand these attacks and how organizations can protect themselves, I invited Vodafone security experts Andy Deacon and Verity Carter-Johnson to the Lookout podcast. In the episode, we defined what a supply chain is, what the intended and unintended consequences of an attack are, and what legal ramifications exist for those who fall victim. To give you a preview, here are a couple of takeaways from our conversation:
What is a software supply chain attack?
At a high level, a software supply chain attack is when a threat actor compromises a piece of software that then trickles down to customers or other software that depends on it.
In the case of SolarWinds, malware was added to one of the company’s product updates, which was then pushed out to its customers and created backdoors in their environments. Log4j, one of the most widely used logging libraries, exposed a vast number of applications, and the companies that run them, when highly exploitable vulnerabilities were found in it.
And because these compromises are indirect results of a breach or vulnerability, the exposure can last for years after the initial event before it is discovered. As Andy mentioned during our conversation, even if you diligently update the software to the patched version, there’s a chance that you have already been breached. Unless you look in the right places or stumble upon indicators of compromise in log files or command lines, it’s nearly impossible to know whether an attacker accessed your infrastructure.
Supply chain attacks can have huge financial ramifications
In the episode, Verity reminded us that it’s no longer enough to know whether you’ve been affected by an attack. There are also significant legal and financial consequences on the line as a result of increased governmental scrutiny over cyber breaches.
For example, in January 2022, to mitigate the effects of Log4j on consumer data, the Federal Trade Commission (FTC) asked affected companies to quickly remediate the vulnerabilities or face severe penalties. Such actions can often take the form of significant fines, as seen in 2019 when Equifax paid $700 million to settle with the FTC.
These consequences can be especially devastating to smaller businesses, which have fewer resources to handle security events and are increasingly caught in the crosshairs of software supply chain attacks. But given that legal fines can be scaled up based on revenue, the financial burden can be a huge issue for any organization regardless of size.
How to protect yourself from supply chain attacks
When it comes to protecting your organization against supply chain attacks, both Verity and Andy agreed that adhering to basic security best practices for your employees, devices and vendors is a good starting point.
Education and dedicated security solutions
Ensure your employees understand how to protect themselves with a couple of simple steps, such as setting passwords with symbols and numbers and turning on multi-factor authentication. In addition, ensure that you have dedicated security solutions in place for all your endpoints. This is especially important since employees are increasingly using unmanaged devices and working from locations you don’t control.
Evaluate security postures of your own organization and third parties
Another important precaution is to evaluate the deals and contracts you have with third parties. Whether it's the software you purchase or the deals you have with large enterprises and government organizations, either could make you an inadvertent target of a supply chain attack.
You also need to evaluate the security posture of your own organization. The National Cyber Security Centre has great resources for small businesses on how to respond to known security vulnerabilities.
I took many more insights from my conversation with Andy and Verity, so please make sure you listen to the episode.
If you would like to learn more about how to monitor connected apps for suspicious activity while also being able to remediate, alert on and revoke access for malicious activity, you should consider the Lookout SASE solution. To get started on your SASE journey, download a complimentary copy of the 2021 Gartner Strategic Roadmap for SASE Convergence.