To prevent the next big supply chain hack third-party risk managers must learn more about the application security programs of their vendors and their own enterprises.
If you’re following the SolarWinds saga, and who in risk management and security isn’t, you’ve certainly heard the term “supply chain hack” or “supply chain attack.” Although it can also refer to attempts to disrupt physical systems of supply, in the SolarWinds case, a supply chain hack is a cyber-attack that targets vulnerabilities in the information systems supply chain of an organization.
Security experts have for years warned of supply chain hacks. The most sophisticated of these attacks require patience and extraordinary skill, and so are typically perpetrated by advanced persistent threat actors (APTs), i.e., nation states. The SolarWinds attack has been attributed to Cozy Bear, a cyber unit of the Russian security service, SVR.
If these threats have been known for years, what makes SolarWinds so different? First of all is the sheer scale of the attack — the number of targeted organizations is astounding. In the case of SolarWinds, the attack targeted multiple organizations in government and the private sector and affected as many as 18,000 organizations worldwide. Governmental and military organizations in the U.S. and other countries appear to be primary targets. Life sciences firms working on Covid-19 vaccines also appear to have been targeted.
Second, the attack was at the heart of IT infrastructure, the SolarWinds Orion software which manages and monitors organizations’ networks and applications. From there, attackers were able to branch out and create other means of access to business systems and perhaps even to operational systems. There is evidence that many unclassified governmental email systems were compromised, enabling the attackers to monitor the thinking of senior policy makers.
Third, the failure of application security hygiene at SolarWinds left the door open to the very platform that the company uses to develop updates to its Orion software. This enabled attackers to create trojanized Orion updates which in turn SolarWinds distributed to its customers.
While it is very difficult to detect supply chain hacks, not looking for them is not a solution. Furthermore, most enterprises do not have an integrated application security program that cuts across third-party, custom, legacy, mobile, customer-facing, and other applications.
With application security already a low priority in most enterprises, things get worse. In application development teams, it is not uncommon for developers and software engineers to use simple passwords and even shared passwords for the team. Developers habitually focus on reliability and performance of an application with security, at best, a third priority. In many development teams, coordination with IT security professionals is not robust.
At the customer end of the supply chain, the key metric is time to patch. Having a robust patch management system is a valid security measure since many patches include fixes for known vulnerabilities. However, SolarWinds is not the first supply chain hack to take advantage of software updates, for example NotPetya and FLAME, and, in supply chain attacks, focusing on time to patch plays to the benefit of the attackers.
There is another side though to patch management and other information systems and applications management hygiene: Should your enterprise be compromised by a supply chain attack, having updated systems, keeping your systems and applications up to date makes it harder for threat actors to gain access to information or to compromise other systems.
It is up to third-party risk managers to take steps to mitigate the risk of supply chain attacks. With the SolarWinds attack, they should find their IT security colleagues more than willing to collaborate. However, keep in mind that security professionals will also be trying to address the vulnerabilities in your enterprise. They will be looking for new techniques and security solutions to detect highly adept APT hackers that can lay in wait for months before acting. Traditional tools like data leakage protection and network security monitoring are not as effective against APTs that have patience and can cover their tracks.
For third-party risk managers there are three priorities:
Share with Your Friends:
