Supply chain cybersecurity risks continue to cause concern for companies of all sizes in 2023. These risks are more prominent than ever partly because complex IT ecosystems make it hard to maintain visibility over and even define a supply chain. Furthermore, ongoing digital transformation initiatives increase reliance on apps and code from third parties (e.g., open source projects and commercial SaaS apps). This article takes a look at some key supply chain threats worth keeping your eye on along with tips for robust supply chain security in 2023.
Many supply chain attacks originate when threat actors exploit weaknesses in the software supply chain of an organization. A zero-day flaw in the Java logging library Apache Log4j exemplified this risk when it immediately put thousands of companies that used the library at major risk of a breach.
Supply chain threats take various forms, but open source risks are on the rise as more companies depend on ready-made open source functionality to keep fast-paced development projects moving. The threat may come from malicious or insecure code concealed in widely used open source libraries and frameworks, or from inadequate security practices in the projects themselves; either way, it is crucial to be aware of it. Communicate to developers the importance of adequately vetting the open source projects they choose.
A vital cog in today’s seamless application ecosystem is the set of application programming interfaces (APIs) that companies use to let different apps talk to each other. Many companies rely on these APIs, whether they belong to payment processing systems tied to their websites or to other crucial apps on which key business activities depend.
APIs are also prone to security risks, and these risks represent a supply chain threat when APIs developed by other companies give hackers an opportunity to attack your business or access your data. One survey from 2022 found 41 percent of organizations suffered API incidents in the previous 12 months.
Outside of cybersecurity, island hopping is a fun way to spend a vacation. In cybersecurity, the term has a more sinister meaning and describes a type of supply chain threat. In an island hopping attack, the adversary targets vulnerable third-party and fourth-party partners in order to get around the cyber defenses of an often larger target company.
The distinguishing feature of island hopping is how adversaries jump between multiple links in the supply chain until they are able to compromise their target. These types of attacks exploit the complex, interwoven nature of digital supply chains.
The trusted relationships between businesses and their various partners and suppliers are also targets for threat actors. Exploiting this trust with the objective of committing fraud is a time-worn tactic, but it’s not going away any time soon. In fact, as social engineering tactics become more refined and more precisely targeted at specific individuals, this threat may worsen.
Spear phishing tactics are particularly effective at exploiting supply chain relationships. Attackers can spoof the domains of business suppliers or register lookalike domains that differ from the genuine one by only a slight misspelling. The threat actor then sends emails purporting to be from the supplier, requesting payment to a bank account under the attacker’s control. Physical security risks also play a role in fraud: someone impersonating a trusted supplier can trick employees into allowing unauthorized personnel onto your premises.
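The lookalike-domain trick described above is something a mail gateway or SOC rule can catch before a payment-change request reaches finance. The following is an added example, not code from the article: it compares the sender's domain against a constructed allow-list of supplier domains, folds common character substitutions (digit 5 for s, "rn" for m, and so on), and flags anything within a small edit distance of a real supplier. The supplier names, sample senders, confusable table and threshold are all constructed for illustration.

```python
"""Flag sender domains that resemble, but are not, a trusted supplier domain.

Added example; the supplier list, sample senders, confusable map and the
edit-distance threshold are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed allow-list: the supplier domains the accounts-payable team really deals with.
TRUSTED_SUPPLIER_DOMAINS = {"acme-parts.example", "northwind-logistics.example"}

# Character substitutions often seen in lookalike registrations (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample senders, as they might appear in a mail log.
SAMPLE_SENDERS = [
    "invoices@acme-parts.example",          # legitimate supplier
    "invoices@acme-part5.example",          # digit 5 substituted for s
    "billing@acrne-parts.example",          # "rn" substituted for m
    "ap@northwind-logistic.example",        # one letter dropped
    "newsletter@unrelated-vendor.example",  # not a supplier, not a lookalike
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case and fold confusable characters so 'acme-part5.example'
    compares equal to 'acme-parts.example'."""
    d = domain.lower().strip()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


@dataclass
class Verdict:
    sender_domain: str
    closest_supplier: Optional[str]
    distance: int
    flagged: bool
    reason: str


def assess_sender(sender: str, trusted: Iterable[str] = TRUSTED_SUPPLIER_DOMAINS,
                  max_distance: int = 2) -> Verdict:
    """Return a verdict for one sender address.

    An exact match is trusted; anything that merely resembles a supplier domain
    after confusable folding, within max_distance edits, is flagged for review.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    trusted = set(trusted)
    if domain in trusted:
        return Verdict(domain, domain, 0, False, "exact match to trusted supplier")
    folded = normalise(domain)
    best, best_dist = None, -1
    for candidate in trusted:
        dist = levenshtein(folded, normalise(candidate))
        if best is None or dist < best_dist:
            best, best_dist = candidate, dist
    if best is not None and best_dist <= max_distance:
        return Verdict(domain, best, best_dist, True,
                       f"lookalike of {best} (edit distance {best_dist} after folding)")
    return Verdict(domain, best, best_dist, False, "no resemblance to any trusted supplier")


def scan_senders(senders: Iterable[str]) -> List[Verdict]:
    """Assess a batch of sender addresses, e.g. pulled from a day's mail log."""
    return [assess_sender(s) for s in senders]


if __name__ == "__main__":
    for verdict in scan_senders(SAMPLE_SENDERS):
        marker = "FLAG" if verdict.flagged else " ok "
        print(f"[{marker}] {verdict.sender_domain:32} {verdict.reason}")
```

This catches registered lookalikes only. A message that forges the supplier's real domain in the From header passes the exact-match check, which is why the check belongs alongside SPF, DKIM and DMARC enforcement at the gateway rather than in place of them, and why a payment-detail change should still be confirmed with the supplier over a known phone number.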
Conduct third-party risk assessments
Analyzing the risk posed by a company’s third-party relationships throughout the entire supply chain, including suppliers, vendors and service providers, is known as a third-party risk assessment. This practice is a crucial aspect of a broader set of third-party risk management procedures, and analyzing cybersecurity risks should play a central role in the assessment.
Any vendor should be able to provide you with honest answers to assessment questions that help you gauge how seriously they take security. Re-assess all vendors and partners every year or two. Leverage ready-made questionnaires to help you out, such as the Consensus Assessments Initiative Questionnaire (CAIQ) and the Standardized Information Gathering (SIG) Questionnaire.
Educate employees about supply chain social engineering attacks
Supply chain social engineering attacks exploit the trust employees place in their suppliers or vendors to infiltrate a company’s network or gain access to sensitive information. It therefore makes sense to focus on ongoing education and awareness to reduce the risk of fraud and other harmful outcomes. By educating your employees about the risks associated with these attacks, you can help them better recognize and prevent suspicious activity.
Furthermore, when employees understand the importance of cybersecurity and their role in protecting sensitive information, they are more likely to take precautions to safeguard data and prevent attacks. Of particular value are specific training materials that focus on supply chain social engineering. Complement standard video or text learning with social engineering simulations that emulate real-world attacks.
Implement a software bill of materials (SBOM)
A software bill of materials (SBOM) is a detailed inventory of all the components that make up a piece of software. It lists everything from open source libraries to proprietary code, providing transparency and visibility into the entire software supply chain. Having an SBOM is critical for supply chain security because it lets you identify vulnerabilities, track changes and monitor updates, ensuring that all software components are up to date and secure.
An SBOM also allows you to quickly respond to security incidents by identifying which software components are affected by vulnerabilities and taking appropriate action. A 2021 Executive Order by the Biden Administration specifically called for enhancing software supply chain security; an SBOM is a good candidate for this because of the transparency it brings.
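To make the "which components are affected" step concrete, here is an added example that is not from the article: it walks a small, constructed CycloneDX-style SBOM (including a transitive dependency nested under a framework), matches each component against a constructed advisory list, and reports which components fall inside an affected version range. The component names, versions, advisory identifiers (placeholders) and ranges are all made up for illustration; a real run would read the SBOM your build produces and pull ranges from a vulnerability feed.

```python
"""Match SBOM components against vulnerability advisories.

Added example. The SBOM document, the component names/versions and the
advisory records below are constructed; the advisory ids are placeholders.
"""
import json
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed minimal CycloneDX-style SBOM. 'example-logging-lib' is a transitive
# dependency, pulled in by 'example-web-framework', so it is nested.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-web-framework", "version": "5.2.0",
     "components": [
       {"type": "library", "name": "example-logging-lib", "version": "2.14.1"}
     ]},
    {"type": "library", "name": "example-json-parser", "version": "1.4.2"},
    {"type": "library", "name": "example-http-client", "version": "3.1.0"},
    {"type": "library", "name": "example-crypto", "version": "4.0.0"}
  ]
}
"""

# Constructed advisory feed: affected if introduced <= version < fixed (fixed None = no fix yet).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "example-logging-lib", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "example-json-parser", "introduced": "0.0.0", "fixed": "1.4.2"},
    {"id": "ADVISORY-PLACEHOLDER-3", "name": "example-http-client", "introduced": "3.0.0", "fixed": None},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1). Pre-release and build suffixes
    ('1.2.3-rc1', '1.2.3+abc') are dropped for simplicity."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def walk_components(components: List[dict], path: Tuple[str, ...] = ()) -> Iterator[Tuple[dict, Tuple[str, ...]]]:
    """Yield every component with its dependency path, recursing into nested components."""
    for comp in components:
        here = path + (comp["name"],)
        yield comp, here
        yield from walk_components(comp.get("components", []), here)


def find_affected(sbom_json: str, advisories: List[dict]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per (component, advisory) pair whose version is in range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp, path in walk_components(sbom.get("components", [])):
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "name": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed": adv["fixed"],
                    "path": " -> ".join(path),
                })
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        action = f"upgrade to {f['fixed']}" if f["fixed"] else "no fixed version yet: mitigate or isolate"
        print(f"{f['advisory']}: {f['name']} {f['version']} via {f['path']} ({action})")
```

The nested walk is the part that matters for incident response: the vulnerable logging library never appears in the application's own manifest, only as a dependency of the framework, and without the SBOM's transitive view it is easy to answer "we don't use that library" incorrectly.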
Create an open source security policy
If, like many companies, you want to benefit from ready-made functionality in open source libraries and frameworks for your app development projects, create an open source security policy for developers. This policy should outline the risks of open source code and instruct anyone involved with development on how to minimize those risks.
One important practice is to verify the authenticity and integrity of all software components and dependencies before integrating them into your codebase. Also, ensure developers use reputable sources for software components and dependencies and only download code from trusted repositories.
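The "verify authenticity and integrity" rule is only enforceable if the policy says how. A common, checkable form is a lockfile that pins each dependency to a download location and a SHA-256 digest recorded when the dependency was first vetted, with the build refusing anything that fails the check. The example below is added here and is not the article's code: it runs that check over constructed lockfile entries and constructed in-memory artifact bytes, covering the three ways a dependency can fail (untrusted host, no pinned hash, digest mismatch). The host names, package names, URLs and artifact contents are all made up; a real build would read its package manager's lockfile and the files it actually downloaded.

```python
"""Verify downloaded dependencies against a hash-pinned lockfile and a host allow-list.

Added example. The trusted host, lockfile entries, URLs and artifact bytes are
constructed for illustration; the pins are computed from the 'vetted' bytes
to stand in for digests recorded when each dependency was first reviewed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional
from urllib.parse import urlparse

# Constructed allow-list: the only host a build is permitted to fetch artifacts from.
TRUSTED_HOSTS = {"mirror.internal.example"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Bytes of each artifact as they were when the dependency was vetted (constructed).
VETTED = {
    "example-lib-a": b"example-lib-a 1.0.0 source archive",
    "example-lib-b": b"example-lib-b 2.3.0 source archive",
    "example-lib-c": b"example-lib-c 0.9.0 source archive",
}

# Constructed lockfile: URL plus the digest recorded at vetting time (None = never pinned).
LOCKFILE: Dict[str, Dict[str, Optional[str]]] = {
    "example-lib-a": {"url": "https://mirror.internal.example/example-lib-a-1.0.0.tar.gz",
                      "sha256": sha256_hex(VETTED["example-lib-a"])},
    "example-lib-b": {"url": "https://mirror.internal.example/example-lib-b-2.3.0.tar.gz",
                      "sha256": sha256_hex(VETTED["example-lib-b"])},
    "example-lib-c": {"url": "https://downloads.untrusted-host.example/example-lib-c-0.9.0.tar.gz",
                      "sha256": sha256_hex(VETTED["example-lib-c"])},
    "example-lib-d": {"url": "https://mirror.internal.example/example-lib-d-1.1.0.tar.gz",
                      "sha256": None},
}

# What the build actually downloaded this time (constructed): lib-b has been altered.
DOWNLOADED = {
    "example-lib-a": VETTED["example-lib-a"],
    "example-lib-b": b"example-lib-b 2.3.0 source archive WITH UNEXPECTED CHANGES",
    "example-lib-c": VETTED["example-lib-c"],
    "example-lib-d": b"example-lib-d 1.1.0 source archive",
}


@dataclass
class CheckResult:
    name: str
    ok: bool
    reason: str


def verify_dependency(name: str, entry: Dict[str, Optional[str]], data: bytes,
                      trusted_hosts: Iterable[str] = TRUSTED_HOSTS) -> CheckResult:
    """Apply the policy to one dependency: trusted host, then pin present, then digest match."""
    host = urlparse(entry["url"] or "").hostname
    if host not in set(trusted_hosts):
        return CheckResult(name, False, f"untrusted source host {host}")
    pinned = entry.get("sha256")
    if not pinned:
        return CheckResult(name, False, "no hash pinned in lockfile")
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(sha256_hex(data), pinned):
        return CheckResult(name, False, "sha256 mismatch: artifact differs from the vetted version")
    return CheckResult(name, True, "digest matches pin, fetched from trusted host")


def verify_all(lockfile: Dict[str, Dict[str, Optional[str]]], downloaded: Dict[str, bytes],
               trusted_hosts: Iterable[str] = TRUSTED_HOSTS) -> Dict[str, CheckResult]:
    """Check every lockfile entry; a missing download is a failure, not a skip."""
    results: Dict[str, CheckResult] = {}
    for name, entry in lockfile.items():
        if name not in downloaded:
            results[name] = CheckResult(name, False, "artifact not downloaded")
            continue
        results[name] = verify_dependency(name, entry, downloaded[name], trusted_hosts)
    return results


def build_may_proceed(results: Dict[str, CheckResult]) -> bool:
    """The policy is fail-closed: one bad dependency blocks the build."""
    return all(r.ok for r in results.values())


if __name__ == "__main__":
    outcome = verify_all(LOCKFILE, DOWNLOADED)
    for r in outcome.values():
        print(f"[{'ok' if r.ok else 'FAIL'}] {r.name}: {r.reason}")
    print("build may proceed:", build_may_proceed(outcome))
```

The order of checks is deliberate: a matching digest from an untrusted host is still rejected, because the policy's point is that developers fetch only from repositories the organization has approved, and an unpinned entry is rejected rather than silently trusted on first use.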
Identify fourth-party vendors
When it comes to securing your supply chain, the further up you go, the less you can see. This can be a problem if your organization is at risk of ransomware attacks or security breaches. By gaining visibility into your entire vendor ecosystem, you can identify potential risks associated with your data. However, obtaining this information can be time-consuming and the information quickly becomes outdated.
To address this challenge, consider using a third-party assessment platform to develop comprehensive vendor profiles that include critical information such as location, fourth parties (or in plainer terms, your vendors’ vendors) and deployed technologies. This information can be supplemented with data from external supplier perimeter scanning to create a relationship map and reduce the risk of becoming a victim of an island hopping attack. With this approach, you can be better prepared for potential security incidents reminiscent of the SolarWinds breach.
Awareness of key security threats and best practices will help bolster your supply chain security in 2023 and beyond. Another difficulty with supply chain security is that internal security staff are so consumed with putting out other fires that these specific best practices easily get neglected.
Outside help via managed security services can offer many benefits for enhancing the security of your supply chain. One key advantage is the expertise and resources that a managed security services provider can bring to the table in detecting and thwarting threats with teams of highly skilled security professionals. With their in-depth knowledge and experience, outside security experts can assess the risks associated with different components of your supply chain and implement effective security measures to protect against attacks.