For the past few decades, globalisation has been the norm, with integrated supply chains across continents facilitating the delivery of products and services. Governments and enterprises have spent years finetuning the kinks to ensure that supply chains are cost- and time-optimal. The driving philosophy in some was “A chain is no stronger than its weakest link”, the quote which first appeared in an essay by Scottish philosopher Thomas Reid in 1786.
While the quote is a good two hundred-plus years old, its relevance today is high because of a global economy mired in rising nationalistic fervour, geopolitical instability, post-COVID disturbances, and financial turmoil. Companies have been forced to rework their physical supply chains in response to these global uncertainties. However, there is a blind spot regarding potential vulnerabilities in the technologies companies have developed and implemented.
The genesis
Digital initiatives are integral to how governments, enterprises, and citizens operate today. Every industry legacy or new age seems to have a “tech” add-on next to it, e.g., edtech, govtech, agritech, fintech, etc. These technology transformations combine hardware, software, appliances, and services provided by players big and small from around the world. To add to the complexity, they are procured and managed independently by various parts of the organisation, resulting in a heterogeneous and often unaccounted footprint.
The challenge
According to a report by IBM in 2021, one in every five successful attacks was linked to a supply chain vulnerability, and it takes 26 days more than the average to identify and contain such attacks. Take a look at the following well-publicized cases;
SolarWinds: In December 2020, hackers gained access to SolarWinds infrastructure and injected malicious code into software update binaries. Over 18,000 customers automatically pulled these updates, creating backdoors into their systems and allowing bad actors to exploit private networks. Some high-profile impacted customers were Microsoft, Malwarebytes, FireEye, the US government, etc.
Kaseya: In July 2021, a ransomware group discovered and exploited a zero-day vulnerability in Kaseya, the favoured remote monitoring and management platform used by dozens of managed security providers (MSP). These MSPs, in turn, service thousands of downstream customers, creating a cascading effect of potential victims.
AMD: In October 2021, the flaw in the driver for AMD Platform Security Processor (PSP) could leave systems vulnerable by allowing attackers to steal encryption keys, passwords, or other data from memory.
Apache Log4j: December 2021, a critical zero-day in an immensely popular logging framework was disclosed along with public proof of concept. Attackers pushed malware on vulnerable servers by mass exploiting the flaw.
Victure Baby Monitor: In September 2021, several zero-day vulnerabilities in a home baby monitor were identified, which could be exploited to allow hackers access to the camera feed and plant unauthorised code, such as malware.
Wipro: In April 2019, the company’s systems were seen being used “as jumping-off points for digital phishing expeditions” targeting at least a dozen company’s clients.So you get the drift — be it application software, platforms, hardware, chipsets, or service providers, attackers are targeting them to create a much broader impact and potentially reach hundreds, if not thousands, of companies.
What can be done?
“What you don’t know can’t hurt you” may have been the oft-quoted remedy to not worrying about unknown problems. However, the unknown technology footprint can create significant headaches for the organisation. One needs to live by the new maxim: “What you don’t know can hurt you.”
At an organisational level, it is crucial to understand not only your third parties but also the technologies they have deployed and the underlying platforms, and hardware they use. A classic case of this was the Apache Log4J vulnerability, as most companies were unaware of their provider systems and whether they were using Log4J as part of their product. Some of the best practices that one could look at for managing supply chain risks are:
A comprehensive inventory of all assets not only within the realm of the CIOs' organisation, but any shadow IT, — business applications bought by sales, marketing, quality, or shopfloor environments for industrial IoT and safety.
Identify known third-party risks, on an ongoing basis, for not only the primary technology but the underlying platform or hardware used by the provider and plan to remediate them. Often this leads to technology upgrade which has cost elements or product support issues; in such cases, near-term mitigating controls will need to be identified.
A process needs to be put in place for a periodic audit of third-party systems toidentify vulnerabilities, along with a detailed source code review for gaps. Insisting on the provider to offer the same as part of the procurement process will address the heartburn later.While the above points pertain primarily to how one interacts with third-party providers, there are a few things that one can look at doing from a hygiene perspective.
Limit the number of privileged accounts: Most attackers go after these accounts to carry out significant damage. rReducing them will reduce the overall attack surface.
Reduce access to sensitive data: Treat sensitive data as your crown jewel. Access to them should be restricted to a select few, and the access requests (successful/ unsuccessful) should be monitored, including geofencing.
Third-party vendor access: Tight control on third-party employees/contractors in terms of what they have access to, including their life cycle, needs to be implemented.
Control shadow IT purchases: Any technology system that is being purchased should go through a standard security check and be included in the overall tracking inventory to avoid surprises.In summary
In this technology-enabled connected world, the most significant risk and the weakest link stems from that one small piece of hardware or software in a remote corner with a chance of bringing the company to a standstill. It is high time that organizations and security professionals focus on this blind spot and find a way to stay abreast of risks and mitigate them.
— The author, Pankit Desai, is CEO & Co-Founder of cybersecurity startup Sequretek.
