
Securing Weak Links in Supply Chain Attacks

We’ve all heard the saying, “you’re only as strong as your weakest link.” Whether talking about a tug of war on the playground, a sports team, or a business, this rings as true as ever.

Every business relies on a series of suppliers and vendors—be it the dairy farm supplying milk to the multinational food manufacturer or the payment systems that retailers use. These links form supply chains that every business, large and small, deals with. There is simply no way around it. With an increasingly complex series of vendors and workflows comes increased risk.

What is a supply chain attack?

A supply chain attack is a cyber attack that occurs when a threat actor compromises your system through a third-party partner that has access to your systems and data. Typically, the vendor with the weakest cyber security is targeted.

A survey by Anchore found that 3 out of 5 companies were exposed to a supply chain attack in 2021 due to the global nature of business and the number of different technologies and vendors used.

An attack on your provider affects you too

The last two years have seen a few notable supply chain attacks. In late 2020, SolarWinds, an IT software provider to many U.S. federal government agencies and private sector companies, experienced a security breach. Its IT inventory management product was laced with malware, which led to a further compromise of at least 18,000 of its clients, who found signs of the malware in their systems.

Less than six months later, in May 2021, a major U.S. oil company, Colonial Pipeline, suffered a ransomware cyberattack; bad actors demanded millions in Bitcoin to restore the computerized systems that were compromised by the hackers. It was reported that an employee’s virtual private network (VPN) account that didn’t have multi-factor authentication had been breached, allowing the attackers access to the company’s network. The attackers made away with 100 GB of data and encrypted IT systems, holding them for ransom. Fearing an attack on the operational technology that controls its fuel distribution, the company shut down its entire pipeline system. The company transports about 2.5 million barrels of fuel daily, and this sudden shutdown not only drastically reduced supplies, but news of it also resulted in panic buying that exacerbated fuel shortages. Many sectors rely on fuel, and the impact of this attack was unprecedented.

And if that wasn’t enough, in October 2021, Schreiber Foods, the largest cream cheese manufacturer in the U.S., was disrupted by a ransomware attack that impacted its ability to “receive raw materials, ship product, and produce product.” This is a perfect example of how timing shapes the impact of supply chain events: the attack occurred at the height of the cream cheese season. On top of existing pandemic-driven challenges in manpower and logistics, the attack resulted in price spikes in cream cheese due to low production supply (and the short shelf life of cream cheese) and also had a further-reaching impact on the retail and foodservice sectors.

Domain security as your first line of defense

As the above cases illustrate, breaches due to malware and ransomware were common to these attacks. Research shows that phishing and related malware attacks most commonly originate from a compromised or hijacked legitimate domain name, a maliciously registered and confusingly similar domain name, or email spoofing. A cleverly social-engineered domain name could trick even the most discerning user into clicking on a link that installs malware or ransomware. By employing domain security controls to prevent the abuse of the domain name and domain name system (DNS), companies can reduce the risks of such breaches.

Domain security is a critical component to help mitigate cyberattacks in the early stages—your first line of defense in your organization’s Zero Trust model.
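
As an added illustration (not part of the original post and not a CSC tool), the following sketch shows how a defender might flag "confusingly similar" domain names against a list of domains the organization owns. The protected domains, the confusables map and the function names are assumptions constructed for this example; it goes slightly beyond the text by separating homoglyph, typo and brand-embedding cases.

```python
import unicodedata

# Constructed sample data: domains the organization owns (assumed names).
PROTECTED = ["example-corp.com", "examplepay.com"]

# Illustrative, non-exhaustive confusable substitutions (digits, letter pairs,
# and three Cyrillic letters that render like Latin a, e, o).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o"}

def skeleton(domain: str) -> str:
    """Fold a domain to a comparison form: lowercase, no accents, confusables mapped."""
    d = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, protected=PROTECTED, max_distance=1):
    """Return (verdict, protected_domain) for a newly observed domain name."""
    cand = candidate.lower().rstrip(".")
    if cand in protected:
        return ("owned", cand)
    s = skeleton(cand)
    for p in protected:
        sp = skeleton(p)
        if s == sp:
            return ("homoglyph", p)          # identical after folding look-alikes
        if edit_distance(s, sp) <= max_distance:
            return ("typo", p)               # one keystroke away
        if sp.split(".")[0] in s:
            return ("brand-embedded", p)     # brand label inside another domain
    return ("unrelated", None)

if __name__ == "__main__":
    for name in ["examp1e-corp.com", "exampl-corp.com",
                 "example-corp-login.net", "weather.org"]:
        print(name, classify(name))
```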

Preventing a supply chain attack

All industries are susceptible to a supply chain attack, and there certainly are measures companies can take to mitigate the threat.

  • Know your vendors. First and foremost, audit your supply chain vendors. Choose your vendors carefully, and only use those that are enterprise-class with robust security practices and policies.
  • Control access. Keep track of access to key third-party applications, and limit network access to third-party tools wherever possible. Understand which subcontractors your third-party vendors use, as these could introduce a fourth-party risk.
  • Follow government advisories. The scale and severity of the recent incidents have prompted many government agencies and security firms to release frameworks and best practices to defend against such attacks. Follow the guidelines and ensure your vendors follow them too.
  • Train your employees. According to the Cybersecurity and Infrastructure Security Agency (CISA), most cyberattacks—including ransomware and business email compromise (BEC)—begin with phishing. Train employees on security awareness to reduce this risk.
  • Enhance your domain security posture. Use a Domain Security Checklist based on a defense-in-depth approach to enhance your security posture.

By Vic DeBari, Global Director, Advisory and Engagement at CSC
