What Do You Really Know About The
Security Posture Of Your Digital Ecosystem?
See the risks you’re exposed to with a vulnerability assessment.
The concept of a Supply Chain, which has spanned the history of business, has entered the digital era. The consequence is that this vital component of product and service delivery has become the target of cybercriminals and threat actors. Below, we discuss physical, software, and digital supply chains, and how they can all be exploited and attacked.
The Analog, or Physical, Supply Chain has a long history in the business operations space. It involves the series of raw materials and processes that are incorporated to create a final, physical product that is delivered to a point of purchase. Often those materials and processes are provided by a supplier or vendor and then assembled or finished by the final retailer. While the Physical Supply Chain has its own cybersecurity challenges, which could lead to disruption of businesses and their operations, the focus of this blog is to draw a distinction between the Software Supply Chain and the Digital Supply Chain, and the inherent vulnerabilities in each that could lead to a cyber-attack.
Modern software is now built using the principles of the Physical Supply Chain as a template. Software is assembled from ready-made components from a variety of suppliers: proprietary code, open source components, and third-party APIs. No single developer can build a modern application on their own, and software reuse (the Software Supply Chain) is now a standard practice.
This reuse of code simplifies and accelerates application development, but it also creates some very serious security problems – for example, a single compromised off-the-shelf component can leave countless organizations that use the application vulnerable to attack. The concept of software supply chain attacks has been around for some time, but due to recent events, many CISOs are only now becoming aware of the gravity of the threat, especially to enterprise applications. Recent incidents that have gained national attention include SolarWinds, Mimecast, and ASUS, and the victims of these attacks include governments and global businesses. In these incidents, attackers managed to inject a malicious segment of code into the trusted and signed build of the application. To prevent these types of attacks, security organizations have to be able to answer the question of what code they are dependent on for every piece of software in their business, be it commercial, open source, free, firmware, cloud or mobile, and they have to implement processes to ensure this software is kept up to date and patched to the latest versions.
A Digital Supply Chain Attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. In the case of a web application or service, all of the third-party code reaches the user’s browser without security oversight by the enterprise, because it is delivered directly from third-party servers. A compromise of any of these third parties would potentially give attackers the ability to capture all of the information visible or accessible via the browser. A common example is the Magecart attacks, in which a group of threat actors was able to install credit card skimming code in commonly used third-party web components. Another complication is the fact that the enterprise does not always have a direct business relationship with the provider of the code or infrastructure – this dramatically limits its oversight of, and influence on, the security of these ‘Nth’-party vendors. Threat actors know that it is easier to find and exploit a vulnerability somewhere deep within the digital supply chain than to attack the enterprise head-on. The result is that Digital Supply Chains are now the fastest-growing attack surface for most enterprises, and by some estimates, 50-60% of all cyber attacks are now being perpetrated via these third parties.