Why supply chain security blind spots put enterprises at risk [Q&A]
Many recent cyberattacks have focused on the software supply chain, with SolarWinds being perhaps the most high-profile example.
Businesses often have a blind spot when it comes to the supply chain, and this can have catastrophic consequences. We spoke to Todd Carroll, CISO of CybelAngel, to learn more about the problem and what companies can do to keep themselves safe.
BN: What impact can open databases have on a business's security stance?
TC: The mass migration to the cloud in recent years has resulted in thousands of open databases -- those that do not require passwords to access. Unfortunately, hackers are often more aware of the vulnerabilities in these databases and repeatedly use them as a route into the wider network, which can leave huge gaps in a business's security.
Criminals work hard and fast, exploiting any opportunity made available to them. An experiment demonstrated the severity of this issue: a researcher created an unsecured database to measure criminal activity. In a mere 11 days, the database was attacked 175 times.
Using techniques such as stolen credentials, hackers can extract information to then sell on the Dark Web or use to demand a ransom. Either way, the primary and secondary impacts on the business can be devastating. To put this into numbers, the cost of a breach involving 50 million compromised records sky-rocketed to $392 million in 2020. Not only could organizations face huge financial and data loss, but their reputation also takes a hit.
These databases are often unintentionally created, usually because teams forget about them, or new ones are created without the wider team knowing about it. Unfortunately, even if they did know about them, it could take months for security teams to successfully patch each open database, which is time they generally do not have. During the time spent patching, the databases remain vulnerable to attacks.
Open databases have also become targets for 'Meow' attacks -- when criminals target exposed databases and wipe them out without notice or even demanding a ransom. Whatever the reason for this form of attack may be, they leave businesses in desperate positions where they're unable to identify the origins of the breach and therefore remain vulnerable to future attacks.
BN: What risks do third party service providers pose to businesses, and how has this changed since COVID?
TC: It is easy to focus predominantly on our own cyber defenses and forget about other significant threats to our security -- including third party service providers. Supply chains are often discovered to be the weakest link in a business's security plan, supported by the fact that half of businesses have experienced a data breach through a third party.
In early August, the European Union Agency for Cybersecurity (ENISA) reported that it anticipates supply chain attacks to get worse and that, from its own analysis of recent attacks, in about 66 percent of reported incidents the attackers focused on suppliers' code.
As the SolarWinds attack back in January demonstrated, the scale of a breach through the supply chain can soon escalate, even reaching the echelons of US Government agencies. In this case, the malware which spread using the company's Orion products left around 18,000 customers vulnerable to hackers. One of the main concerns among businesses was finding out if they had consequently been breached, as a stealthy attack can remain undetected for weeks or even months. DomainTools conducted a survey shortly after the breach, and at the time of completion, 60 percent of global security professionals were still trying to figure out if they had been breached.
Security rating companies can audit third-party security before they are integrated into the supply chain. Beyond that, risk management solutions are critical for maintaining the security around the entire supply chain.
BN: Are there any vulnerable areas of the supply chain that businesses may be unaware of?
TC: The most dangerous weak points of an organization's network are those that often pass under the radar. Backup storage media is a prime example. As part of business disaster recovery plans, backup storage media are usually automated and easily forgotten. The fact that they are often unmonitored, and therefore unprotected, means they become easy access points for hackers. To make matters worse, their storage purpose means they tend to be shared around departments with unrestricted access.
As with most forms of cybersecurity, protecting backup storage is not a complicated process if businesses dedicate the necessary time and resources to carry out regular check-ups and maintenance. If the issue is ignored for too long, then the task of backtracking and securing each backup storage becomes far more challenging. An American supermarket chain suffered the consequences of unprotected backup storage when it suffered a leak, caused by a third-party vendor who left a shared cloud backup storage account with unrestricted access. Huge quantities of data were compromised, including names, physical addresses and email addresses.
BN: What can businesses do to overcome these blind spots in their supply chain?
TC: When it comes to ensuring your entire supply chain is secure, it's important to have visibility over all the potential weak points. Even the most technologically advanced and cyber security savvy businesses are still vulnerable to attacks, so organizations should never let their guard down.
Data monitoring solutions are key for identifying and managing open databases and forgotten backup storage media to avoid them slipping under the radar and granting hackers free access to the network. All members of a supply chain have the responsibility of maintaining their own security, for the sake of their safety and that of other organizations in the chain. Failing to assess the security risks posed by suppliers, partners or contractors which have access to your network and solely focusing on your own security could be the undoing of your efforts. Instead, companies in the supply chain should work together to identify any vulnerabilities or data leaks before attackers do -- it's all about staying ahead of the game.