Supply Chain Attack

Software and services supply chain security risks are replacing the traditional threat vectors.

Uploaded by peedee
Supply chain attack: a potential blind spot

For the past few decades, globalization has been the norm, with integrated supply chains
across continents facilitating the delivery of products and services. Governments and
enterprises have spent years ironing out the kinks to ensure that supply chains are cost and
time optimal. The driving philosophy for some was “A chain is no stronger than its weakest
link,” a quote which first appeared in an essay by the Scottish philosopher Thomas Reid in
1786.

While the quote is a good two hundred-plus years old, its relevance today is high because of
a global economy mired in rising nationalistic fervor, geopolitical instability, post-COVID
disturbances, and financial turmoil. Companies have been forced to rework their physical
supply chains in response to these global uncertainties. However, there is a blind spot
regarding potential vulnerabilities in the technologies companies have developed and
implemented.

The genesis

Digital initiatives are integral to how governments, enterprises, and citizens operate today.
Every industry, legacy or new age, seems to have a “tech” add-on next to it, e.g., ed-tech,
gov-tech, agri-tech, fin-tech, etc. These technology transformations combine hardware,
software, appliances, and services provided by players big and small from around the world.
To add to the complexity, they are procured and managed independently by various parts of
the organization, resulting in a heterogeneous and often unaccounted-for footprint.

The challenge

According to the latest report by IBM, in 2021, one in every five successful attacks was
linked to a supply chain vulnerability, and it takes 26 more days than average to identify and
contain such attacks. Take a look at the following well-publicized cases:

- SolarWinds: In December 2020, hackers gained access to SolarWinds infrastructure
  and injected malicious code into software update binaries. Over 18,000 customers
  automatically pulled these updates, creating backdoors into their systems and
  allowing bad actors to exploit private networks. Some high-profile impacted
  customers were Microsoft, Malwarebytes, FireEye, the US government, etc.
- Kaseya: In July 2021, a ransomware group discovered and exploited a zero-day
  vulnerability in Kaseya, the favored remote monitoring and management platform
  used by dozens of managed security providers (MSP). These MSPs, in turn, service
  thousands of downstream customers, creating a cascading effect of potential
  victims.
- AMD: In October 2021, a flaw in the driver for the AMD Platform Security Processor
  (PSP) could leave systems vulnerable by allowing attackers to steal encryption keys,
  passwords, or other data from memory.
- Apache Log4j: In December 2021, a critical zero-day in an immensely popular logging
  framework was disclosed along with a public proof of concept. Attackers began mass
  exploitation of the flaw to push malware onto vulnerable servers.
- Victure home baby monitor: In September 2021, several zero-day vulnerabilities in a
  home baby monitor were identified, which could be exploited to allow hackers
  access to the camera feed and to plant unauthorized code such as malware.
- Wipro: In April 2019, the company’s systems were seen being used “as jumping-off
  points for digital phishing expeditions targeting at least a dozen of the company’s clients.”

So you get the drift: be it application software, platforms, hardware, chipsets, or service
providers, attackers are targeting them to create a much broader impact and potentially
reach hundreds, if not thousands, of companies.

What can be done?

“What you don’t know can’t hurt you” may have been the oft-quoted excuse for not
worrying about unknown problems. However, an unknown technology footprint can create
significant headaches for the organization. One needs to live by the new maxim: “what you
don’t know can hurt you.”

At an organizational level, it is crucial to understand not only your third parties but also the
technologies they have deployed and the underlying platforms, software, and hardware
they use. A classic case of this was the Apache Log4j vulnerability, as most companies were
unaware of their providers’ systems and whether they were using Log4j as part of their
product. Some of the best practices that one could look at for managing supply chain risks
are:

- A comprehensive inventory of all assets, not only within the realm of the CIO’s
  organization but also any shadow IT, i.e., business applications bought by sales,
  marketing, quality, or shopfloor environments for industrial IoT and safety.
- Identify known third-party risks, on an ongoing basis, not only for the primary
  technology but also for the underlying platform or hardware used by the provider, and plan
  to remediate them. Often this leads to a technology upgrade, which has cost elements
  or product support issues; in such cases, near-term mitigating controls will need to
  be identified.
- A process needs to be put in place for a periodic audit of your third-party systems to
  identify vulnerabilities, along with a detailed source code review for
  gaps. Insisting that the provider offer this as part of the procurement process
  will avoid the heartburn later.
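The inventory and third-party-risk points above come down to one question: for every product a vendor has sold you, which underlying components does it ship, and do any of them fall inside a known-affected version range? The following is an added example, not code from the article or from any vendor named in it. It takes an SBOM-style list of third-party products (with the business unit that bought each one, so shadow IT purchases are visible) and a list of advisories with affected version ranges, and reports which products are exposed. All vendor names, products, owners and advisory ranges are constructed sample data; the version-range logic is the real work, and it handles pre-release tags such as `2.0-beta9`, which naive string comparison gets wrong.

```python
"""Third-party component exposure check (added example, not from the article).

Given an inventory of third-party products together with the components each
vendor declares (SBOM-style), and a list of advisories describing affected
version ranges, report every product that ships an affected component.
All vendors, products, owners and advisories below are constructed sample data.
"""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Advisory:
    component: str
    min_affected: str   # inclusive lower bound of the affected range
    max_affected: str   # inclusive upper bound of the affected range
    note: str


@dataclass
class Product:
    vendor: str
    name: str
    owner: str          # business unit that bought it (CIO org or shadow IT)
    components: dict = field(default_factory=dict)   # component -> version


# Accepts "2.14.1", "2.0-beta9", "1.0.0-rc.2", "3.2" and similar.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)\.?(\d*))?$", re.I)


def parse_version(v):
    """Turn a version string into a tuple that compares correctly.

    Numeric parts are padded to four places; a pre-release tag (alpha < beta
    < rc) sorts below the final release carrying the same number."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    tag = m.group(2)
    if tag is None:
        return nums + (3, 0)            # final release outranks any pre-release
    rank = {"alpha": 0, "beta": 1, "rc": 2}[tag.lower()]
    return nums + (rank, int(m.group(3) or 0))


def is_affected(version, adv):
    """True when version lies inside the advisory's inclusive range."""
    lo, hi = parse_version(adv.min_affected), parse_version(adv.max_affected)
    return lo <= parse_version(version) <= hi


def find_exposed(products, advisories):
    """Return one (vendor, product, owner, component, version, note) per hit."""
    hits = []
    for p in products:
        for comp, ver in p.components.items():
            for adv in advisories:
                if adv.component == comp and is_affected(ver, adv):
                    hits.append((p.vendor, p.name, p.owner, comp, ver, adv.note))
    return hits


def exposure_by_owner(hits):
    """Count exposed products per buying unit, to show where shadow IT sits."""
    return dict(Counter(h[2] for h in hits))


# --- constructed sample data (not real vendor disclosures) -------------------
SAMPLE_ADVISORIES = [
    Advisory("log4j-core", "2.0-beta9", "2.14.1", "sample: remote code execution in logger"),
    Advisory("sample-kernel-driver", "1.0.0", "1.4.5", "sample: driver leaks kernel memory"),
]

SAMPLE_PRODUCTS = [
    Product("Vendor-A", "DashPro", "marketing", {"log4j-core": "2.13.3", "spring-core": "5.3.9"}),
    Product("Vendor-B", "FleetTrack", "shopfloor", {"log4j-core": "2.17.1"}),
    Product("Vendor-C", "EdgeCam", "quality", {"sample-kernel-driver": "1.4.2"}),
    Product("Vendor-D", "Ledger", "finance", {"sample-kernel-driver": "1.5.0"}),
]


def sample_report():
    """Run the check over the constructed inventory."""
    return find_exposed(SAMPLE_PRODUCTS, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for vendor, name, owner, comp, ver, note in sample_report():
        print(f"{vendor}/{name} (bought by {owner}): {comp} {ver} -> {note}")
    print("exposure by owner:", exposure_by_owner(sample_report()))
```

Running it flags the marketing-owned analytics product and the quality team's camera, while the two products on patched versions are silent. The owner column is the point of the first best practice: if the inventory only covers what the CIO's organization bought, the two hits here would never appear in it.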

While the above points pertain primarily to how one interacts with third-party providers,
there are a few things that one can look at doing from a hygiene perspective.

- Limit the number of privileged accounts – most attackers go after these accounts to
  carry out significant damage, so reducing them will reduce the overall attack surface.
- Reduce access to sensitive data – treat sensitive data as your crown jewels. Access to
  them should be restricted to a select few, and the access requests (successful and
  unsuccessful) should be monitored, including geofencing.
- Third-party vendor access – tight control on third-party employees and contractors in
  terms of what they have access to, including their life cycle, needs to be
  implemented.
- Control shadow IT purchases – any technology system that is being purchased should
  go through a standard security check and be included in the overall tracking
  inventory to avoid surprises.
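The hygiene items above are easiest to keep honest when they are checked against actual access records rather than policy documents. The following is an added example, not code from the article: a small audit that runs over constructed access-log lines and raises a finding for each of the first three items, namely more privileged accounts than the agreed ceiling, denied or out-of-geofence requests against crown-jewel resources, and contractor accounts still active past their engagement end date. The log format, resource paths, country allowlist and contractor roster are all constructed for the example.

```python
"""Access-hygiene audit over constructed access-log lines (added example).

Log format (constructed for this example, not any product's real format):
  <ISO timestamp> user=<id> type=<employee|contractor> priv=<0|1> country=<CC>
  resource=<path> result=<ALLOW|DENY>
"""
from collections import Counter
from datetime import date, datetime

# Crown-jewel resources, the geofence for reaching them, and the ceiling on
# privileged accounts. All constructed policy values.
CROWN_JEWELS = {"/finance/ledger", "/hr/payroll", "/eng/signing-keys"}
ALLOWED_COUNTRIES = {"US", "GB", "IN"}
MAX_PRIVILEGED = 3

# Contractor life cycle: account -> last day of the engagement (constructed).
CONTRACTOR_END = {
    "vendor_bob": date(2022, 3, 31),
    "vendor_eve": date(2022, 12, 31),
}

# Constructed sample log, one event per line.
SAMPLE_LOG = """\
2022-06-01T09:12:03Z user=alice type=employee priv=1 country=US resource=/finance/ledger result=ALLOW
2022-06-01T09:15:41Z user=vendor_bob type=contractor priv=0 country=IN resource=/eng/build-logs result=ALLOW
2022-06-01T10:02:17Z user=mallory type=employee priv=0 country=RO resource=/hr/payroll result=DENY
2022-06-01T10:03:02Z user=mallory type=employee priv=0 country=RO resource=/hr/payroll result=DENY
2022-06-01T11:20:55Z user=carol type=employee priv=1 country=GB resource=/eng/signing-keys result=ALLOW
2022-06-01T12:44:09Z user=dave type=employee priv=1 country=US resource=/wiki/home result=ALLOW
2022-06-01T13:01:30Z user=vendor_eve type=contractor priv=1 country=BR resource=/finance/ledger result=ALLOW
"""


def parse_line(line):
    """Split one log line into a dict; timestamp and priv flag get typed."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["priv"] = rec["priv"] == "1"
    return rec


def audit(log_text):
    """Return a list of (finding_kind, subject, detail) tuples."""
    findings = []
    privileged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["priv"]:
            privileged.add(r["user"])
        sensitive = r["resource"] in CROWN_JEWELS
        # Crown-jewel access is monitored whether it succeeded or not.
        if sensitive and r["result"] == "DENY":
            findings.append(("denied_sensitive", r["user"], r["resource"]))
        # Geofence applies to every request against a crown-jewel resource.
        if sensitive and r["country"] not in ALLOWED_COUNTRIES:
            findings.append(("geofence", r["user"], r["country"]))
        # Contractor accounts must map to a current engagement.
        if r["type"] == "contractor":
            end = CONTRACTOR_END.get(r["user"])
            if end is None or r["ts"].date() > end:
                findings.append(("stale_vendor_access", r["user"], r["resource"]))
    # Privileged-account count is a property of the whole window, not a line.
    if len(privileged) > MAX_PRIVILEGED:
        findings.append(("too_many_privileged", len(privileged), sorted(privileged)))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick dashboard-style view."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, subject, detail in audit(SAMPLE_LOG):
        print(f"{kind:22} {subject!s:12} {detail}")
    print(summarize(audit(SAMPLE_LOG)))
```

Against the sample log this reports the repeated denied payroll requests from outside the geofence, a contractor whose engagement ended months before the event, a privileged vendor account reaching the ledger from a country outside the allowlist, and four privileged accounts against a ceiling of three. In practice the constants would come from the inventory and the contractor roster rather than being hard-coded.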

In summary

In this technology-enabled connected world, the most significant risk and the weakest link
stem from that one small piece of hardware or software in a remote corner with a chance
of bringing the company to a standstill. It is high time that organizations and security
professionals focus on this blind spot and find a way to stay abreast of risks and mitigate
them.
