5 Ways to Minimize Supply-Chain Attacks

ASUS was pounded earlier this year when ShadowHammer struck. Though it targeted 600 individuals, the computers of tens of thousands of customers—who unknowingly downloaded malicious code via the ASUS Live Updater—were ultimately compromised.

Around the same time, IT outsourcing giant Wipro and other IT providers were also victimized. The attackers launched a sophisticated phishing scheme that enabled them to access Wipro’s customer base, many of whom were retailers and financial institutions. With this access, the attackers exploited the gift and payment card systems of Wipro’s customers, netting an indeterminate amount of hard-to-trace cash.

Experts have reported that the number of supply-chain attacks has increased by 78%, which is consistent with special publications from the FBI’s InfraGard Program. In fact, this is one of their biggest problems.

Supply-chain attacks can happen to IT service providers (MSPs, MSSPs, etc.) and their customers in any industry. Regardless of how it happens, these attacks can wreak havoc on customers, suppliers, partners and other trusted individuals within your ecosystem. Taking action to protect your ecosystem now can alleviate the often-devastating effects of a potential attack later.

5 ways to protect against supply-chain attacks

1. Know who is in your ecosystem. Understand that you are a part of an ecosystem and threats are coming at you asymmetrically. You may not be the intended target, but you are absolutely a target, no matter where you are in the ecosystem. Our Tech Data Services team offers risk assessments that look at your ecosystem to thoroughly analyze, identify and mitigate cybersecurity threats based on likelihood and impact.

Speaking at Black Hat 2019 a couple of weeks ago, Microsoft Security Response Center GM Eric Doerr said, “People like to think about hardware as the main supply-chain threat, but, really, you need to start with people—your contractors and partners.”

2. Understand their security postures. Just as your business has a security posture, your ecosystem also has a security posture. Understand how the members of the ecosystem are handling security, what their security policies are, and what regulations and compliance requirements they have. Know whom to call, either at your suppliers or end customers, if there’s a supply-chain breach.
3. Stay informed and aware. Join groups such as the FBI’s InfraGard program, a public-private sector partnership dedicated to collaboration around protecting critical infrastructures.

Information Sharing and Analysis Organizations (ISAOs) are also good sources of information. Tech Data is currently working on a partnership with an ISAO to help its partners and customers stay on top of incoming threat intelligence.

4. Leverage assessments and testing. Penetration testers (also known as ethical hackers) often go into organizations to find gateways through which an attack might be launched.

While these assessments are extremely useful at finding gaps, companies have, in recent years, limited their scope to get the answers they want or to save face. This short-sighted, “check the box” thinking not only keeps organizations from improving their security postures, but it could also expose their customers and suppliers to an attack.

Another option is an attack simulation. These simulations take place in a real-world environment to help detect how your policies, procedures and technologies will fare against an advanced persistent threat.

5. Start a conversation with your ecosystem. Finally, talk to everyone in your ecosystem in an open and honest way. Tell them you’re undertaking a supply-chain assessment to uncover weaknesses. Work together to not only bring everyone up to a mature security posture. Help get the approvals needed to ensure your ecosystem can effectively respond to a supply-chain attack.

To achieve a mature security posture, you must be willing to recognize that there may be weak spots in your network and do a no-holds-barred assessment. If you leave it to chance, then you’ll be at a significant disadvantage when an attack does occur.

Your weaknesses may be exposed, but it will be much less public than if your customers experience a massive security breach where they’ve been defrauded of millions of dollars, have their trade secrets stolen or are made to pay millions in penalties.

Acting for the good of your ecosystem better serves your customers. It’s good for business—and it’s good for business continuity.

Tech Data has the expertise and resources you need to build a reputable security practice. Our team of security experts is equipped with the tools, people, services and solutions to keep your companies safe by identifying weaknesses, reducing risks and quickly responding to cyber attacks. Let our security team provide you with the right solutions to grow your security practice. Contact [email protected] to learn more.

Joshua has hands-on experience and deep technical knowledge in both computer network attack (CNA) and computer network defense (CND). He is a core volunteer with a local non-profit organization leading the country in teaching hands on cyber security skills with real-world application. Outside of work and volunteer contributions, Joshua can be found jamming with the console cowboys in cyberspace.

This guest blog is part of a Channel Futures sponsorship.