5 Ways to Minimize Supply-Chain Attacks

ASUS was pounded earlier this year when ShadowHammer struck. Though it targeted 600 individuals, the computers of tens of thousands of customers—who unknowingly downloaded malicious code via the ASUS Live Updater—were ultimately compromised.

Around the same time, IT outsourcing giant Wipro and other IT providers were also victimized. The attackers launched a sophisticated phishing scheme that enabled them to access Wipro’s customer base, many of whom were retailers and financial institutions. With this access, the attackers exploited the gift and payment card systems of Wipro’s customers, netting an indeterminate amount of hard-to-trace cash.

Experts have reported that the number of supply-chain attacks has increased by 78%, which is consistent with special publications from the FBI’s InfraGard Program. In fact, this is one of their biggest problems.

Supply-chain attacks can happen to IT service providers (MSPs, MSSPs, etc.) and their customers in any industry. Regardless of how it happens, these attacks can wreak havoc on customers, suppliers, partners and other trusted individuals within your ecosystem. Taking action to protect your ecosystem now can alleviate the often-devastating effects of a potential attack later.

5 ways to protect against supply-chain attacks

Speaking at Black Hat 2019 a couple of weeks ago, Microsoft Security Response Center GM Eric Doerr said, “People like to think about hardware as the main supply-chain threat, but, really, you need to start with people—your contractors and partners.”

Information Sharing and Analysis Organizations (ISAOs) are also good sources of information. Tech Data is currently working on a partnership with an ISAO to help its partners and customers stay on top of incoming threat intelligence.

While these assessments are extremely useful at finding gaps, companies have, in recent years, limited their scope to get the answers they want or to save face. This short-sighted, “check the box” thinking not only keeps organizations from improving their security postures, but it could also expose their customers and suppliers to an attack.

Another option is an attack simulation. These simulations take place in a real-world environment to help detect how your policies, procedures and technologies will fare against an advanced persistent threat.

To achieve a mature security posture, you must be willing to recognize that there may be weak spots in your network and do a no-holds-barred assessment. If you leave it to chance, then you’ll be at a significant disadvantage when an attack does occur.

Your weaknesses may be exposed, but it will be much less public than if your customers experience a massive security breach where they’ve been defrauded of millions of dollars, have their trade secrets stolen or are made to pay millions in penalties.

Acting for the good of your ecosystem better serves your customers. It’s good for business—and it’s good for business continuity.

Tech Data has the expertise and resources you need to build a reputable security practice. Our team of security experts is equipped with the tools, people, services and solutions to keep your companies safe by identifying weaknesses, reducing risks and quickly responding to cyber attacks. Let our security team provide you with the right solutions to grow your security practice. Contact [email protected] to learn more.

Joshua has hands-on experience and deep technical knowledge in both computer network attack (CNA) and computer network defense (CND). He is a core volunteer with a local non-profit organization leading the country in teaching hands on cyber security skills with real-world application. Outside of work and volunteer contributions, Joshua can be found jamming with the console cowboys in cyberspace.

This guest blog is part of a Channel Futures sponsorship.