Cybersecurity Q&A: Supply Chain Attacks

Question: Our network was recently breached as a result of an update to a software product we purchased. The vendor told us that one of their own service providers was breached, and the update exposed all of their customers to attack. What should we have done to prevent this vendor from impacting our systems, and what can we do to prevent something like this moving forward?

Answer: You are describing a supply chain attack—a cyberattack that impacts not your organization specifically, but one of your suppliers, thus disrupting your operations or, in this case, exposing your company to further attack.

This type of cyberattack is becoming more common as criminals realize that they can breach organizations en masse by attacking service providers who have some level of access to many companies’ systems. The most publicized recent supply chain attack was the SolarWinds attack in December 2020. In that case, SolarWinds was responsible for pushing updates to their clients’ systems. The attacker gained access to SolarWinds’ systems and published fraudulent updates that installed malware on many of SolarWinds’ customers’ networks. Even though those end-user customers were not directly breached, the attack on their service provider ended up exposing them to risk and attack.

These are complicated situations, especially among small businesses, because third-party vendors are more common than in-house services in those environments.

So, how do you determine if you have risk associated with a vendor or some other party in your digital supply chain?

Ask! If you’ve ever applied for cyber risk insurance or undergone an audit where your computer systems were evaluated, you were likely given a questionnaire regarding your company’s digital security and processes. Make a copy of one of those audits, or download one of the many freely available templates online. Ask your key vendors to complete them. Work with your in-house or contracted IT provider to evaluate responses, and refresh that audit with vendors once a year or so to assess the risks.

What steps should you take to prevent this kind of breach?

Grant access to your systems only when actually needed. Especially with third-party IT support, external vendors are often given unrestricted 24/7 remote access to your systems. While this can be helpful if something goes down in the middle of the night, it also creates opportunities for your systems to be attacked. If you can, limit vendor access to an as-needed basis, and use permitted-hours settings on your servers or firewalls to determine when external vendors are allowed to access your systems, and from where. The middle of the night, weekends and especially holidays are prime times for attackers to try to breach systems.
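The permitted-hours and source restrictions described above, as an added example that is not from the original article: a small Python checker that evaluates vendor remote-access attempts against a per-vendor policy (hypothetical vendor names and constructed log lines) and reports the attempts that fall outside the allowed source ranges, weekdays, hours or holiday calendar.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed per-vendor policy (hypothetical vendor names): which source
# ranges, weekdays (Mon=0) and local hours each vendor may connect from/in.
POLICY = {
    "backup-vendor": {"sources": ["203.0.113.0/24"], "weekdays": {0, 1, 2, 3, 4},
                      "hours": (time(8, 0), time(18, 0))},
    "it-support": {"sources": ["198.51.100.10/32"], "weekdays": {0, 1, 2, 3, 4},
                   "hours": (time(7, 0), time(20, 0))},
}
HOLIDAYS = {"2024-12-25", "2025-01-01"}  # constructed sample holiday list

def evaluate(vendor, src_ip, when):
    """Return (allowed, reason) for one remote-access attempt."""
    rule = POLICY.get(vendor)
    if rule is None:
        return False, "unknown vendor"
    if not any(ip_address(src_ip) in ip_network(n) for n in rule["sources"]):
        return False, "source outside vendor range"
    if when.strftime("%Y-%m-%d") in HOLIDAYS:
        return False, "holiday"
    if when.weekday() not in rule["weekdays"]:
        return False, "weekend"
    start, end = rule["hours"]
    if not (start <= when.time() < end):
        return False, "outside permitted hours"
    return True, "ok"

# Constructed sample access log: "timestamp vendor source-ip" per line.
SAMPLE_LOG = """\
2024-12-03T10:15:00 backup-vendor 203.0.113.7
2024-12-03T02:40:00 backup-vendor 203.0.113.7
2024-12-07T11:00:00 it-support 198.51.100.10
2024-12-25T09:30:00 it-support 198.51.100.10
2024-12-04T14:00:00 it-support 192.0.2.55
"""

def review(log_text):
    """Evaluate every logged attempt; return [(line, reason)] for policy violations."""
    violations = []
    for line in log_text.splitlines():
        ts, vendor, ip = line.split()
        ok, reason = evaluate(vendor, ip, datetime.fromisoformat(ts))
        if not ok:
            violations.append((line, reason))
    return violations

if __name__ == "__main__":
    for line, reason in review(SAMPLE_LOG):
        print(f"DENY ({reason}): {line}")
```

Running it prints four DENY lines for the sample log: one attempt at 02:40, one on a Saturday, one on a listed holiday, and one from an address outside the vendor's published range.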

Purchase and install endpoint-detection-and-response (EDR) software or systems. EDR can be thought of as anti-virus software plus-plus. It combines the features of old-style anti-virus with proactive threat detection, network monitoring, update verification, and plenty of other features that not only block known threats but can use behavioral data to spot and block “fishy” activity that is out of the norm for your company. EDR will often detect and block threats coming from a theoretically trusted source, like a key vendor. EDR software is also not as expensive as many people believe, as you can obtain high-quality EDR for as little as $45 to $60 per device, per year. Of course, more expensive options do exist, but even a reasonably priced small business solution will provide a great deal of protection from unexpected threats.

Finally, enable and enforce two-factor or multi-factor authentication on all of your systems. Most attacks are related to credential theft, where a vendor’s credentials are used to illicitly access your systems. By enforcing multi-factor authentication, you remove the username and password as the sole barriers to entry and require that whoever is logging in also possess a physical object, such as a security key or smartphone, to complete the login process.

This article is provided by Enquiron, which offers Association members cybersecurity resources at no cost. Learn more about the benefit at