
Valuable Assets are Valuable Targets – Protecting the IT Supply Chain

Written by: Kenneth Chen, Vice President, Asia, ExtraHop.

As Singapore recovers from pandemic-related disruptions and steps into endemicity, its global supply chains continue to face mounting threats from cyber attacks.

In a World Economic Forum report, the Commissioner of Cybersecurity and Chief Executive of Singapore’s Cyber Security Agency (CSA) said, “The rise of supply chain threats and escalating ransomware attacks are the most pressing cyber challenges the international community needs to address.”

Echoing that, the Monetary Authority of Singapore (MAS) also discussed the adoption of new and emerging technologies to strengthen supply chains against cyber attacks. These developments highlight the importance of an effective monitoring system to facilitate prompt detection of suspicious cyber activities.

Assess your suppliers
Having a thorough knowledge of key technology suppliers is vital when it comes to warding off supply chain attacks. To build a strong security posture, organisations need to classify each supplier on two axes: whether the connection to it is synchronous or asynchronous, and whether it is a technology partner or a service provider, because the risk profile differs in each case.

Synchronous suppliers are often preferred within supply chains. They provide a vibrant and connected ecosystem where information can be collected, analysed and utilised in real-time.

However, the same real-time connection that delivers accurate visibility also links the supplier to core applications within the infrastructure, which makes it potentially dangerous. For example, large organisations such as banks often operate extranets and demilitarised zones (DMZ) in which they exchange valuable data with third-party partners. This creates additional risk if those zones are in turn connected to other critical systems.

Synchronous supply chain zones need to be segmented so that a partner can reach only the systems deliberately exposed in that zone, with no route to critical systems the zone does not require. This significantly reduces the attack surface and closes what might otherwise be an open door for cyber criminals to force entry.

Asynchronous suppliers, who exchange information through email or collaboration tools in a shared zone rather than over a live connection, limit wider network exposure but still pose some risk. The risk is lower because internal IT systems are not directly connected; however, these channels are prime vectors for phishing emails and malware embedded in documents.

It should also be remembered that risk differs between technology partners and service providers. Companies devote considerable effort to picking the right technology partner, and security needs to be a key consideration in that choice.

If a technology partner does not have security processes in place to match the rest of the supply chain, it quickly becomes the weakest link and thus the most attractive target for cyber attackers. At the same time, it is crucial that service providers within the supply chain maintain a rigorous and regular patch process to resolve lurking vulnerabilities and maintain a strong security posture.

Aim for balance
When assessing suppliers, it is necessary to agree on similar systems and standards, especially when it comes to data exchange and core infrastructure. Every organisation has its own proprietary way of operating; however, common standards across suppliers are essential to minimising friction.

Another area that should concern organisations is the different levels of risk assessment that will sit across the supply chain. Agreement on a minimum viable security posture is critical, and even more pressing is making sure suppliers actually implement it.

All sides of the business will need to align on both when and how to implement security measures. When it comes to partners, they should frequently test and audit shared IT infrastructure to uncover any potential vulnerabilities or leaks.

Previous supply chain attacks serve as a stark reminder that vendors and suppliers should check their IT systems often and never assume that certain controls are in place. It is also essential to maintain an up-to-date, active inventory of all connected devices, so that vulnerable systems can be quickly identified and patched.

Minimum steps are never enough
However, securing organisations' supply chains does not stop with agreements on standards. Significant resources also need to be allocated toward maintaining the chain from start to finish.

Unfortunately, if the reviews undertaken are not rigorous enough to be effective, this will have major repercussions in the future. The threat is dynamic, and security teams need to outpace cyber criminals. It is worth ranking suppliers on how critical they are and what risk they could pose.

Furthermore, when visibility into a key supplier’s infrastructure is limited, security professionals need to plan for worst-case scenarios such as supply chain leaks or backdoors. This practice is common for internal risks, but less common for external suppliers.

Having network detection and response tools in place to track and record all network activity can make the difference when it comes to preventing or eliminating a supply chain attack. A full picture of movement within the network is crucial to mitigating damage in the event of an attack, because it lets incident responders uncover the attack, understand its full extent, and remediate the affected systems and vulnerabilities quickly.
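The following is an added example, not code from the article or from ExtraHop, of the two checks the article argues for: verifying that the segmentation of a synchronous partner zone actually holds (partner and DMZ hosts can reach only the exchange gateway, never core systems) and that every device seen in the DMZ is in the active inventory, both applied to recorded network flows of the kind an NDR tool keeps. The address plan, the allowed-flow policy, the inventory and the flow record format are all assumptions made for the example, and the sample records are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed address plan for a bank-style extranet (hypothetical, for the example).
ZONES = {
    "partner": ipaddress.ip_network("203.0.113.0/24"),  # third-party side of the extranet
    "dmz": ipaddress.ip_network("192.0.2.0/24"),        # data-exchange servers
    "internal": ipaddress.ip_network("10.10.0.0/16"),   # core applications
}

# Segmentation policy: the only connections the zones may initiate.
# (source zone, destination zone, destination port); anything else is a violation.
ALLOWED_FLOWS = {
    ("partner", "dmz", 443),   # partner uploads/downloads via the exchange gateway
    ("internal", "dmz", 443),  # internal batch jobs collect files from the gateway
}

# Assumed active inventory of the devices that belong in the DMZ.
DMZ_INVENTORY = {"192.0.2.10", "192.0.2.11"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it matches no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record format: {line!r}")
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, src_ip, dst_ip, int(dport), proto)


def findings_for(flow: Flow) -> List[Tuple[str, str]]:
    """Return (finding_type, detail) pairs for one flow; empty if the flow is clean."""
    out = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # Check 1: does the flow cross a boundary the segmentation policy does not allow?
    if (src_zone, dst_zone, flow.dport) not in ALLOWED_FLOWS:
        out.append(("segmentation-violation",
                    f"{src_zone}->{dst_zone} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}"))
    # Check 2: is either endpoint a DMZ address that the inventory does not know about?
    for ip in (flow.src, flow.dst):
        if zone_of(ip) == "dmz" and ip not in DMZ_INVENTORY:
            out.append(("unknown-dmz-device", ip))
    return out


def review(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every record through both checks; returns (timestamp, type, detail) triples."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        for kind, detail in findings_for(flow):
            results.append((flow.ts, kind, detail))
    return results


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "2023-05-01T09:00:01Z 203.0.113.5:51122 -> 192.0.2.10:443 tcp",   # normal partner upload
    "2023-05-01T09:00:07Z 203.0.113.5:51130 -> 10.10.4.20:445 tcp",   # partner reaching a core SMB host
    "2023-05-01T09:01:15Z 192.0.2.10:40010 -> 10.10.4.20:3389 tcp",   # DMZ gateway pivoting inward
    "2023-05-01T09:02:00Z 192.0.2.99:40020 -> 203.0.113.5:443 tcp",   # DMZ device missing from inventory
    "2023-05-01T09:03:00Z 10.10.4.20:50001 -> 192.0.2.10:443 tcp",    # normal internal collection
]

if __name__ == "__main__":
    for ts, kind, detail in review(SAMPLE_FLOWS):
        print(ts, kind, detail)
```

The policy is deliberately an allow-list: a flow is a finding unless it matches a known-good (source zone, destination zone, port) triple, so a compromised partner host reaching a core file server, or the exchange gateway itself pivoting to RDP on an internal host, is flagged without anyone having to predict those paths in advance. The inventory check is what turns "never assume certain controls are in place" into something testable: a DMZ address that talks but is not in the inventory is either an undocumented system or an attacker's foothold, and either way it needs a name, an owner and a patch status.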

It is clear that supply chain attacks are growing in both number and sophistication. Given the exponential growth of the digital technology sector and the region's thriving global manufacturing hub, it should come as no surprise that we have started to see this type of advanced attack. By taking these recommended steps today, organisations will significantly reduce their chances of falling prey tomorrow.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.
