
        Signs You May Be Vulnerable to Supply Chain Attacks

        Published November 9, 2022 • By Reciprocity • Blog

        One of the most notorious cybersecurity attacks to strike through the corporate supply chain happened in 2020. That’s when criminals successfully installed malware into the Orion software product sold by SolarWinds, which then infected thousands of SolarWinds’ corporate customers around the world.

        Due to the level of stealth employed by the attackers and their success at compromising so many victims at a single stroke, the SolarWinds attack demonstrates all the perils that can come from supply chain attacks.

        So how can you protect your own organization from supply chain attacks? Start by identifying the risk factors. Knowing these factors will help you determine your protection strategy and keep adversaries out of your IT environment.

        What Is a Supply Chain Attack?

        A software supply chain attack can occur when a software product contains vulnerabilities that an attacker can exploit to simultaneously attack all the organizations using that software product. In the SolarWinds case, the attackers leveraged SUNSPOT malware, which then inserted the SUNBURST backdoor into Orion.

        SUNBURST, which is a piece of malicious code, can execute files, reboot the machine, and even disable system services. Worse, it can carry out these activities at scale – which is why the attack had so many victims.

        Other Examples of Supply Chain Attacks

        In 2018, the Event-stream Attack caused some ripples in cybersecurity circles. Attackers injected malware into event-stream, a popular open-source JavaScript code library. Their aim was to steal funds from bitcoin wallets, and they did succeed to some extent.

        Two other supply chain attacks were discovered a few months earlier. One compromised a piece of server management software, while the other slipped a malicious package into Python’s official repository, increasing fears about a widespread attack.

        In 2021, the Mimecast attack also made waves worldwide. In this attack, hackers successfully compromised a security certificate, affecting about 10 percent of Mimecast’s customers.

        Guard Against These Supply Chain Attack Risk Factors

        In cybersecurity, forewarned is always forearmed, especially for supply chain management risks and supply chain attacks. By recognizing your risk factors, you can detect threats, address vulnerabilities, and minimize risk.

        Which risk factors are most common? Consider the following.

        You use many commercial software products

        Most modern organizations use commercial software applications for HR, financial services, accounting, operations, project management, and a host of other needs. Attackers may exploit the vulnerabilities in these applications, resulting in an attack against your critical assets or sensitive data.

        You use many open-source software packages or components

        Per one 2021 report, about 90 percent of companies use open-source innovations and source code to save time and money, accelerate innovation, and solve business problems. That said, security vulnerabilities are an ongoing problem with open-source components. The Equifax data breach from 2017, for example, is one well-known attack that exploited a vulnerability in an open-source component.

        In 2021, more than 4,000 high-severity vulnerabilities were discovered in open-source components, which is why even President Biden’s cybersecurity executive order talks about the integrity of open-source and third-party software and securing the software supply chain.

        Your vendor network is growing

        The more software applications you purchase, the more your third-party vendor network grows and the more cyber threats can potentially enter your environment. If these applications contain vulnerabilities, they will increase your risk of supply chain attacks.

        You source software from ‘risky’ foreign countries

        Software that originates in some low-cost countries often contains exploitable vulnerabilities and malware. These gaps allow attackers to compromise the application and attack all its enterprise users. If you purchase software from such countries, be warned that you may be at risk of a supply chain attack.

        How to Prevent Supply Chain Attacks

        You want to eliminate the risk of supply chain attacks. As a practical matter, however, most businesses can’t simply stop using commercial software; nor are they likely to stop using open-source software or components. Also, your vendor network may continue growing, depending on your software requirements, budget, and vendor capabilities.

        You can, however, minimize the risk of many types of supply chain attacks by following these best practices:

        • Buy software only from trusted vendors
        • Apply security patches and updates to all software and operating systems as soon as the vendor releases them
        • Conduct regular audits of software assets and create a software inventory so you know exactly what needs to be protected
        • Run regular vulnerability scans and penetration tests across your entire software environment
        • Keep track of “shadow IT” software (that is, unauthorized software users install themselves) and remove such applications if you find vulnerabilities

        You should also install client-side protection tools to stop malicious code before it gets installed on your network, install antivirus software, and deploy endpoint detection and response (EDR) tools to protect endpoints.

        It’s also crucial to implement a comprehensive third-party cyber risk management program and conduct due diligence on every software vendor. Also assess providers’ security posture and check whether they have implemented a security framework to protect their software and minimize their attack surface.

        Some other good practices to follow to prevent supply chain attacks against your business:

        • Implement code dependency policies so only authorized apps can run on the network
        • Make secure coding part of your company’s software development lifecycle (SDLC)
        • Develop an incident response process for quick remediation of supply chain security incidents
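The inventory, trusted-vendor, shadow-IT and dependency-policy practices in the two lists above can be turned into a routine check. The following is an added example, not code from the post or from Reciprocity; the package names, publishers and bytes are constructed, and the allowed-publisher set is an assumed policy.

```python
"""Audit a pinned software inventory (pip-style 'name==version --hash=sha256:...'
lines) against the components actually present. Added example; all data below
is constructed for illustration."""
import hashlib
import re

# Assumed policy: only components from these publishers are approved.
ALLOWED_PUBLISHERS = {"example-vendor", "internal"}

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_manifest(text):
    """Return {name: {"version": v or None, "hash": hex or None}}."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:  # bare name: nothing pinned, nothing to verify
            inventory[line] = {"version": None, "hash": None}
            continue
        h = HASH_RE.search(m.group("rest"))
        inventory[m.group("name")] = {"version": m.group("ver"),
                                      "hash": h.group(1) if h else None}
    return inventory


def audit(manifest_text, artifacts, publishers):
    """artifacts: {name: bytes actually installed}; publishers: {name: source}.
    Returns sorted (name, finding) pairs a reviewer can act on."""
    findings = []
    inv = parse_manifest(manifest_text)
    for name, entry in inv.items():
        if entry["version"] is None:
            findings.append((name, "UNPINNED"))
        if entry["hash"] is None:
            findings.append((name, "NO_HASH"))
        if publishers.get(name) not in ALLOWED_PUBLISHERS:
            findings.append((name, "UNAPPROVED_SOURCE"))
        blob = artifacts.get(name)
        if blob is None:
            findings.append((name, "NOT_INSTALLED"))
        elif entry["hash"] and hashlib.sha256(blob).hexdigest() != entry["hash"]:
            findings.append((name, "HASH_MISMATCH"))  # tampered or swapped build
    for name in artifacts:
        if name not in inv:
            findings.append((name, "SHADOW_COMPONENT"))  # present but never approved
    return sorted(findings)


def demo():
    """Constructed scenario: one tampered build, one unhashed pin, one unpinned
    component from an unapproved source, and one shadow component."""
    clean_build = b"libfoo 1.2.0 clean build"
    manifest = (f"libfoo==1.2.0 --hash=sha256:{hashlib.sha256(clean_build).hexdigest()}\n"
                "libbar==0.9.1\n"
                "eventstreamish\n")
    installed = {"libfoo": clean_build + b"; injected", "libbar": b"ok", "leftpad": b"?"}
    sources = {"libfoo": "example-vendor", "libbar": "internal", "eventstreamish": "mirror"}
    return audit(manifest, installed, sources)
```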

        Protect Yourself from Supply Chain Attacks With Reciprocity ROAR

        Visibility is crucial to understand your threat landscape and prevent supply chain attacks. Get this enhanced and granular visibility with Reciprocity’s ROAR platform. ROAR will help you see and understand your supply chain risks.

        Use its insights to determine the required action to minimize these risks. ROAR will also allow you to make data-driven decisions about your security investments. Take advantage of expert-provided guidance, automated workflows, built-in content library, and single source of truth to enhance your software supply chain’s security and protect your organization from the bad guys.
