Six months later: Key takeaways from the SolarWinds supply chain attack
Last year’s SolarWinds supply chain attack shook the security world. Hundreds of private businesses, many of them Fortune 500 companies, and several US agencies, including the Pentagon, Homeland Security, the Treasury, and the State Department, were all victims as they all use SolarWinds’ Orion system.
The scope of this attack, and the fact that the attackers broke into the system and went undetected for months, shows that even organizations that believe they have the highest levels of security can be compromised through supply chain attacks. Supply chain attacks aren’t new, and unfortunately they are increasing in frequency at an alarming rate: according to the Identity Theft Resource Center, there were 58 supply chain attacks during the first half of 2021, suggesting they will become the third most common root cause of data breaches this year.
In the wake of the SolarWinds attack and more recent Codecov and Kaseya attacks, cyber teams need to look at their security and that of their third-party vendors to ensure they have the best possible cyber hygiene in place.
The supply chain attacks of the past have shown us that a single point of failure can have far-reaching consequences. However, security managers can increase their protection by taking cautious and appropriate steps in advance. Below are the key takeaways from these recent attacks:
1) Vet third-party vendors carefully
Third-party vendors are particularly attractive targets for hackers, which means you need to vet vendors more thoroughly than ever before. Once you’ve shortlisted the vendors, it’s time to investigate them using both publicly available records and internal processes. To better understand a vendor’s cyber risk, check operational and monitoring reports, Common Vulnerabilities and Exposures (CVE) investigation reports, fourth-party investigation reports, board reports, supplier comparison reports, and supplier mapping reports.
Pay careful attention to a vendor’s cybersecurity framework. Ensure each one you choose to work with has validated and certified security procedures and policies, and verify that the vendor produces logs to monitor its software. Require vendors to have all files digitally signed and confirm that contracts include SLAs for incident response actions in case their tools are hacked, and you require their expertise to mitigate an incident in your environment.
Before adding a new product or software solution, always perform a thorough audit of the product, check for vulnerabilities, and patch as many holes in the network as possible.
2) Understand how vendors handle data
Vendors will need access to your data – that is just the reality of the situation – but it means you need to know exactly what data is accessible to each vendor. The best approach is to allow vendors access only to unclassified or low-severity classified data and to ensure that vendors can delete all data upon request. Every vendor contract should clearly detail the vendor’s requirements for access to data and its policies around data use.
3) Limit access as much as possible
One of the best ways to protect against supply chain attacks is to limit employees’ and third-party vendors’ access to your IT environment. Service accounts for external technology and products should have as little access as possible, as should team members. By creating Conditional Access policies, you’ll enable users to be productive while protecting your assets. Conditional Access policies can address concerns by requiring multi-factor authentication for specific users or tasks, requiring organization-managed devices for specific applications, blocking or granting access from specific locations, and blocking risky sign-in behaviors.
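The paragraph above lists four kinds of Conditional Access rules but not how they combine. The following added example (not code from the original article or from any identity provider) models that composition in plain Python: block rules are evaluated first and win outright, and only then are grant controls such as MFA or a managed device stacked on top. The user names, application names, countries and risk levels are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as the identity provider would see it (constructed shape)."""
    user: str
    app: str
    country: str
    device_managed: bool
    risk: str             # "low" | "medium" | "high", as scored by the identity provider
    mfa_completed: bool

# Constructed policy set; a real tenant's values would differ.
ALLOWED_COUNTRIES = frozenset({"US", "CA"})          # grant only from these locations
BLOCK_RISK_LEVELS = frozenset({"high"})              # block risky sign-in behaviour
MFA_USERS = frozenset({"vendor-svc", "admin-alice"}) # MFA required for specific users
MFA_APPS = frozenset({"monitoring-console"})         # MFA required for specific tasks
MANAGED_DEVICE_APPS = frozenset({"monitoring-console", "hr-portal"})

def evaluate(s: SignIn) -> Dict[str, object]:
    """Return {'decision': 'block' | 'challenge_mfa' | 'grant', 'reasons': [...]}.

    Block policies are checked first so that no grant control can override them.
    """
    reasons: List[str] = []
    if s.country not in ALLOWED_COUNTRIES:
        return {"decision": "block", "reasons": [f"location {s.country} not allowed"]}
    if s.risk in BLOCK_RISK_LEVELS:
        return {"decision": "block", "reasons": [f"sign-in risk is {s.risk}"]}

    # A managed-device requirement cannot be satisfied mid-session, so it blocks.
    if s.app in MANAGED_DEVICE_APPS and not s.device_managed:
        return {"decision": "block", "reasons": [f"{s.app} requires an organization-managed device"]}

    # MFA can be satisfied interactively, so it becomes a challenge rather than a block.
    if (s.user in MFA_USERS or s.app in MFA_APPS) and not s.mfa_completed:
        if s.user in MFA_USERS:
            reasons.append(f"user {s.user} requires MFA")
        if s.app in MFA_APPS:
            reasons.append(f"app {s.app} requires MFA")
        return {"decision": "challenge_mfa", "reasons": reasons}

    return {"decision": "grant", "reasons": []}

def demo() -> Dict[str, str]:
    """Evaluate a few constructed sign-ins and return just the decisions."""
    cases = {
        "vendor_from_abroad": SignIn("vendor-svc", "monitoring-console", "DE", True, "low", True),
        "vendor_no_mfa": SignIn("vendor-svc", "monitoring-console", "US", True, "low", False),
        "vendor_unmanaged": SignIn("vendor-svc", "monitoring-console", "US", False, "low", True),
        "vendor_ok": SignIn("vendor-svc", "monitoring-console", "US", True, "low", True),
        "staff_risky": SignIn("bob", "hr-portal", "US", True, "high", True),
        "staff_ok": SignIn("bob", "wiki", "CA", False, "low", False),
    }
    return {name: str(evaluate(s)["decision"]) for name, s in cases.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

The ordering is the point: a sign-in from a disallowed location or with high risk never reaches the MFA check, so a stolen credential plus a completed MFA challenge still does not grant access from outside the allowed regions.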
4) Patches and updates are particularly vulnerable
Although vendors take extra measures to test updates before releasing them, you cannot blindly accept that updates and patches are vulnerability-free and secure. Hackers were able to access SolarWinds customers’ IT systems through a software update that contained malicious code. Before deploying any updates, your IT team should evaluate each one to ensure it’s safe, stable, and doing what it is supposed to do. Regularly scan vendor files with antivirus software and use endpoint protection sandbox tools. If your team is stretched thin and they cannot vet every update, at the very least, major updates should be thoroughly examined and checked for malicious code.
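Takeaway 1 asks that vendor files be digitally signed, and the paragraph above asks that every update be checked before deployment. The added example below (my own illustration, not code from the article or from any vendor) shows how those two requirements fit together on the customer side: the vendor ships a manifest of per-file SHA-256 hashes and a signature over that manifest; the deployment step verifies the signature first and only then trusts the hashes, so an altered file, an unexpected extra file, or a manifest rewritten without the vendor's key are all rejected. The RSA key pair is a constructed toy built from two small Mersenne primes and uses unpadded textbook RSA purely to keep the code dependency-free; real signing uses a 3072-bit or larger key with PSS or PKCS#1 v1.5 padding through a proper library, and the file names and contents are constructed placeholders.

```python
import hashlib
import json
from typing import Dict, List

# Constructed toy RSA key pair (2^61-1 and 2^89-1 are prime). NOT for real use.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; stays with the vendor

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest_int(data: bytes) -> int:
    """Hash-then-sign: SHA-256 of the manifest, reduced modulo N (toy RSA, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def build_manifest(files: Dict[str, bytes]) -> bytes:
    """Canonical JSON of {filename: sha256} so signer and verifier hash identical bytes."""
    entries = {name: sha256_hex(content) for name, content in sorted(files.items())}
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest: bytes, d: int = D, n: int = N) -> int:
    """Vendor side: signature = H(manifest)^d mod n."""
    return pow(digest_int(manifest), d, n)

def verify_manifest(manifest: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Customer side: signature^e mod n must equal H(manifest)."""
    return pow(signature, e, n) == digest_int(manifest)

def verify_update(files: Dict[str, bytes], manifest: bytes, signature: int) -> List[str]:
    """Return a list of problems; an empty list means the update may be deployed."""
    # Signature first: an unsigned or re-signed manifest makes every hash in it worthless.
    if not verify_manifest(manifest, signature):
        return ["manifest signature invalid: do not trust any hash it lists"]
    expected = json.loads(manifest)
    problems: List[str] = []
    for name, content in files.items():
        if name not in expected:
            problems.append(f"{name}: not listed in signed manifest")
        elif sha256_hex(content) != expected[name]:
            problems.append(f"{name}: hash mismatch (file altered after signing)")
    for name in expected:
        if name not in files:
            problems.append(f"{name}: listed in manifest but missing from update")
    return problems

def demo() -> Dict[str, List[str]]:
    """Run four constructed deployment scenarios and return the findings of each."""
    # Vendor side: build and sign the release (constructed sample files).
    files = {"update.dll": b"vendor build 2021.1 (constructed)", "setup.msi": b"installer bytes"}
    manifest = build_manifest(files)
    signature = sign_manifest(manifest)

    results = {"clean": verify_update(files, manifest, signature)}
    # One file changed after signing.
    tampered = dict(files, **{"update.dll": b"vendor build 2021.1 (modified)"})
    results["tampered_file"] = verify_update(tampered, manifest, signature)
    # A file that the vendor never listed appears in the bundle.
    extra = dict(files, **{"extra.dll": b"unexpected content"})
    results["extra_file"] = verify_update(extra, manifest, signature)
    # Manifest rewritten to match the tampered file, but the old signature is reused.
    forged = build_manifest(tampered)
    results["forged_manifest"] = verify_update(tampered, forged, signature)
    return results

if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario:16s} -> {findings or ['OK']}")
```

The vendor's public key (E, N) must itself come through a channel independent of the update download, for example pinned at onboarding time, otherwise whoever controls the download channel can also supply a key that matches their forged signature.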
A final thought
As IT environments become more complex and businesses add more third-party vendors to achieve best-in-breed tech stacks, supply chain attacks will become more commonplace. After all, this kind of attack gives hackers access to many more businesses and can be more profitable. To give your business the best chance at not being a victim of a supply chain attack, security practitioners need to take the precautionary measures we mentioned above and continue to learn from each new data breach.