SUPPLY CHAIN SECURITY
Three important focus areas for immediate and measurable results
Supply chain cybersecurity attacks have been in the news lately, but they’re nothing new. In fact, nation state adversaries have been targeting and abusing supply chain vulnerabilities for years, writes Chester Wisniewski, principal research scientist, Sophos.
These vulnerabilities are an easy ‘in’, giving attackers an open door to more lucrative targets. Managed service providers (MSPs) and managed security service providers (MSSPs) are particularly attractive targets because they hold the keys to many different customer organizations.
We’re all targets
“I didn’t think we would be a target” are words spoken by compromised organizations all too often. Yet the truth is we’re all targets. We’re all links in someone’s supply chain, and that makes us susceptible if we’re not protected. It’s easy to imagine how a company that supplies services or tools to a military contractor could become a backdoor into that contractor, but would you consider your local nail salon to be a supply chain risk? Well, you should. In fact, an attack against a large company began by compromising a local salon and using its billing system to send malicious PDFs to executives at the company who used its services.
Where to Start
There’s tremendous opportunity for MSPs and MSSPs alike to improve supply chain security defenses – both internally and for the customers that they serve.
APRIL 2021
This might seem like a daunting task, but you can tackle it – often with immediate and measurable results – by focusing on three important areas:

1. Authentication
Service providers need to stop sharing passwords. It sounds like common sense, but it’s an ongoing problem. As someone who has investigated credit card fraud, I’ve seen firsthand the risks of payment terminal providers using remote access software – like TeamViewer or VNC – with a single, shared password to manage thousands of customer accounts. This lack of security is no longer acceptable. Phishing one member of your support staff is enough in many cases to destroy your reputation, and potentially your business, in one incident. Just as in traditional IT departments, privileged accounts should only be used when needed, and they should always require multi-factor authentication. All usage should also be logged and reviewed frequently.

2. Access rights
Should every technician be allowed access to every client? Perhaps, but probably not. Logging is critical in recognizing unusual access – like off-hours use, or access to an account assigned to a different team – which can be a sign of insider fraud or of an external threat actor preparing to launch a ransomware attack.
3. Monitoring for compromise
Monitoring is often under-resourced compared with prevention. The problem is that we know prevention isn’t always 100% achievable, yet when it comes to detecting the failure of our preventative controls, we are being too reactive. Once an attack becomes obvious it is often too late. By the time a criminal pulls out the ransomware, they have already stolen critical data and, more often than not, have had access to your network for 30 days or more.
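The log review that points 1 and 2 above call for can be automated with a few rules. The following is an added example, not code from the article or from Sophos: it runs the two signals the text names, off-hours use and a technician reaching a client assigned to a different team, over a constructed remote-access log, and also lists accounts seen from more than one source address, which is worth a look when shared credentials are the concern. The log format, the team roster, the business hours and the sample entries are all assumptions made for illustration.

```python
"""Flag unusual technician access in an MSP remote-access log.

Added example: the log format, team assignments and business hours below
are assumptions for illustration, not taken from the article.
"""
from collections import defaultdict
from datetime import datetime, time

# Assumed roster: which team each technician is on, and which team owns each client.
TECH_TEAM = {"alice": "east", "bob": "east", "carol": "west"}
CLIENT_TEAM = {"acme-dental": "east", "nail-salon": "west", "metro-law": "west"}

# Assumed business hours, Monday to Friday, in the log's local time.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Constructed sample log: ISO timestamp, technician, client, source IP.
SAMPLE_LOG = """\
2021-04-12T09:15:00 alice acme-dental 203.0.113.10
2021-04-12T13:40:00 carol nail-salon 203.0.113.11
2021-04-12T23:05:00 alice acme-dental 203.0.113.10
2021-04-13T10:02:00 bob metro-law 203.0.113.12
2021-04-17T11:30:00 carol nail-salon 198.51.100.7
"""


def parse_line(line):
    """Split one log entry into its fields; the timestamp becomes a datetime."""
    ts, tech, client, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "tech": tech, "client": client, "ip": ip}


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_cross_team(tech, client):
    """True when the technician's team does not own the client (unknown names count)."""
    return TECH_TEAM.get(tech) != CLIENT_TEAM.get(client)


def review_log(text):
    """Return (timestamp, technician, client, reasons) for every entry that trips a rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        if is_off_hours(ev["ts"]):
            reasons.append("off-hours")
        if is_cross_team(ev["tech"], ev["client"]):
            reasons.append("cross-team")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["tech"], ev["client"], reasons))
    return findings


def multi_source_accounts(text):
    """Accounts seen from more than one source IP: a review item, not proof of sharing."""
    ips = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            ips[ev["tech"]].add(ev["ip"])
    return {tech: sorted(addrs) for tech, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    for ts, tech, client, reasons in review_log(SAMPLE_LOG):
        print(f"{ts} {tech} -> {client}: {', '.join(reasons)}")
    for tech, addrs in multi_source_accounts(SAMPLE_LOG).items():
        print(f"{tech} seen from {len(addrs)} addresses: {', '.join(addrs)}")
```

On the sample log this flags alice's 23:05 session and carol's Saturday session as off-hours, bob's session on a west-team client as cross-team, and lists carol as the one account seen from two addresses. Both checks depend on a current roster: a stale TECH_TEAM or CLIENT_TEAM produces noise rather than signal, which is the same reason the text insists that access rights be assigned deliberately rather than granted to everyone.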
Prioritizing Supply Chain Security
Improving on these three important areas will significantly reduce cyber-security risk, putting MSPs and MSSPs ahead of their competition when it comes to protecting customers. Prioritizing supply chain security defenses can be a significant competitive advantage for service providers in acquiring new customers – and, perhaps most importantly, in retaining the ones they already serve. These are simply starting points where we have identified common points of failure. Security is a journey, and securing the supply chain is just one piece of the bigger puzzle.

Chester Wisniewski is a principal research scientist at next-generation security leader Sophos with more than 20 years of professional experience.