“No business is an island, entire of itself” (with apologies to John Donne). Businesses have connections to other businesses, who supply them with goods, and whom they supply with goods – both parts and software. These connections are known as the supply chain. It can be long and convoluted and has become a favoured attack vector for cybercriminals. In many cases, a company has its own supply chain while simultaneously being part of the supply chain for other, probably larger, businesses.
If an attacker can breach any link in this chain, he can more easily attack other companies further down the chain. Every company has a duty to protect its customers from supply chain attacks while simultaneously taking action to prevent being a supply chain victim of its own suppliers.
In IT, the supply chain can involve both hardware and software. There are few documented hardware supply chain attacks, but it is a constant threat. An example of concerns can be found with Huawei telecoms equipment. The UK has access to Huawei source code. It is worried about hidden backdoors that could be accessed by China’s intelligence services. The UK has never found a backdoor – but remains concerned over the numerous Huawei vulnerabilities that could be exploited by China. If this were to happen, every single user of the vulnerable Huawei equipment could potentially be compromised by China.
Most documented supply chain attacks are software-based. The classic example of the possible scale of a software supply chain attack can be found in the 2020 SolarWinds hack in the U.S. Following an undetected breach at SolarWinds, attackers were able to surreptitiously add malware to its Orion software. Every customer that subsequently downloaded the Orion software was automatically infected with the malware – and this included hundreds of companies around the world and dozens of U.S. government agencies.
A global problem
Supply chain attacks are a global problem. An attack in one country can affect companies in other – sometimes many – countries. This is what happened with NotPetya in 2017. Russian hackers infiltrated the Ukrainian tax accounting firm MEDoc and poisoned the software. Every Ukrainian customer that subsequently downloaded the MEDoc accounting software was infected with NotPetya. However, the malware had wormlike abilities, and NotPetya very rapidly wormed its way out of Ukraine and propagated around the world – causing quite possibly the most expensive cyber incident in history.
Sometimes supply chain attacks have a more limited target. In the UK, this happened with British Airways who had customer details (with estimates of up to 400,000 card payment details) stolen in 2018. It is believed that a hacker group, part of an umbrella group known as Magecart, infiltrated a BA software supplier to gain access to BA’s systems with the next software download.
Magecart specialized in this type of attack. A similar approach was used against Ticketmaster, also in 2018 – displaying another aspect of supply chain attacks. A Ticketmaster software supplier, Inbenta, was compromised and Ticketmaster-bound software was poisoned. Some 5% of Ticketmaster’s global user base may have subsequently had its payment details stolen. Ticketmaster blamed Inbenta for supplying poisoned code, while Inbenta blamed Ticketmaster for putting the code on its payment page – which, it claims, should not have happened.
These few examples are just the tip of the iceberg in supply chain threats and compromises.
The hidden supply chain
There is another hidden supply chain threat. It’s like a wave that hasn’t broken, but one that could break at any time: open-source software libraries. Every company that develops its own software will take advantage of open-source libraries – why spend time (and money) developing new code when it already exists and is free to use?
The problem is that these libraries have no overall authority governing their security, and the majority contain vulnerabilities. If those vulnerabilities become known to hackers, any company using the library is a potential victim. But it’s a complex issue. Firstly, not every company is aware of all the libraries used in its code. Secondly, one known library could be dependent upon a different unknown library. Thirdly, not all vulnerabilities are relevant to every company using the library. Applications rarely use every part of a library. A vulnerability may affect a specific class within the library that isn’t used by the application.
Consequently, the vulnerability may exist within the application, but it can never be exploited by an attacker.
These problems make it extremely time-consuming for SMEs to monitor and patch the vulnerable open-source libraries they use – and since doing so will frequently unearth what is effectively a false positive, many companies simply don’t bother: leaving themselves vulnerable to this hidden supply chain threat.
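The three complications above (undeclared transitive libraries, and advisories that hit a class the application never touches) can be worked through in code. This is an added example, not part of the article: the dependency graph, advisory feed and class inventory are all constructed, and the reachability check is a deliberately crude stand-in for what a real static-analysis or SCA tool would do.

```python
# Added example, not from the article: walk a constructed dependency tree to
# expose hidden transitive libraries, then triage advisories by reachability.
from collections import deque

# Constructed dependency declarations (every name and version is hypothetical).
DEPENDENCY_GRAPH = {
    "app": {"webkit-lib": "2.1.0", "report-gen": "1.4.2"},
    "webkit-lib": {"xml-parse": "3.0.1"},
    "report-gen": {"xml-parse": "3.0.1", "img-util": "0.9.0"},
    "xml-parse": {},
    "img-util": {},
}
# Constructed advisory feed: (library, vulnerable version, vulnerable class).
ADVISORIES = [
    ("xml-parse", "3.0.1", "ExternalEntityLoader"),
    ("img-util", "0.9.0", "TiffDecoder"),
    ("report-gen", "1.4.2", "TemplateRenderer"),
]
# Constructed inventory of library classes the application's own code references.
USED_CLASSES = {"report-gen": {"TemplateRenderer"}, "xml-parse": {"SafeReader"}}

def resolve_transitive(graph, root="app"):
    """Breadth-first walk from root; returns {library: version} for everything
    reachable, including libraries the application never declared itself."""
    seen, queue = {}, deque([root])
    while queue:
        for dep, version in graph.get(queue.popleft(), {}).items():
            if dep not in seen:
                seen[dep] = version
                queue.append(dep)
    return seen

def hidden_dependencies(graph, root="app"):
    """Libraries pulled in transitively but absent from root's own declarations."""
    return sorted(set(resolve_transitive(graph, root)) - set(graph.get(root, {})))

def triage(graph, advisories, used_classes, root="app"):
    """Match advisories to resolved versions, then split hits by whether the
    application references the vulnerable class (a crude reachability check).
    Returns (reachable, unreachable) lists of 'library:class' strings."""
    resolved = resolve_transitive(graph, root)
    reachable, unreachable = [], []
    for lib, bad_version, cls in advisories:
        if resolved.get(lib) != bad_version:
            continue  # library absent or running an unaffected version
        bucket = reachable if cls in used_classes.get(lib, set()) else unreachable
        bucket.append(f"{lib}:{cls}")
    return reachable, unreachable
```

Of the three matching advisories, only the one whose vulnerable class the application actually calls lands in the reachable bucket; the other two are the "effectively false positives" the paragraph describes, though the unreachable bucket still deserves patching on a slower schedule.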
The challenge for SMEs
SMEs – like MEDoc and Inbenta – are frequently the target of supply chain attacks. Firstly, they are unlikely to have the security resources of the bigger companies they supply, so they are targeted as a stepping stone for larger attacks against bigger customers. But they are also targeted via their own supply chains. With supply chain attacks being a major growth area for cyber criminals, this is a worsening scenario, and the question is “What can the SME do to protect both itself and its customers?”
The situation has been aggravated by the COVID-19 pandemic. As of June 2021, it is estimated that 47,000 small UK companies are in financial distress, and unlikely to be able to afford tackling the supply chain threat in-house.
Regulations, compliance, and certifications are compounding this effect; the explosion in remote working is making it even harder for many companies to meet requirements for security certifications as they often cannot guarantee that remote-working employees’ home networks are sufficiently protected.
Are MSSPs the solution?
Most SMEs need to be very careful with their resources and budgets; fiscal management and minimizing costs can make or break the business. Effective security, especially attempting to create a robust security infrastructure in-house, requires the kind of time and resources that only large-scale, successful businesses can afford, a burden that is only compounded by the complexity of both the inbound and outbound supply chains for many medium-sized enterprises.
The obvious and best solution is to hand off the problem to a specialist managed services provider (MSP). But, beware. Not all MSPs are equipped to offer a flexible, responsive service that can meet the needs of a unique supply chain on a medium-sized enterprise scale; micro-businesses may benefit from certain off-the-rack security providers, and large conglomerates have the option of adopting multiple MSPs to cover different aspects of the business. An SME needs to find a solution that will cover all bases while still being financially manageable.
Specialist Managed Security Service Providers (MSSPs) often have extensive experience securing the entire supply chain in organizations of many sizes. No business is too small or too large to need comprehensive cybersecurity, as any link in the supply chain is a potentially valuable target for malicious actors.
That’s where MSSPs don’t just provide a security solution, but work closely with customers to develop a rich, complete understanding of the enterprise’s needs and limitations. This lets MSSPs provide the best, most thorough security through technology, strategy, expertise, and training tailored to the unique needs of businesses of any size, at any point in the supply chain.