Supply chain attacks are on the rise and putting many companies at risk. Microsoft and F-Secure Service Technology have provided statistics showing that these attacks are increasing and are causing billions of dollars in losses to global firms. Maersk Shipping was hit by NotPetya through the injection of the malware into the M.E.Doc software on one machine. That one machine caused an estimated $200-$300 Million in damages to the organization. Had some fundamental practices been in place, the organization could have reduced the damage from the infection.
Where Do I Start?
There are a few key things to know about supply chain attacks:
- Know who you are doing business with
- Know where your systems are exposed
- Know your network
- Layer your defenses
We will go through each of these bullets at a high level and give you some tips for reducing your risks.
Who Are You Doing Business With
Supply chain attacks exploit the trust between parties, and that trust is even greater with business partners and vendors. This makes it all the more important for you to understand how your partners are addressing risk. Do you know whether they back up critical systems, whether they have mechanisms in place for handling incidents, and whether they can still deliver service to your organization in a disaster scenario?
First, if you cannot list all the organizations you get services, products, or materials from, that is your starting point. From there, you need to determine how they are staying safe, and apply the questions above to your own business as well.
How Are Third Parties Connecting to Your Business
Next, you want to know how you connect to these partners. Some examples, in descending order of trust, are:
- Unattended direct connections to your network (VPN, RDS, SSH)
- Monitored connections to your network (they don't connect without your consent and knowledge)
- Organizations that you do business with regularly
  - CPA
  - Legal Services
  - Supply Companies
  - Professional Connections
This is not an absolute list but a framework for understanding that not every third-party connection is direct. Each of the items listed above carries some degree of trust that, if violated, could result in compromise of your systems, which could in turn lead to reputational and financial damages.
Do You Know What’s on Your Network
Once you know how businesses connect to you and what the risks are, you need to ensure you are also aware of what is going on within your network. If you cannot identify all of your assets or do not maintain a complete asset list, how do you determine what is and is not permitted on the network? Monitoring your network for intrusions, and being able to identify and address those intrusions, is critical to the event and incident handling process. The time to threat identification and remediation can make the difference in the scale and scope of impact to your business and the customers it serves.
You Need to Layer Your Defenses
Last, we need to establish a defense-in-depth strategy. No one solution will provide you with absolute coverage, and there is no such thing as the perfect security stack. A defense-in-depth strategy would look something like this:
- Well-developed policies and procedures for administrative protections
- A security awareness training program to strengthen employees' ability to identify common threats
- Well-maintained systems with up-to-date operating system and software patches
- Covering every system with some form of endpoint protection
- Ensuring you have proper network perimeter protections in place
- Network and system monitoring tools that can identify threats and address them accordingly
- Some form of event logging solution to allow for ease of incident investigation and reporting on critical systems
Again, this is not an all-encompassing list but a primer to get you thinking about where you may have gaps in your security posture and how you can start to reduce risks in those areas. In closing, you should at a minimum take these key things away from the discussion:
- Know who you are doing business with
- Know where your systems are exposed
- Know your network
- Layer your defenses
The world in which we work and do business is becoming more complex. With that, the methods by which attackers target and take advantage of business owners are becoming more complex as well. Taking measures today to reduce your risks helps you work through a breach should it occur, and reduces the risk that your business becomes a statistic we talk about in later discussions.