Supply chain attacks are a serious threat to organisations of all sizes. They occur when attackers target the suppliers that provide services, software or hardware to a business rather than the business itself. Once attackers gain access to a supplier's systems, or to the software that supplier ships, they can use that trusted position to steal sensitive data or install malware on the customer's systems. A few tactics are common in this type of attack:
Social engineering: This involves tricking employees or suppliers into giving up credentials or sensitive information, or into clicking on malicious links.
Zero-day exploits: These exploit vulnerabilities for which no patch is yet available, typically because the vendor was not aware of them until they were already being exploited.
Supply chain manipulation: This involves modifying or tampering with software or hardware components during development, build, manufacturing or distribution, so that the customer receives a component that already contains malicious code.
A Few Examples
Codecov supply chain attack (April 2021)
Targeted company: Codecov, a company that provides code-coverage tooling used in continuous integration and continuous delivery (CI/CD) pipelines.
Third-party involved: The attackers obtained a credential leaked by an error in Codecov's Docker image creation process and used it to modify the Bash Uploader script that customers download and run inside their CI jobs.
Malicious script: The altered uploader sent the environment variables of each CI job (credentials, tokens and keys) to an attacker-controlled server, giving the attackers access to the repositories and cloud services of organisations that used Codecov. The change went unnoticed from 31 January until 1 April 2021, when a customer noticed that the script's checksum did not match the one published in Codecov's GitHub repository.
Log4Shell in VMware products (December 2021)
Targeted company: VMware, a software company that develops virtualization software, together with every other vendor that shipped the affected library.
Third-party involved: Log4Shell (CVE-2021-44228) was not a malicious VM template but a critical vulnerability in Apache Log4j, an open-source logging library embedded in many VMware products, including VMware Horizon and vCenter Server. A crafted string logged by a vulnerable application triggered a JNDI lookup that fetched and executed attacker-supplied code.
Inherited vulnerability: Organisations that had never installed Log4j themselves were exposed through the third-party software that bundled it, which is why the incident is widely cited as a software supply chain problem. Attackers exploited unpatched VMware Horizon servers to deploy backdoors and ransomware, and many victims could not tell which of their products contained the library until vendors published advisories.
SolarWinds Orion attack (December 2020)
Targeted company: SolarWinds, a software company that develops IT management tools.
Third-party involved: The attackers compromised SolarWinds' Orion build process and inserted a backdoor (later named SUNBURST) into a digitally signed Orion update. The update was installed by roughly 18,000 customers, and the attackers then used the backdoor selectively to move into a much smaller set of high-value organisations, including US government agencies and Fortune 500 companies.
REFERENCE: Supply Chain Security in the GDPR
The following articles address supply chain security:
Article 32: This article requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, such as pseudonymisation and encryption. A supplier that processes personal data on your behalf is bound by it as well.
Article 33: This article mandates that data controllers notify the supervisory authority, where feasible within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The same article requires a processor to notify the controller without undue delay after becoming aware of a breach, which is the clause that ties a supplier's breach to your own notification clock.
Article 34: This article requires data controllers to communicate a personal data breach to the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
To protect against supply chain attacks, businesses can take the following steps:
Perform thorough due diligence on vendors: This includes assessing their security practices, certifications and history of incidents. Even a simple security questionnaire will help you understand a vendor's security posture.
Implement supply chain visibility: This involves maintaining an inventory of the software components and data flows you depend on (for software, a software bill of materials, or SBOM) and monitoring them, so that when a supplier is compromised or a vulnerability in a bundled library is disclosed you can tell quickly whether you are affected.
Proactively identify and patch vulnerabilities: This includes running vulnerability scanning tools against your own systems and your dependency inventory, and applying vendor patches promptly.
Educate employees on cybersecurity best practices: This includes training them to identify and report suspicious activity.
Develop an incident response plan: This plan should outline how the organisation will respond to and recover from a supply chain attack, including how it will confirm whether a compromised supplier's product is present in its environment and how it will revoke any credentials that product may have exposed.
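As an added example, not code from the original article or from AdviceBytes, the following Python script shows the kind of check that supply chain visibility makes possible: it reads a CycloneDX-style SBOM and flags components whose versions fall inside a known-vulnerable range. The SBOM, its component list and the advisory table are constructed for illustration; only the log4j-core entry corresponds to a real advisory (CVE-2021-44228, fixed in Log4j 2.15.0, with follow-up CVEs moving the recommended version to 2.17.1 or later). In practice the advisory data would come from a feed such as OSV or the NVD rather than an inline table.

```python
"""Flag SBOM components with known-vulnerable versions.

Added example, not part of the original article. The SBOM and the
advisory table are constructed for illustration; pull real advisory
data from a feed such as OSV or the NVD in production.
"""
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical Java service.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4.2"},
    ],
})

# Advisory table keyed by "group:name". A component is affected when
# introduced <= version < fixed. Only the log4j-core entry is real
# (CVE-2021-44228, Log4Shell, fixed in 2.15.0); the lower bound is
# simplified, since 2.0-beta9 onward was affected.
ADVISORIES = {
    "org.apache.logging.log4j:log4j-core": [
        {"id": "CVE-2021-44228", "introduced": "2.0", "fixed": "2.15.0"},
    ],
}


def parse_version(version):
    """Turn '2.13.4.2' or '2.0-beta9' into a tuple of ints.

    Non-numeric suffixes are dropped, which is good enough for the
    dotted versions used by Maven-style coordinates.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """Return True when introduced <= version < fixed."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        # Right-pad with zeros so (2, 15) and (2, 15, 0) compare equal.
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def find_vulnerable_components(sbom_json, advisories):
    """Return one finding per (component, advisory) match."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        key = f"{comp.get('group', '')}:{comp['name']}"
        for adv in advisories.get(key, []):
            if version_in_range(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": key,
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(upgrade to {f['fixed_in']} or later)")
```

Run against the constructed SBOM, the script reports only log4j-core 2.14.1; log4j-api is left alone because the advisory is keyed to the exact group and artifact, which is the same precision you want from a real inventory so that an alert means "we ship the affected library" rather than "something with a similar name".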
At AdviceBytes, we conduct a thorough assessment of third-party suppliers and vendors and provide guidance on addressing the associated risks.
One of the basic things we look at is whether you have a legal and contractual agreement with each third-party supplier covering security obligations and breach notification. For suppliers that process personal data on your behalf, the GDPR's Article 28 requires such a written contract in any case.
"Protect your business's reputation and integrity with vigilant third-party vendor security checks."