Tech Journal: How Secure Is Your Supply Chain?

By Lloyd Tanaka / 26 Oct 2021


As the world strives to rein in COVID-19, many organisations are being challenged by a second universal threat — the cyber pandemic. Both are taking a heavy toll on people, organisations and communities.

In the last year, over 4.3 million lives have been lost in 220 countries and territories due to COVID-19 — and ramped-up cybercrime totalled nearly $1 trillion. Both viral and cyber crises have surged with variants, deflating efforts to prevent further destruction.

These pandemics are intertwined.

Opportunistic cybercriminals have used COVID-19 disruption to strike consumers and businesses. The global shift to lockdowns and hybrid working fuelled increases in cyberattacks, sparing no industry, including front-line organisations fighting outbreaks. Threat intelligence research estimates that organisations globally have experienced a 29% increase in cyberattacks.

The real breakout cybersecurity story in 2021, however, is the rise of retooled ransomware attacks, increasing 93% in the first six months of 2021. This new version of ransomware can identify and exploit vulnerabilities within interconnected supply chains. Technology providers, second- and third-level partners, and the users themselves are all susceptible to a “triple extortion” ransomware technique. This means that in addition to stealing sensitive data, criminals are threatening to release the data unless payment(s) are made.

Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering the files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom isn't paid.

Ransomware is not new, but the rules have changed.

CEO and Founder of Check Point Software, Gil Shwed, stated, “Countries and businesses are all realising the changing shape of life. In the past, there were clear rules about retaliation and why should someone attack someone else. Now, all the rules are being redefined and it’s much harder to attribute who’s behind a cyberattack than a physical or kinetic attack on a country or business.”

Long before the viral outbreak, Shwed warned of increasingly potent, elusive and disruptive Gen V (fifth-generation) cyberattacks. Nothing illustrates this better than 2021’s high-profile ransomware attacks, which have included:

  • Colonial Pipeline: A single compromised password found on the dark web was used for the hack.
  • JBS: REvil, the prolific cybercriminal organisation responsible for this attack and for the Kaseya attack, has since gone offline.

These are the well-publicised attacks, but threat researchers say 15 new REvil attacks have occurred each week in the last several months, with the U.S., Germany, Brazil and India as the top targets. On average, criminals behind ransomware attacks hit a new organisation every 10 seconds.

Mitigating risk with supply chain partners

One of the most complete analyses of supply chain attacks to date is a recent European Union Agency for Cybersecurity (ENISA) publication. The following are its recommendations for customer and supplier organisations to mitigate the risks of supply chain cyberattacks:

Suppliers should adhere to commonly accepted security practices:

  • Ensure that the infrastructure used to design, develop, manufacture and deliver products, components and services follows cybersecurity practices.
  • Implement a product development, maintenance and support process consistent with commonly accepted product development processes.
  • Implement a secure engineering process consistent with commonly accepted security practices.
  • Consider the applicability of technical requirements based on product category and risks, offering Conformance Statements to customers for known standards (e.g., ISO/IEC 27001, IEC 62443-4-1, IEC 62443-4-2, or sector-specific ones such as the CSA Cloud Controls Matrix (CCM) for cloud services), and ensure and attest to, to the extent possible, the integrity and origin of open-source software used within any portion of a product.
  • Define quality objectives such as the number of defects or externally identified vulnerabilities.
  • Report security issues and use them as an instrument to improve overall quality.
  • Maintain accurate and up-to-date data on the origin of software code or components, and on controls applied to internal and third-party software components, tools and services present in software development processes.
  • Perform regular audits to ensure that the above measures are met.

To manage the relationship with suppliers, customers should:

  • Manage suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components.
  • Classify assets and information that are shared with or accessible to suppliers, and define relevant procedures for their access and handling.
  • Define obligations of suppliers for the protection of the organisation’s assets, for the sharing of information, for audit rights, for business continuity, for personnel screening and for the handling of incidents in terms of responsibilities, notification obligations and procedures.
  • Define security requirements for the products and services acquired.
  • Include all these obligations and requirements in contracts; agree on rules for sub-contracting and potential cascading requirements.
  • Monitor service performance and perform routine security audits to verify adherence to cybersecurity requirements in agreements; this includes the handling of incidents, vulnerabilities, patches, security requirements, etc.
  • Receive the assurance of suppliers and service providers that no hidden features or backdoors are knowingly included.
  • Ensure regulatory and legal requirements are considered.
  • Define processes to manage changes in supplier agreements (e.g., changes in tools or technologies).

Conclusion

As long as viral and cyber pandemics continue to morph and evade eradication, they’ll continue to take their toll on the global community. It’s important to realise that as you invest further in cybersecurity prevention and deploy more advanced tools, decades of cyberthreat activity show that well-funded threat actors will also evolve. Ransomware, phishing and other malware techniques will continue to advance, necessitating frequent assessment of your cybersecurity strategies and practices.

About the author


Lloyd Tanaka

Content Manager, Check Point Software

Lloyd is responsible for content strategy development, which includes the conceptual framework and business case for content targeting CISOs and other information security executives. He manages a team of content strategists, producers and operations specialists — and has spent several decades in various security software marketing and content roles.