In the cyber security world, there has been an increased chatter and focused around the supply chain cyber security risks. Supply chain attacks are defined as, “Any threat targeting an organization that originates from a third-party vendor, or outside firm, with access to the organizations network.”
When thinking about supply chain attacks, use the following types of businesses as a general starting point.
Building Maintenance (HVAC, Plumbing, Electrical)
IT/Managed Services Providers
Physical Security Companies (Alarms, Cameras, Access Control, etc.)
Clinics, Hospitals, Surgical Centers, Rehab Facilities, General Practitioner Offices
In general, any third-party vendor, or outside firm that has access to your data (locally or cloud), email or the network risks a supply chain attack targeting your organization. Take into consideration the following two examples. Many organizations hire an HVAC company to manage their environmental controls inside their building. The systems are placed on the network and then access is opened up through the firewall so that the system can be managed. Another example is an outside accounting firm that needs to remotely access the company books in order to prepare tax filings, perform audit functions, or assist with any questions.
Where the Risk Comes In
The risk to your organization comes when you open up access to these outside firms. Once they are connected and have access, anything is possible. If your network is open to anyone connected, flat, and/or not property sanitized then the possibilities of the risks are endless.
It is possible that you have a number of security controls in place, but the connected firm has not taken the proper steps to protect themselves. Once that connected firm crosses paths with any resident malware, ransomware, or any other malicious cyber content, your data will be accessible.
Take into consideration the attack of Target. The threat came through the HVAC vendor who had a connection to manage the systems. The threat actor was able to find the POS systems, and from there the rest is history. The outcome was devastating, resulting in Target losing almost a billion dollars and employees losing their jobs, all because the connection wasn’t properly secured.
What Can Be Done
So, what can be done about this? The process to limit access is something that needs to be in the DNA of every person on your IT staff. Our General Manager calls this the Policy of Least Privilege. Every connection needs to be limited to access just what they need. Connections from third parties never need to be the same connection used by another vendor. The connections used by your vendors should be unique and private from all other vendors within your organization.
You also need to section off, or VLAN, your network so the devices that need remote access are not part of the general network. Everything within your network should be contained and within its designated spot, limiting the number of places that a breach could occur. If Target had placed their POS systems in an isolated environment, then the attack would have never happened. The bad actors would have found their way to the HVAC systems and possibly would have caused some damage, however, the damage would have ended there. No individuals would have been harmed and no one would have lost their jobs, especially not the CEO or IT team.
My last suggestion is to ask any vendor that wants access to your network or data for a recent copy of their security assessment, or at least a report verifying that they are taking the steps necessarily to protect their organization. You should ask the vendor for proof of cyber-protection before you execute a contract. Additionally, it should be required that the vendor’s cyber-protection is assessed every year. This will go a long way, and ensure that the vendor’s you are working with are taking the security of your business seriously. This is no substitute from doing the isolation and limit work on your end, but it does mitigate the risks further.