The last two years in cybersecurity have been unprecedented. In 2020, there was the en masse transition to remote work as physical offices closed, and dining room tables and spare bedrooms became offices and classrooms. IT professionals were tasked with ensuring operations continued with minimal disruption. In 2021, little relief was found, as ransomware incidents continued to make daily headlines, increasing in both frequency and severity, and critical vulnerabilities in widely used software and operating systems being discovered. On the heels of ransomware is the cyber supply chain attack. As organizations invest in protecting their networks, bad actors are gaining access to an organization’s network through a trusted partner.
What is a cyber supply chain attack?
A cyber supply chain is an organization’s digital ecosystem — essentially, it’s all of the interconnected pieces of software and technology an organization has internally and externally that drives their operations and produces their products. Each of these interconnected pieces has the potential to be a gateway for malware. What makes cyber supply chain attacks different from other malware attacks is that they gain access through trusted access points and their activity appears normal. Recent examples of supply chain attacks are SolarWinds, Kaseya and the ongoing Log4jshell.
What are underwriters looking for?
Digital supply chain attacks are difficult to prevent entirely. However, as underwriters, we consider how organizations invest in the following cybersecurity areas:
1) Patching Discipline
What is the maximum timeframe from when a software patch is released to when it is applied to the organization’s system? Patching would apply to all software and not just the Windows Patch Tuesday cycle.
2) Vendor Management
Who is connected to your organization’s network? What data and level of access does each vendor have? Why do they have the connection, and is it still necessary? How does their security posture compare to the applicant?
3) Authentication
Does the organization use multi-factor authentication, and to what extent? Authentication provides another layer of protection should a bad actor gain access to credentials.
4) Segmentation
Segmentation is all about reducing the attack surface as much as possible. Start by operating on a principle of least privilege. An organization that allows administrative access as a default poses a higher risk than one that grants access only so far as the role or project requires.
5) Detection and Response
Because supply chain attacks are challenging to prevent, it’s important to focus on enabling quick detection and response.
- Endpoint Detection and Response (EDR) — Endpoint Detection and Response software monitors and responds to threats as they occur. Anti-virus software is based on known threats, whereas EDR has the ability to recognize abnormal behaviour.
- Penetration tests and vulnerability scans — How frequently are tests and scans conducted? Vulnerability scans look for known vulnerabilities, while penetration tests look to actively exploit weaknesses in the network.
- Contingency plans — Having thoroughly developed and regularly tested incident response plans, disaster recovery plans and continuity plans can help minimize the impact of an attack, coordinate the responsibilities of an organization and lessen the downtime. The best plans are regularly updated to reflect the current threat environment. Organizations should consider revisiting their plans to include supply chain attacks.
There are no signs of cyber supply chain attacks slowing down. Along with ransomware, supply chain attacks are expected to increase fourfold. Exercising discipline and focusing on the above cybersecurity areas can help organizations manage risk within their cyber supply chain. The ownership of securing digital ecosystems to reduce the risk of potential events belongs to each individual and layer within the organization.
A blog created for Canada. Reference: Eric Edwards
3 Key Steps to Protecting Against Cyber Supply Chain Attacks. [Blog Post]
