Jonathan Porter
A company can have the best cyber security money can buy, but there is still one insidious danger lurking in the digital landscape that many business owners and CTOs can overlook – the threat from the electronic supply chain.
The danger, says Kieran Deale, senior strategic consultant for cyber security firm Mandiant, is that all companies have a digital supply chain these days, whether they know it or not. This means attackers can develop other ways of compromising a company, without directly attacking it.
A number of high-profile attacks have targeted third-party vendors to hurt companies. Getty.
“Really, it’s exploiting trust between people and companies,” says Deale, whose career has spanned professional services, law enforcement, critical infrastructure security advisory and security operations.
“A lot of companies do blindly trust their vendors without having assurance layers. That’s where the damage comes from.”
Protecting Australian firms’ long digital logistics chain is complex, says Deale, and relies on boosting threat awareness, helping the client manage their cyber defence programs and improving technology.
“No two companies are the same,” he says. “What we do is to make them realise that it’s not just one solution, it’s not just a piece of technology that can suddenly be deployed inside a company to fix the problem.
“Any company with a mature security posture has multiple overlapping elements to accomplish their security objectives – and so protecting digital supply chains is a challenge that also has multiple overlapping elements.”
He says one of the most challenging aspects of cyber security is getting businesses to define their critical assets.
“Most organisations can’t define their critical IT assets because everything to them is critical. The trick is to get them to articulate what processes are vital to their business and work backward from there,” he says.
Kieran Deale says hackers exploit trust across the supply chain. Supplied.
Deale encourages Australian cyber executives to talk to their digital vendors and ask them about their security standards, working together on security through collaboration. However, Deale also says companies and cyber security teams can’t be naïve. They need to ensure their procurement teams have structured their service level agreements appropriately, ensuring formal channels exist to monitor, measure, escalate and enforce security outcomes with their supply chain partners if necessary.
The challenge for digital supply chains is highlighted by last year’s SolarWinds attack which happened when hackers inserted malicious code into the company’s software updates.
The updates, which contained the malicious software, went on to infect over 18,000 entities globally, some of which were providers of critical infrastructure and critical services to their respective countries. No sector was immune, with victims ranging from national security agencies, law enforcement, nuclear regulation, public health, aerospace, finance and mining.
The breach was detected by FireEye – Mandiant’s parent company. In the wake of the attack Kevin Mandia, CEO of FireEye, testified to the US Senate that the attack was the work of a nation-state level actor. SolarWinds has made security patches available free to its clients and to the wider public, and FireEye has published extensive guidance on how to detect threat activity related to this attack.
The attack is the latest shot fired in a new kind of cyber warfare – although the nature of the attack is not new, with Deale citing historical attacks on physical supply chains dating back to World War II.
“Militaries often design campaigns using effects-based operations, a strategy in which an attacker targets up stream weaknesses to achieve their end goal.”
Mandiant’s concern is that financially motivated actors will have seen how effective it has been to compromise an organisation through its supply chain, and replicate the strategy.
Deale says that moving forward the challenge has been to predict how and where a firm would be attacked.
“We work with our red teams and say ‘how would you go ahead and attack something like this’ or we can work with our intelligence teams to determine if these kind of things are happening out there or not.
“From a business standpoint, it comes down to having good risk management processes in place, understanding your vulnerabilities, knowing your critical assets, and having the intelligence to determine who would actually target them.”
Deale says no Australian company is immune from a digital supply chain attack.
“From a supply chain standpoint, everyone can be vulnerable. It comes down to having those relationships with your supply chain, with your vendors themselves, knowing that they’re doing a good job in regard to their own security. No one’s immune.”
He has also noticed a dangerous “compliance-based” attitude to security in Australia.
“This is an issue, when people rest on their laurels and just sit there and say we’re certified, we’ve ticked the boxes, we’ve done the bare minimum.
“And I’m not saying this happens all the time but it does factor into the things we routinely see. I’ve seen some very, very good compliance-based security programs in place, and they are a good base to go from, to make a few minor tweaks and start to build mature levels of security.”
No comments:
Post a Comment