What is a Supply Chain Attack?
In partnership with Breezeline
Author Elaine Harrison-Neukirch
Supply chain attacks are becoming increasingly frequent. They are an effective way for attackers to achieve their goals and can potentially affect multiple consumers or organizations. Attackers may be looking for financial gain, personal information, or industry secrets.
What is a supply chain?
TechTarget defines a supply chain as:
A supply chain is the network of all the individuals, organizations, resources, activities, and technology involved in the creation and sale of a product. A supply chain encompasses everything from the delivery of source materials from the supplier to the manufacturer through to its eventual delivery to the end user. The supply chain segment involved with getting the finished product from the manufacturer to the consumer is known as the distribution channel.
What is a supply chain attack?
A supply chain attack is an attack that aims to breach a trusted third-party supplier. The supplier may offer products or services. For example, the Colonial Pipeline attack last year caused an interruption in the availability of gasoline for many states in the U.S.
This Microsoft article identifies types of supply chain attacks:
Compromised software building tools or updated infrastructure
Stolen code-sign certificates or signed malicious apps using the identity of dev company
Compromised specialized code shipped into hardware or firmware components
Pre-installed malware on devices (cameras, USB, phones, etc.)
Over the past few years, there have been some high-profile supply chain attacks. These include the Colonial Pipeline, Florida Water and SolarWinds attacks.
Can consumers protect themselves from these attacks?
As a consumer, there is not a lot that you can do to protect yourself. As you may have seen with recent product shortages (baby formula and other products), the consumer is vulnerable to a break in the supply chain. Companies must ensure proper security controls, detections and training are built into their security policies and processes. Even these are not a sure thing when it comes to supply chain attacks. For example, the SolarWinds software was used in thousands of organizations including the Government. The attackers were able to build a “back door” into the software and eventually gain access to the networks of both government and private organizations. This was done over months and was exceedingly difficult to detect.
As technology progresses, so do attack tactics. Supply chain attacks will evolve and most likely continue.
What can I do to protect myself?
As previously mentioned, consumers cannot do much to protect themselves against supply chain attacks. There are, however, some steps you can take to keep your personal information and credentials safe.
Be wary of the software you use. Research before you buy and be very skeptical of any “freeware.”
Practice good password and cyber security hygiene to protect your online accounts. By doing so, you can help protect your personal information if it is stolen in any type of supply chain attack.
Do not use the same password for multiple accounts.
Use “passphrases,” which are longer and harder to guess using password cracking software. An example of a passphrase is “snakesareslitheryandlong.”
Turn on two-factor authentication for all online accounts.
Use a password manager to store your passwords securely.
About the Author: Elaine Harrison-Neukirch has over 10 years of experience in cyber security working in the healthcare and financial services industries. She currently runs the customer support program at SCYTHE. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity and Women’s Society of Cyberjutsu. She is also the Education Director for CSNP. @rubysgeekymom