Last month, CCleaner, a popular “computer-cleaning” application, was revealed to have been shipping malware. Criminals had compromised the build and distribution environment of the app’s developer, Piriform (which Avast had recently acquired), and inserted a backdoor into the official CCleaner binaries, which were then downloaded by millions of users. The CCleaner debacle is an example of a supply chain attack, a strategy that is becoming increasingly popular as criminals seek to exploit the trust users place in the businesses they buy from.
Rather than attacking the target directly, supply chain attackers look for less well secured systems, or more efficient vectors, further down the supply chain. Compromising 2.27 million computers one at a time is not an easy task. Compromising the distribution system of a single company trusted by millions of users is a far less daunting proposition. In the case of CCleaner, the attackers got into the developer’s systems early enough that the backdoor was inserted before the release was cryptographically signed. The tainted installer carried Piriform’s own valid code-signing signature, so every check a user or an operating system could perform reported it as genuine. The signature proved who shipped the file; it said nothing about whether the build being signed had already been tampered with.
The incidence of supply chain attacks is likely to increase as ordinary users become more savvy and consumer software becomes more secure. If attackers can’t put their malware on phones and computers directly, they’ll target the software developers, suppliers, vendors, and service providers those users already trust.
One of the biggest supply chain attacks in recent memory compromised the retailer Target. The attackers did not break through Target’s perimeter; they stole network credentials issued to a third-party HVAC vendor, used them to gain a foothold on Target’s network, and from there pushed card-stealing malware onto the point-of-sale systems. Target had invested in a sophisticated security apparatus, but the vendor’s weaker security, combined with the network access that vendor had been granted, allowed the attackers to bypass it.
As supply chain attacks increase, we can expect companies to look more deeply into the systems and controls their vendors have in place. No business wants to lose reputation and revenue because its suppliers aren’t secure.
That puts a lot of pressure on companies that would otherwise not have had to worry much about security. If a company supplies software or services to other businesses or to thousands of individual users, it must make sure its systems are secure. A vendor that cannot demonstrate secure systems and controls will find prospective customers reluctant to do business with it.
And, of course, that increased vigilance is transmitted up the chain. Software development agencies, SaaS applications, and other businesses that ask for the trust of their users must look closely at their suppliers too, including hosting and data center providers.
At a minimum, software and services businesses should ensure that their data center provider can produce relevant third-party attestations, such as a SOC report issued under SSAE 16, the auditing standard for reporting on the controls at a service organization (SSAE 16 has since been superseded by SSAE 18, so newer reports will cite that standard instead). Ask for the report itself rather than the badge: the scope section tells you which systems and controls were actually examined, and the auditor’s noted exceptions tell you where they fell short. When customers ask what a company does to keep its supply chain clean, attestations of this sort, and the ability to explain what they cover, are an excellent response.
Criminals who use supply chain techniques know that if they look far enough along the chain, they’ll find an organization that doesn’t have the resources and the security expertise to build secure systems. Steadfast’s managed security services, which include security and compliance consulting, can help your organization build secure systems and ensure that it doesn’t become a weak link in the supply chain.