Updated December 12, 2022. Originally published April 4, 2022.
What is a Supply Chain?
Over the past few decades, supply chains have transformed from linear models that had a few stakeholders into increasingly global and convoluted systems with multiple key players. While this intricate structure makes organizations susceptible to hackers, the advantages of using third-party suppliers and partners cannot be discounted.
Third-party vendors provide modern organizations access to hitherto inaccessible technologies, help reel in fixed costs, and enable economies of scale. For organizations to thrive in the global economy of 2022, they must keep these symbiotic relationships intact. Fortunately, there is a way for businesses to maintain a strong defensive posture without jettisoning vendors. But before we get there, let’s first understand what a supply chain attack is and what type of damage it can cause.
What is a Supply Chain Attack?
A supply chain attack occurs when bad actors infiltrate an organization’s privileged systems via one of the company’s third-party partners, either as a vendor, supplier or contractor. Third-party users often come into contact with sensitive organizational data and have access to corporate networks, systems, and applications. Attackers can inject malicious code into the vendors’ products by compromising the latter’s defenses. Over time, and when larger targets use the now-malicious product, the primary organization can find its own systems breached.
Many supply chain attacks take months to succeed and require a hefty investment. This reveals how persistent and powerful today’s threat actors can be. And it’s not just smaller businesses that are prone to such threats. Even large organizations with solid security postures can fall prey, as seen in the supply chain attacks against Puma and Okta earlier this year. By targeting suppliers and other third parties, hackers have increased the potential surface area of attack and discovered new inroads into global enterprises.
The Impact of a Supply Chain Attack
The December 2020 cyberattack at SolarWinds has come to represent the vulnerabilities that mire the supply chain and impact its security. The breach resulted from Russian hackers adding malicious codes into SolarWinds’ new Orion update. When SolarWinds sent this update out to over 18,000 customers, it unwittingly enabled the attackers to infiltrate the networks of more than 250 major global organizations and US government agencies. This incident clearly illustrates the risks of placing trust in your vendors.
Even in our current age of increased cybersecurity awareness, supply chains are yet to scale up their security robustness. According to a recent ENISA report, 66% of the attacks they mapped stemmed from compromised suppliers’ code. With this form of cyberattack poised to increase fourfold, organizations need to integrate security protocols that shield them from third-party supply chain vulnerabilities.
Indeed, 84% of executives believe that supply chain attacks could become the biggest threat in the next three years. Yet an identical 84% of companies use outdated third-party risk assessment methods, such as unreliable questionnaires, and leave gaping holes for potential malicious agents to exploit. Zero Trust is critical for companies looking to shore up their defenses.
How Does Zero Trust Prevent Supply Chain Attacks?
The zero-trust framework assumes that all users are potential threat actors and that all activity, whether internal or external, is a security threat. This model mandates that every user, whether a company employee or a third party, be authorized before entry is granted. Zero-trust has three cornerstone principles:
By presupposing that every stakeholder is a threat, zero-trust enables companies to verify access and track movement within networks. Meanwhile, the principle of least privilege ensures users access the bare minimum they require to fulfill their roles. Finally, micro-segmentation builds security blocks around key digital assets and prevents lateral movement. These actions are executed on internal users as well as users from the supply chain, so that no vendor is provided transitive trust within the network – even if the vendor itself is considered “approved.” This implementation of zero-trust ensures that attackers who breached a supplier will not gain access into its customers’ systems.
By implementing zero-trust, companies can:
Secure Third-Party Providers
Zero-trust can help companies limit their vulnerability to third-party providers and prevent damage should those parties be breached. When companies provide their vendors with wide access to their network, through connectivity solutions like VPNs, they become just as vulnerable as their suppliers. But when zero-trust is enabled, third-party users must be authorized and granted access only to specific applications or systems. In short, companies are no longer forced to trust their vendors’ internal security controls and are substantially safer as a result.
Limit Vendor Access and Permissions
Organizations that have enabled identity-based zero-trust access can limit third-party connectivity to their systems and minimize risk. By implementing authorization methods like multi-factor authentication (MFA) and device posture validation, only authorized users are given access and this access can even be granted only under specific circumstances or for a limited period of time.
Prevent Lateral Movement
When networks are not cloaked, hackers can move laterally and compromise multiple systems after their initial entry. A rigid zero-trust framework prevents this type of movement within the system. Users and attackers cannot see the network components and therefore cannot progress to other locations or perform reconnaissance for attacks. Simply put, they can’t attack what they can’t see.
To learn more about how Cyolo can help you prevent supply chain attacks with its identity-based zero-trust access control platform, register for a demo today.
