Days away from Christmas and weeks away from a new year, this challenging year got a whole lot more threatening. On December 8th, US cybersecurity firm FireEye disclosed that it had been hacked. Sophisticated, state-backed hackers had stolen its penetration testing tools.
Since then, more developments have continued to come to light each day. It is now identified as the biggest supply chain hack ever. The targets were the US government, its agencies, and a few other private companies. Recent reports suggest that it may well become a global cyber attack.
The origin of the supply chain hack was traced back to SolarWinds’ Orion network monitoring products. SolarWinds is a third-party network management software vendor. Hackers had planted malicious code within Orion’s March software update.
This means that about 18,000 of SolarWinds’ Orion customers may have installed the update carrying this malicious code. Reports also detail how SolarWinds’ Microsoft Office 365 email and office productivity tools were compromised as well.
The SolarWinds supply chain hack has since been identified as a nation-state cyber attack. The sophisticated methods used highlight a critical need for more robust cybersecurity.
Today, companies need to maintain constant vigilance about threats that lurk deep within. Here are a few lessons we can learn from SolarWinds' supply chain hack.
Re-evaluate your cybersecurity hygiene
2020 has proved to be a very disruptive year for the cybersecurity industry. One thing is for certain: companies of all sizes need to ensure better cyber hygiene. To do that, we need to commit to:
Understanding where our data is at all times across all environments
Ensuring that this data is classified to limit access
Making sure that the right information security controls are in place
Checking whether powerful tools for auditing and anomaly detection are actually in use
This attack didn’t happen overnight. Reports so far indicate that it had been in the making for over a year.
This suggests that, had better cyber hygiene been maintained, the intrusion could have been detected much earlier. The affected companies could then have contained the spread of the attack.
Don’t ignore ‘nth’-party vendors in your cyber ecosystem
Today, companies are more aware of supply chain hacks. Most have protocols to ensure the cybersecurity of their third parties.
The SolarWinds supply chain hack shows that it’s not just applications that can pose threats. Threats can also come from other components of those very applications. This includes:
Application execution protocols
Application verification functions
Services and components that interact with the application
The SolarWinds supply chain hack highlights some of the hidden and forgotten aspects of supply chain cybersecurity. Just because a company has the best security controls, it doesn’t necessarily mean its vendors do.
This hack also shines a light on the importance of the right level of oversight over vendor security. This type of due diligence must be extended to ‘nth’-party vendors. Remember—your supply chain doesn’t include only first-tier vendors.
Leverage technology that supports powerful cybersecurity across your vendor ecosystem
The only way you can uncover vulnerabilities in the deepest layers of the vendor supply chain is to harness the power of AI. Organisations need to leverage tools that allow them to maintain operational resilience.
You also need to extend your supply chain cybersecurity capabilities down to nth-parties in real time, and monitoring of these suppliers must be continuous. Such capabilities aren’t practical at the required scale through manual, human-driven processes.
At RiskXchange, we support companies with a powerful, 360-degree security risk rating and risk reduction management system. We generate objective, quantitative insights on a company’s supply chain security risk and performance, and provide ways for a company to collaborate with its supply chain to identify and address poor cyber hygiene.
Contact our team at RiskXchange to get your free supply chain risk score, and integrate cybersecurity ratings into your forward-looking security strategy.