The SolarWinds Hack: 4 Supply Chain Attack Survival Tips You Need to Know

Discover the rising threat of supply chain attacks and ways to protect yourself in today’s digital landscape.

Episode Summary

In the latest episode of The Fearless Paranoia Podcast, we discuss the increasing prevalence and danger of supply chain cyberattacks, focusing on incidents like the recent 3CX hack and the notorious SolarWinds attack. With the number of next-gen supply chain attacks skyrocketing by 430% between 2019 and 2020, it is crucial for organizations to understand the risks and take proactive steps to protect their digital infrastructure.

Supply Chain Attacks: A Growing Concern

Supply chain attacks are downstream attacks: rather than going after each victim directly, the attacker compromises a widely deployed system, often one running with elevated privileges, which is what makes such systems attractive targets. By compromising these systems and modifying the source code, attackers can distribute malicious code through trusted channels, bypassing the security measures that would normally stop untrusted software. These attacks have turned the common cybersecurity practice of promptly updating and patching software on its head: the update itself becomes the delivery vehicle.

Types of Supply Chain Attacks

There are various types of supply chain attacks, with software or platform-based attacks being the most prevalent. In these attacks, hackers target software operated or maintained by one company and used by many others downstream. By gaining access to the initial company and inserting malicious code, the attackers can infect all users of the product. The wide range of opportunities and the ability to access multiple environments make supply chain attacks very attractive to threat actors.

Zero-Trust Authentication Systems: A Vital Countermeasure

As attackers increasingly target circles of trust built around trusted software packages, the importance of implementing zero-trust authentication systems cannot be overstated. These systems help counter supply chain attacks by limiting trust and access, adding a layer of security to protect against malicious actors.

The Scope of Cyberattacks Through Supply Chain Attacks

Supply chain attacks can involve numerous types of cyberattacks, ranging from financially motivated ones, like deploying crypto-mining tools or widespread ransomware, to monitoring and data theft. The rise in digital infrastructure and interconnectivity has created fertile ground for these attacks to become more popular and effective.

Securing Your Organization Against Supply Chain Attacks

  1. Adopt a Security-First Mindset

Organizations must prioritize security in the age of digital transformation. Adopting a security-first mindset and focusing on building secure technologies is critical to mitigating the risk of supply chain attacks.

  2. Restrict Privileges and Implement a Layered Security Approach

Implementing a layered security approach and restricting the privileges granted to tools can significantly improve an organization’s chances against supply chain attacks. Ensuring that no single tool or account has the ability to go nuclear in your environment, that is, to compromise everything at once if it is subverted, is a vital part of security best practices.

  3. Emphasize Software Development Security and Vendor Management

With most privacy protection regimes holding companies responsible for their vendors’ security policies, organizations should ensure their software development partners are implementing security by default and security by design approaches. This includes addressing vulnerabilities in open-source components, which are common in software development.

  4. Test and Scan Software Packages

Businesses should not rely solely on vendors’ assurances. Instead, they should proactively test and scan software packages using available security testing tools to ensure the security of their digital infrastructure. This allows organizations to understand vulnerabilities and put proper mitigations in place.
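One concrete form this takes is pinning the digests of a release once it has been tested and scanned, then comparing every later copy received through the update channel against that pinned manifest, so a modified library, a dropped file or an unexpected extra module is flagged before deployment. This is an added example for this page, not code from the podcast or from any vendor; the file names and contents are constructed.

```python
"""Pin-and-verify check for software packages received through a trusted
update channel. Added example for this page, not code from the podcast or
from any vendor. File names and contents below are constructed samples."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_release(files: dict[str, bytes]) -> dict[str, str]:
    """Record the digest of every file in a release that has already been
    vetted (tested and scanned) so later copies can be compared against it."""
    return {name: sha256_hex(blob) for name, blob in sorted(files.items())}


def verify_release(pinned: dict[str, str], received: dict[str, bytes]) -> list[str]:
    """Compare a newly received copy of a release against the pinned manifest.
    Returns a sorted list of findings; an empty list means an exact match.
    Missing, modified and unexpected files are all reported, because a supply
    chain compromise typically shows up as a small change inside an otherwise
    legitimate-looking update."""
    findings = []
    for name, expected in pinned.items():
        blob = received.get(name)
        if blob is None:
            findings.append(f"MISSING  {name}")
        elif sha256_hex(blob) != expected:
            findings.append(f"MODIFIED {name}")
    for name in received:
        if name not in pinned:
            findings.append(f"UNEXPECTED {name}")
    return sorted(findings)


# Constructed sample release: what the vendor shipped and the organization vetted.
GOOD_RELEASE = {
    "agent/Agent.Core.dll": b"MZ\x90\x00...legitimate agent code...",
    "agent/config.xml": b"<config><telemetry>off</telemetry></config>",
    "README.txt": b"Update 2.4.1 release notes (constructed sample)",
}

# Constructed tampered copy: one library altered, one file dropped, one file added.
TAMPERED_RELEASE = {
    "agent/Agent.Core.dll": b"MZ\x90\x00...legitimate agent code...\x00extra",
    "agent/config.xml": GOOD_RELEASE["agent/config.xml"],
    "agent/Loader.dll": b"MZ\x90\x00...unexpected extra module...",
}

if __name__ == "__main__":
    manifest = pin_release(GOOD_RELEASE)
    print("clean copy:", verify_release(manifest, GOOD_RELEASE) or "OK")
    for line in verify_release(manifest, TAMPERED_RELEASE):
        print("tampered copy:", line)
```

The manifest only detects changes relative to the copy that was pinned, so it complements rather than replaces the testing and scanning of that first copy: if the vendor's own build was altered before release, the pin would record the altered artifact.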

Conclusion

Supply chain attacks are a growing concern in today’s interconnected digital landscape. By adopting a security-first mindset, implementing a layered security approach, emphasizing software development security, and proactively testing and scanning software packages, organizations can protect themselves against the rising threat of supply chain cyberattacks.

We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com, where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.

©2022 Fearless Paranoia