What is supply-chain security?
In the world of cybersecurity, supply-chain security means that every business, big or small, in an organisation's supply chain must have proper cybersecurity measures in place, otherwise cyber attackers could get to a big organisation via a vulnerability in their supplier network.
Supply-chain security is something we hear about all the time. One famous example of poor supply-chain security is the “Target vendor, Fazio Mechanical, confirms being victim of attack” case where attackers in the Former Soviet Union broke in through a small company specialising in refrigeration and heating, ventilation, and air conditioning (HVAC). According to Nextgov, such supply-chain attacks increased 78% in 2018. So what about the smaller fish? Your employees or the one-man-band who services an estate of a billionaire?
This is a follow-on blog from “Who would hack a hairdresser?” on why people would want to compromise a, well, less interesting business.
When big deals go wrong: a hacking state vs a firm
Let’s start off with a short story from around 10 years ago. Two large oil firms were trying to do a deal and one was not playing ball – according to the non-Western firm anyway. What no-one at the time thought about was that the non-Western oil giant was owned or partly owned by a sovereign state, who has a reputation for hacking.
By annoying another oil firm they were actually annoying an entire nation state who would stop at nothing to get what they wanted. The rival firm/nation state wanted to infiltrate the Western firm but found they could not because the other firm’s cyber defences were good, so they hacked their legal firm instead to get the files they wanted.
Let’s now look at why Mister, Mrs or Miss “Normal” could be targeted. The “six degrees of separation” theory can assist with this. If there are only six steps between anyone on earth (or less depending on where you live), what you do and your community, then supply-chain hacks can happen to anyone.
Oligarch X and his landscape gardener
Imagine the target is “Oligarch X” who has fled to London to protect himself and his family from the Russian state. His family home has bullet-proof glass, a reinforced front door, safe room, alarm, CCTV, sensors and two full-time security guards along with a large, class protection team. Physically he is safe.
His company is also well protected and so is his personal home network and devices. Now what are you, the attacker, thinking? Go down the chain till you get what you want. His large country estate has many gardeners - including a head landscape gardener. Discretion is key in any industry, especially the private client industry.
The head landscape gardener has a low profile and his or her LinkedIn profile does not state where they work or where their employer lives. One day the girlfriend or boyfriend of the head landscape gardener comes into the estate and takes a few photos, then naughtily posts them on Instagram, identifying where they are and who lives there.
Bingo, the attacker has something to go on. They now know: who the head landscape gardener is, who their boy/girlfriend is, who exactly lives there, what the security looks like and the location. This may be enough for the attacker, or they could delve further. Next they send the boy/girlfriend an email with a “spiked” PDF which then infects the shared home PC.
The landscape gardener’s home PC may have designs of the property’s security, garden layout, and invoices for gardening gear, personal contact details of the employer (our oligarch), and more. Even the smallest amounts of unseemingly interesting information can be the starting point. Football club, religion, holidays, wife, husband, interests, children and more, however trivial the information, it can assist attackers.
Cyber security lessons learned:
Be especially careful when dealing with companies which may have state backing.
The “attacker” will use all resources and time to get what they want.
Your yearly cyber security budget of £100m can go out of the window if one of your suppliers has a budget of £500k – or poor security.
Discretion is key, especially when dealing with private clients. Don’t post photos or any details whatsoever online or on your CV. Client names and specific cyber/physical defences should not be written down.
Put in the NDA and contract what employees are allowed to say.
Audit your supply chain. Go deeper than just a tick box asking if they have “Cyber Essentials” or “ISO 27001”. Ask about actually defences and processes.
Interested in cybersecurity? Find out more about QA's cyber security courses, from entry-level to advanced, by clicking here.