Supply Chain Attack – Security by Design Protecting Your Infrastructure
The world’s most archaic hunting tactic has moved online and is more relevant today than ever before. It is adopted by cyber criminals and by crime statistics it works. The saying “a chain is only as strong as its weakest link” truly applies to cyber security, both private and corporate as those two are nowadays so keenly intertwined. Why the supply chain attack tactic is so dangerous and how you can protect yourself?
It is an archaic hunting tactic that early hominids copied from the great carnivores whose prey they were first and foremost themselves. That was before humans rose to become rulers of the planet, and far before they broke down their environment into bits and bytes, into zeros and ones. Since then, since humans had to protect their clans in the primeval African savannahs from the attacks of large carnivores, times have become safer for the vast majority of us. Neither do we have to protect ourselves from saber-toothed tigers, nor do we risk our health hunting woolly mammoths. But the hunters are still out there in a different form. And they still use this oldest hunting tactic in the world: go for the weakest link in the flock.
These hunters no longer wear skins and no longer hunt with spears or slingshots. They are – whether out of criminal greed or political motivation – hunting for company property, data and most of all capital. With scripts and applications, tempting ads and personal messages. Therefore, you still have the task of a primeval clan leader: you are responsible for protecting your company from attackers, for what has been entrusted to you.
Protecting yourself from cyber-attacks is a network effort
However, the world is nowadays more complicated. The possibility to maintain an isolated company that exists self-sufficiently in its own private bubble no longer exists. All companies, big and small, are integrated into an ecosystem of suppliers, partners, external service providers, employees and other entities. This ecosystem is what the cyber security nerds call a supply chain. The links in the supply chain are all the entities somehow connected to your company. The supply chain network grows broader than you’d first think. It also includes the entities connected to your suppliers and your subcontractors, anything and anyone who in some point is in touch with your company, its people or its systems. This means that you, as the person responsible for the security of your company, must always keep an eye on the security of the units connected to you.
On the other hand, as a service provider for a superordinate company, you are not only responsible for your own company, but the collective cyber security of your employer and your employers other service providers. Therefore, whether big or small, measures and technology must be chosen in such a way that you can also guarantee security for the superordinate company.
In the current pandemic situation, it is pretty much impossible to keep such an ecosystem closed. Remote work has become an imperative for the security of your employees, when people in all organizations are plugging work computers to their own wi-fis and office VPNs, applying remote communication tools to a work setting. Unfortunately, most of the communication tools in use today rely on you opening your own firewall a bit to let computers in your own network can communicate with external computers. Understandably even tiny holes in that cyber security infrastructure leaves you vulnerable. When a digital ecosystem is not closed, you are dependent on your supply chain doing everything possible to avoid security gaps, just as they are dependent on you to do the same.
For example: Can you guarantee that the WLAN that your supplier’s employees use in their home office – and their children use for homeschooling – is secured in a way that it cannot serve as a gateway for malware into their company and thus, as a gateway into yours? How about the WLAN used by their colleague in Venezuela? How about your own WLAN security, could you swear on its impenetrability if your life depended on it?
That is exactly what a supply chain attack is. An attack on the weakest link in the chain, relying on someone being too busy to pay attention, too overloaded and starting to cut corners, someone not being aware of the danger, or just waiting for a human error to occur. The supply chain attackers do not prey on stupidity. They prey on small mishaps and shortcuts that happen in a rush and under pressure.
Victims of the recently uncovered supply chain attack, also known as the Solarwinds Hack, include government agencies and companies in the consulting, technology, telecommunications and resource extraction sectors in North America, Europe, Asia and the Middle East. It is likely that there are additional victims in other countries and industries. Because everything is so connected it can be impossible to say how far in the chain the effects of such attack can spread.
Security by Design and Supply Chain Attacks
There are ways to eliminate the chances to be struck by a supply chain attack. But if even the powerful and feared US-American NSA could fall victim to the initiators of the Solarwinds hack, it shows only too clearly how difficult it is to control a complete supply chain by conventional means.
Here are some fundamental tips how to at least increase the security level:
- Keep the supply chain as small as possible. This is a theoretically good advice for multinational and highly networked companies, but it is difficult to implement.
- Always keep the security level as high as possible, whether it is physical security of your premises or cyber security. For example, only open monitored ports for external communication. This advice is quickly given but it is very difficult to implement in large networks, because all the people in that network need to share that same strict security mindset for it to work. It is also associated with extremely high effort and thus, costs.
- Ideally, only use tools that have been developed according to the Security by Design principle and commit your network to only using communication solutions that comply with this architectural principle.
Security by Design is the answer
Security by Design means that tools and programs have been designed from the start to prevent malware from entering and other features or needs never prioritize over this at any point. It is a software architecture decision that makes impenetrability possible when followed through persistently. This is is the case with our remote collaboration solution POINTR.
Human errors when configuring firewalls and opening ports in large, diverse, distributed network spanning the entire supply chain, causes large security gaps. With POINTR one major part of the Security-by-Design thinking is to limit the user’s responsibility of collaboration security to minimum. This limits the chance of any human error in configuring but also frees their time for what they actually need the collaboration tool for without risking cyber security one bit. To use POINTR no inbound ports have to be opened at all, so such human errors are excluded with the principle of Security by Design.
From the business point of view, using POINTR has another big advantage for you as a clan leader in terms of your ecosystem. The licensing model of POINTR allows you to use it in your entire business ecosystem with the license you buy. Whether your own employees need to consult each other on an issue or your sales team needs to see what’s up with a potential customer somewhere on the coast of Newfoundland, you never need to think if it is included in your license or causes extra costs. It is included, with no tricks or fine print. This effectively closes a gateway to enter your business, regardless of whether your network partners use WhatsApp or WeChat to communicate with their other partners out of convenience, ignorance or uncertainty due to the circumstances.Communication security is our passion, and we would love to talk more about it! Contact us for more info.