Some attacks come in through the front door. In this video, you’ll learn how the supply chain can be used as an attack vector against our organizations.
The supply chain involves the process of getting a product from the very beginning raw materials all the way through to the process of providing that product to a consumer. From a security perspective, we’re concerned with every step along the way of the supply chain. This includes the processing of the raw materials, suppliers, manufacturers, distributors, customers, and consumers. We know that, anywhere along this path, an attacker may be able to inject malicious code or find some way to gain access to this supply chain.
This is something we often don’t even consider when we are having new equipment delivered. We generally trust the suppliers of our equipment and, therefore, trust the equipment that we’re plugging in. But we know that any exploit that’s put into any step along this supply chain could be a concern. And if an attacker is able to take advantage of any of these steps of the supply chain, it could put you and your data at risk.
When you’re managing all of your own systems, you know exactly what software is being updated and what the security posture of these systems might be. But what if you’re outsourcing that process to a third party service provider? In that particular example, the service provider would be responsible for all of the security concerns for those systems.
This can be especially important if the service provider has access to systems that may contain sensitive data. If there is an attacker that gains access to the service provider, they would, therefore, now have access to our sensitive data. And of course, we may be working with numerous service providers.
We may have third parties helping us with our network, utilities, office cleaning, our payroll and accounting services, our cloud-based infrastructure, and so much more. This is why it’s relatively common for organizations to have an ongoing security audit with their service providers. This is usually something that’s built into the contract with the service provider that guarantees that you’ll have access to be able to audit and find out more information about the security processes for any of your service providers.
One of the most significant credit card breaches in history occurred with the Target Corporation in November of 2013 where over 40 million credit cards were stolen. This entire process began with a breach from a service provider. Specifically, it was an air conditioning and heating firm in Pennsylvania that was infected with an email that was sent and malware attached to that email. Someone at the heating, ventilation, and air conditioning firm clicked on that malicious software, and the attackers now had access to the heating and AC firm.
As it turns out, this HVAC vendor was a supplier of the Target Corporation. And they had access to the HVAC systems that were on the Target network. Unfortunately, the Target HVAC network and the Target cash register network were on exactly the same network with no way to prevent access from one to the other. So when the attackers gained access to the HVAC systems at Target, they also effectively gained access to every cash register at every Target store.
From there, of course, they were able to put malware on every single cash register and begin collecting credit cards, until months later, they were discovered and removed from the network. But at that point, 40 million credit card numbers had been stolen. We often think of service providers as being only IT individuals, but it’s certainly possible that other service providers in your organization may provide unintended access to your network.
Another concern with the supply chain is the hardware itself. What if you bought a new firewall or a new switch or router? You simply pull that device out of the box. You plug it into your network, perform some configurations, and now it’s running on your production systems. The real question, of course, is should we trust that system, and how can we verify that system is running legitimate software?
One way to do this is to have a relationship with your vendors that you can trust. And you might use a small listing of vendors rather than simply purchasing from anyone who happens to be available on the internet. There should also be policies and procedures for the acquisition of this hardware and the implementation for this hardware. You need to make sure that all of your best practices for security are in place, and you can treat this new hardware as if it is untrusted out of the box.
Although we tend to trust our vendors and we tend to trust the manufacturers of this equipment, we still need to treat these devices as if they could potentially have some type of security concern. So we need to make sure that we’re following all of the proper security procedures when we’re putting any type of new hardware onto our network.
If we looked at our networking infrastructure, we can see that every bit of data of our organization is passing through either a router or a switch that’s part of our network infrastructure. This is obviously a perfect place for an attacker to find a way into the network and begin gathering information. This concern became very public in July of 2022 when the Department of Homeland Security arrested a reseller of Cisco products.
This company had sold more than a billion dollars of Cisco products except they weren’t really Cisco products. They were actually a counterfeit product with a Cisco logo on the front. The CEO who was arrested had also created about 30 different companies to be able to sell these counterfeit products under different names, and he had been selling these products since 2013. So over that time frame, hundreds or even thousands of switches and routers had been sent to people’s networks. And each one of those could potentially be a security concern.
The Department of Homeland Security found that most of these devices were being manufactured in China, and then they were being distributed to companies all over the world. These seem to look and act as if they were Cisco products. But very quickly, people found that they started breaking and, in some cases, began catching on fire. This is certainly not the only documented case where counterfeit hardware was installed in someone’s network, so make sure you check all of your hardware before implementing it into your production systems.
Whenever you’re installing new software or you’re updating existing software, you should be thinking to yourself, do I really trust this update or this installation? Trust is a foundation of anything we do in security. And it’s important that when we’re installing new software that we really do trust the source of that software.
One way to help with that trust is to look at the digital signature associated with the installation. Most operating systems will validate a digital signature that exists in an update or installation file. And if it doesn’t validate, it will inform you of that during the installation process.
Another challenge we might have with trusting the software is when software updates itself automatically. We’re not even involved in the process. This means that we really need to trust the software that we’re installing because anything could be installed during this automated process. And many people will say, if you really want to trust your software, you should look at the source code. But even open source software has challenges with security.
When someone has access to the code, they also have the ability to make changes to that code. Some of those changes could be malicious. A good example of problems with a software supply chain is the issue that occurred with SolarWinds Orion. This is software that was used by 18,000 customers, and many of them are Fortune 500 and US federal government.
Attackers were able to gain access to the systems being used by SolarWinds. And they were able to put their own code into the SolarWinds software within the SolarWinds infrastructure. Whenever this software was bundled together with all of the other updates, it was digitally signed and sent out to all of their users in March and June of 2020. These updates were deployed as upgrades to existing installations. And in most cases, I’m sure that the folks running SolarWinds Orion in their infrastructure didn’t even consider the software to be something that they wouldn’t trust.
What’s also interesting about this particular attack is the compromise was made in March and June of 2020, but it wasn’t detected until December of 2020. This delay in identifying a breach of this sort is not unusual, and it just speaks to how important it is to make sure that you trust every step of the supply chain process.
Once this malicious code was distributed automatically as part of this update, the attackers were able to gain their way into many different companies and organizations, including the names that you see here on the screen. Obviously, these are very large organizations like Microsoft, Cisco, Intel, and state organizations such as the Pentagon, Homeland Security, and the Department of the Treasury. These are very large networks with huge infrastructures and very sensitive data. And the attackers were able to very easily gain access by taking advantage of this supply chain exploit.