Tag Archives: Supply Chain Risk

Supply Chain Attacks Are Rampant

Today’s supply chain attack is interesting. I guess I can say that because it didn’t happen to a web site that I own and my information didn’t get stolen.

Here is the situation. Many web sites have embedded videos on them. In this case, most of the sites affected were real estate web sites and they often have virtual tour videos on the web page. In order to play a video, you need a video player. There are many video players that you can choose from, but what almost no one does is write their own video player.

Palo Alto Networks found over a hundred affected web sites; many or most of them (depending on which story you read) belong to the real estate firm Sotheby’s.

What happened? Somehow a malicious version of the video player got loaded onto these web sites. When a visitor went to the site, the video player code was downloaded to the visitor’s computer. In this case, the malware was a data skimmer, which steals information that the user provides to the website. It could be name and address information or it could be credit card information. The information can be used for social engineering or financial crimes.

The malware is polymorphic, meaning that no two copies of the malware are the same, making it difficult to detect and block. The code is also obfuscated, which makes it difficult to read and understand, so even if you tried to figure out whether it was malicious, it is unlikely that you could.

Now that this particular attack has become public, hackers all over the world are going to copy it. All it takes is a web site hosting the code with lax security. The hacker can then compromise the code and wait for a developer to use it.

This is not at all limited to video players, even though there are thousands of them. Any bit of shared code that is hosted in the cloud and linked to by developers is a valid target.

This means that you need to have a robust software supply chain risk management program in place, unless you want to be like these firms and deal with a shattered reputation.

If you need help with this, please contact us.

Credit: Threatpost and Bleeping Computer

Managing Supply Chain Risk

Supply chain risk is a hot button right now and getting hotter.

It has always been an issue – it was the source of the Target breach, the Home Depot breach, the Panama Papers and thousands of others that you never heard about. According to a Ponemon study, 56% of organizations admit that they had a breach caused by one of their vendors.

According to that study, the average number of vendors a company is sharing sensitive data with is 471 and only 35 percent of the companies had a list of all of the vendors that they were sharing data with.

The problem doesn’t stop when you terminate a supplier relationship, because they do not delete all of your data when you go away. They keep it.

Add to that the fact that only 18 percent had a handle on fourth party risk – the risk that comes from your third parties using their own third parties.

Regulators are starting to deal with it. New York is requiring financial service providers to actively manage it, and it is not easy.

GDPR also holds companies responsible for what their vendors do with their data, so if you do business in Europe, that is another concern.

Expect regulators to add more third party risk management to their requirements over the next few years. Colorado just did that.

Supply chain risk not only includes vendors that provide services to your company, but also hardware vendors and software providers. Each purchased device and each downloaded application needs to be vetted and monitored for potential security risks, and all patches have to be up to date.

The Magecart malware in the Magento Open Source eCommerce software has allowed hackers to steal millions of credit cards.

Supply chain risk not only puts your clients’ data at risk, but also puts your own intellectual property at risk. When the hackers come, they take everything.

Cloud service providers add their own risks.  Recently researchers were able to compromise at least a half dozen large web hosting providers.

And professional service providers – accountants, lawyers, analytics providers and many others add their own risk to the mix.

So what do you need to do?

Kind of like when alcohol gets out of control, the first step is admitting that you have a problem.

The biggest suppliers are likely not the biggest risk. They often have robust security programs, but even when they do, those sometimes fail. Think about Equifax.

We are seeing more CONTRACTS requiring supply chain risk management. Vendors may be asked to self-assess or to use third party risk vendors like CyberGRX, Vendorly or others. And there are vendors that provide security scores, such as Bitsight and Security Scorecard.

Companies need to up their game when it comes to supply chain risk – because the bad guys have already done that.

Information for this post came from CSO Online.