More Vendors Mean More Cyberattacks – Protect Your Supply Chain!

CyberattacksThe rise of “as a Service” companies mean that the corporate supply chain is more complicated than ever. Your company probably doesn’t do its own hiring, accounting, or software development in-house. Instead, these services are done by vendors — some of whom are probably vulnerable to cyberattacks. How can you guard against infiltration through the supply chain without losing your invaluable vendors?

DevOps Connect:DevSecOps @ RSAC 2022

The Increase in SaaS Means an Increase in Cyberattacks

In 2018, SaaS shows no sign of slowing down. Cisco predicts that SaaS solutions will comprise 60% of the cloud this year. Unfortunately, this means that 60% of the cloud is now open to cyberattacks that exploit the relationships between businesses and vendors.

Part of this concern is structural, not related to any single vulnerability. SaaS companies aren’t behind your firewall. Your connection to SaaS vendors is discoverable by attackers. Once attackers know which SaaS vendors you’re using they can either:

  • Attempt to steal access to cloud services by phishing credentials from your employees
  • Eavesdrop on your network connection
  • Steal your secrets directly by attacking your SaaS vendors

This last method recently became a lot easier. The CPU vulnerabilities dubbed Meltdown and Spectre have made it easy for attackers to threaten multi-tenant clouds. Specifically, Spectre lets users of a particular cloud instance intercept data from any co-tenant that’s using the same CPU chip. While the major cloud players – AWS, Google, and Microsoft – have already patched their systems, smaller vendors might still be sitting on their hands. Is yours?

Even Traditional Vendor Relationships are Threatened

Not every vendor provides cloud software. Companies that provide physical goods and services, as well as those that provide traditional on-premise software, are still part of the supply chain – and they still offer a window of opportunity for bad actors.

The infamous 2014 Target breach, in which hackers compromised the retailer’s POS network by first attacking their HVAC maintenance vendor, remains one of the standout examples of supply chain cyberattacks. Other well-publicized incidents include the Equifax breach, which was caused by an unpatched vulnerability in 3rd-party software, and the CCleaner breach, where hackers were able to distribute malicious updates through infected registry cleaner software.

These breaches aren’t just the cost of doing business – they’re about to be a compliance issue. For example, new regulations from New York’s Department of Financial Services will require companies to vet their suppliers for potential vulnerabilities. The EU’s upcoming GDPR will do the same – and between those two regulations, many US companies will find themselves restricted in terms of their third-party relationships.

If You Can’t Audit Them, Defend Against Them

The average enterprise may use hundreds of vendors in order to support its nonessential services, so auditing all of them for security issues may end up taking more time than you can afford. If you can’t vet your vendors, however, you can still mitigate any associated security risks.

Zero trust networks and anonymous application access are two ways that companies can safely conduct vendor relationships. This technology lets users from two companies share data across the network without opening holes in the firewall, and without exposing the existence of a connection to the general-purpose internet. If an attacker does breach a vendor, the micro-segmentation provided by a zero-trust network will prevent attackers from spreading freely through your organization.

Safe-T makes it easy for administrators to architect their network in a way that allows them to connect with vendors and customers without exposing critical data. If you think this solves a problem you’re experiencing, contact us today for a free demoNew Call-to-action

*** This is a Security Bloggers Network syndicated blog from Safe-T Blog authored by Amir Mizhar. Read the original post at: