The Haunted Supply Chain: Why Spooky Season Never Really Ends in Cybersecurity

European Cyber Security Month (ECSM) has come to an end. Awareness has been raised, so what could possibly go wrong now? Nobody will click on phishing emails or dodgy adverts, connect USB sticks found in the car park outside the grocery store or install shady software to convert PDFs to Word documents. Right?

Even if you're extremely careful, is the supplier of your highly specialised software taking care of their security? What about the logistics company you exchange emails with daily and have trusted for years?

This is a well-known phenomenon called a supply chain attack, and it basically describes one of the pipelines you use being compromised without anyone knowing. This can be a software pipeline where a manufacturer is hacked and their software injected with malicious code, an open-source project that attackers smuggle malware into, or a company you work with that has weak email security, so that malicious actors can easily take over accounts to distribute legitimate-looking mails with harmful attachments or links.

So, essentially, cybersecurity isn't a silo. It's a vast, interconnected ecosystem comprising your own cybersecurity, that of your suppliers and subcontractors, and everyone you have ever worked with, or will ever work with. If we trust the theory of Six Degrees of Separation, it is probably one huge, globe-spanning ecosystem, as it says that everyone is connected to everyone else via a surprisingly short span of nodes. Thanks to global players and tech celebrities, as well as open-source libraries - the small, unseen brothers and sisters of those celebrities - the number of nodes may be even smaller.

Just think of log4j and the panic that spread through every security department. There's a good chance that you didn't even know about it until CVE-2021-44228 was announced. Or consider the recent attacks on the npm (Node Package Manager) ecosystem, in which attackers phished a popular package's maintainer and injected malicious code into several widely used node packages for application development and cryptography. There are many such stories, some of which read like thrillers. If you're into crazy cyber stories, check out the XZ backdoor, where you can find some informative videos by Seytonic (EN) and Simplicissimus (DE) on YouTube that delve into the details of this attack.

Scary, isn't it? If one piece of software is compromised or has a critical security bug, large parts of the internet can suddenly be affected. Were you expecting good news? Well, I've got none for you. We can't really avoid this. We do have better security tests integrated into GitHub and GitLab, and AI can help to find issues in code. However, copiloted code can also introduce severe security bugs. And could you also tell me if the servers of the supplier of one of your suppliers use software from a manufacturer that uses a third-party software component whose update pipeline has been compromised?

These are important questions, but there are no good answers. It is not the responsibility of a single company to ensure the cybersecurity of its partners. Everyone needs to understand cybersecurity better, including how important it is and what can happen if things go wrong. ECSM is a good place to start, but awareness is not only for end users in terms of phishing emails and USB sticks. It is also for developers and admins.

However, we can implement targeted security checks and audits. Make sure you have an up-to-date list of vulnerabilities that you can map to your assets and the software running on them, so you can react quickly if a new CVE appears. Keep your firewalls and security rules up to date to limit access and network traffic. Ensure that your software and devices are up to date. If you are willing to accept the risk of having unpatched assets, limit access to them and work on alternatives. Make sure you have SBOMs (software bills of materials) for the tools you use, so you can detect issues in your dependencies effectively. And most importantly, ensure that your cybersecurity team can do a good job.
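As an added example (not code from the original post), here is a minimal version of the asset-to-CVE mapping described above: each asset's SBOM is matched against a vulnerability list to find which assets are exposed. The SBOMs and the vulnerability list are constructed sample data in a CycloneDX-like shape, the second vulnerability id is a placeholder, and the simple version parser stands in for a proper one.

```python
import json

# Constructed sample SBOMs, one per asset, in a CycloneDX-like shape (not a real export).
SBOMS = {
    "billing-api": json.dumps({"components": [
        {"name": "log4j-core", "version": "2.14.1"},
        {"name": "jackson-databind", "version": "2.13.4"}]}),
    "reporting-batch": json.dumps({"components": [
        {"name": "log4j-core", "version": "2.17.1"}]}),
}

# Constructed vulnerability list: package, first affected version, first fixed version
# (exclusive upper bound). The second id is a placeholder, not a real CVE.
VULNS = [
    {"id": "CVE-2021-44228", "package": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "CVE-EXAMPLE-0001", "package": "jackson-databind",
     "introduced": "2.0.0", "fixed": "2.13.5"},
]


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts such as 'beta9' sort lowest.
    A real tool should use a proper version parser for the ecosystem in question."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.replace("-", ".").split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_exposures(sboms, vulns):
    """Map every component in every asset's SBOM to the vulnerability list.
    Returns a sorted list of (asset, vuln id, package, version) tuples."""
    hits = []
    for asset, raw_sbom in sboms.items():
        for comp in json.loads(raw_sbom)["components"]:
            for vuln in vulns:
                if comp["name"] == vuln["package"] and is_affected(
                        comp["version"], vuln["introduced"], vuln["fixed"]):
                    hits.append((asset, vuln["id"], comp["name"], comp["version"]))
    return sorted(hits)


if __name__ == "__main__":
    for asset, vuln_id, pkg, ver in find_exposures(SBOMS, VULNS):
        print(f"{asset}: {vuln_id} via {pkg} {ver}")
```

Feeding real SBOM exports and a real vulnerability feed into the same loop is what lets you answer "which of our assets run this package?" the day a new CVE is announced.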

To limit the risk of being attacked via one of your suppliers, only work with those that take cybersecurity seriously. Unfortunately, you can't control whether their suppliers do the same, but you should focus on what is possible. Only contract a company if they comply with your security standards. If they don't and it happens often enough, they may improve their security measures to avoid losing more customers. Cybersecurity is a community effort. We don't have different silos; we live in a hyperconnected world where the number of electrical devices far exceeds the number of people on Earth. Therefore, it is everyone's responsibility to improve overall security, even if only by a small amount.

But don't blame others if something goes wrong. Support them and explain how they could prevent the same mistake in future. It's understandable if you're angry with them, but getting emotional in the event of an incident won't help. The most common issue I've seen so far is disabled MFA, which leads to successful phishing attacks. After such an attack, the attacker spreads phishing links from a seemingly trustworthy account to your employees. If your employees are aware of phishing, you might be lucky, and they might report suspicious emails to you. Of course, it is not your job to implement a third party's cybersecurity, but pointing out what is wrong is a good idea. This way, you can ensure they understand the issue. And if they make the same mistake again, you might want to consider working with another company.

We once had an incident involving signed phishing emails. It turned out that the company had configured their Exchange server so that all outgoing emails were signed. When the hackers compromised the system, they used the server to distribute phishing emails, and it was automatically signing these malicious emails. Did the hacker know his luck? I don't know. Is it a convenient configuration? Arguable. Did this true/false setting have a significant impact on security? Definitely! It's not only about crazy stories like “xz”, Log4j and so on. Sometimes it's just a tiny parameter that has been configured incorrectly, or user-friendliness has been prioritised over security.

Be mindful of your security, only contract companies that understand the importance of cybersecurity and consider how seemingly convenient security changes could increase risk.

Because in the end, every chain tells a story - of trust, connection, and the quiet fragility between them. Our job isn’t to break the chain, but to understand it. And maybe, just maybe, keep the ghosts from finding a way in.


There are plenty of cybersecurity blogs out there - but this one’s a little different. Think of it as your personal cyber bedtime story: a calm(ish), reflective read to end your day, with just the right mix of insight, realism and a touch of provocation.

I’m thrilled to introduce The Luna(r) Brief, a new monthly blog series that the brilliant Luna-Marika Dahl will be writing for Cybersecurity Redefined - published on the second Monday of each month at 9PM CE(S)T.

Why late? Because cybersecurity doesn’t sleep - and neither do the thoughts that keep us up at night.

Each post is designed to be a thoughtful end-of-day read - short enough to digest after work, deep enough to spark new thinking.
