Supply Chain Security: Why You Don’t Have Enough Fingers to Plug the Dike

By Michael Oldham

The latest news that the notorious Nobelium hacker group flooded at least 140 resellers and technology providers worldwide with software supply chain attacks is no surprise. It is just the next generation of these rapidly rising waves of attacks that have been progressing in their sophistication for more than a decade now:

  • Stuxnet, first observed in 2010, grew from a small, targeted attack on Iraq’s nuclear program into an infection of the SCADA software on 200,000 computers worldwide, seriously degrading industrial control systems (ICS) around the globe.
  • The 2017 Equifax breach, caused by a flaw in externally managed software, led to the staggering compromise of data on 145 million Americans.
  • The 2020 attack launched through SolarWinds’ Orion IT performance monitoring platform, in which Orion’s software updates – often exempt from routine security screenings – delivered a backdoor that gave hackers access to networks at 18,000 companies around the globe.
  • Just this summer, the REvil ransomware group locked down 60 managed service providers and over 1,500 businesses. REvil used a zero-day vulnerability in the Kaseya VSA remote management platform and demanded a $70 million ransom from Kaseya to release the encryption key. (Kaseya denies paying the ransom.)

The problem only continues to get worse. The European Union Agency for Cybersecurity (ENISA) in July estimated that we will see a fourfold increase in supply chain attacks in 2021 alone, as Advanced Persistent Threat (APT) actors continue to torpedo even more enterprise organizations whose attack surfaces are woefully ill-suited to fend off these increasingly sophisticated attacks.

The challenge is that too many organizations still take an antiquated castle-and-moat approach to securing their infrastructure. Any hacker able to penetrate the outer perimeter of the network can pivot once inside the perimeter to attack critical resources and applications – on the local network, in the cloud, with web resources, and even through devices connected through the Internet of Things.

Plain and simple, the archaic, perimeter-focused network designs are working against all of us. That makes many of today’s network designs complicit in the compromises that continue to plague us. The poor and porous approach to securing our internal networks gives hackers free rein to create cyberchaos everywhere and anywhere across our infrastructure – local, cloud, web services, IoT – from the lowest to the highest levels.

Hackers are looking for any way to get into your network. The recent supply chain attacks are the latest version of the many other types of attacks enterprise organizations have been dealing with over the years. All the hackers need to do is take advantage of one mistake, one product vulnerability or one supply chain vendor to set the wheels of potentially catastrophic events into motion. With the legacy castle-and-moat design, once the hacker is past the firewall it’s game over.

Sure, you may have invested a ton of money in all sorts of firewalls and other security products over the years. But leave open a vulnerability like those exposed in a number of VPN products or through a third party’s IoT management console, and you could be in a world of hurt. And just because you are not aware that you have been hacked doesn’t mean you are secure. The reality is quite a bit scarier.

The Cloud Security Alliance estimates that the average enterprise has more than 464 custom applications deployed across its infrastructure. That means your IT security team is drinking from a mammoth firehose as it tries to keep up with all the updates and patches on so many applications.

Every open port is a different attack vector. Each product you have on the perimeter can be targeted. Do you really have enough expertise to manage and patch every one of your products in a timely fashion? Most organizations do not have that type of resource, or it is cost prohibitive to do it yourself.

As if that’s not a dire enough security situation, shadow IT exponentially compounds the impact: IT security professionals are aware of less than 40% of those custom applications, the CSA reports. That’s leaving a standing open invitation for hackers to swim right in to launch malware, ransomware, business email compromises, brute force and phishing attacks across your infrastructure.

Throw in the massive migration to the cloud taking place through Amazon Web Services, Google Cloud, Microsoft Azure and other web services, and that’s thousands of holes in the IT dike that you have to plug – constantly, every second, every day. Then add all the partners, vendors, contractors, volunteers, remote employees and others who are connecting to your network through VPN or RDP.

You can see how these issues can quickly become a ripe candidate for a full-on breach. Just one lapse is all it takes for your attack surface to quickly find itself underwater, and no amount of post-breach bailing – either through patching or paying the hackers – will help you stem the damage that the flood of such an attack can cause.

That’s a huge problem when most organizations today still only check for trusted users at the perimeter before giving them access to the full network. Sure, some may have permissions set up in networks around certain files or applications. But if a hacker has acquired valid credentials through phishing attacks or the Dark Web, once they crack the outer edge of your dike, they can swim anywhere across your organization.

That means a hacker can target higher levels of people inside your organization for specific attacks and continue to row laterally across your enterprise to launch even more devastating malware. Or the attacker can scan network traffic and build up enough intelligence on your organization to broaden the initial penetration substantially, both horizontally and vertically. They can even run an attack on your authentication repositories themselves. From there they can exfiltrate proprietary data across all your businesses.

There is a better way to shore up your IT security. Zero Trust Access is the lifeboat that can carry you to safety and much more securely defend your attack surface. A strong Zero Trust Access solution can be located as a gateway between your users and the resources they are trying to access. That means it will work for all 464 of those custom and Shadow IT applications – SaaS, PaaS, IaaS, client server applications, legacy applications, VDI, SSH, IoT – and more.

With Zero Trust Access, by default no one is trusted, and no one gets access to resources without stringent permission after having their full context of access seamlessly authenticated. A solution like Total Access Control (TAC) closes all those gaps to more efficiently and effectively protect your organization’s infrastructure. No connections are granted to a wide-open network; resources are specifically authorized for access, or else a user is not able to connect to them.

A strong Zero Trust Access solution such as TAC provides multiple factors of authentication on the front end, along with the ability to isolate access to resources through microsegmentation. And that focused approach to microsegmentation helps ensure that hackers stay out of your infrastructure.
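The difference between the castle-and-moat model and the default-deny, per-resource gateway described above, shown as an added illustration in Python. This is not code from the article or from any Total Access Control product; the resource policy, user names and context checks are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    password_ok: bool        # credential accepted (a phished password passes this too)
    mfa_verified: bool       # second factor completed for this session
    device_compliant: bool   # managed, patched endpoint


# Constructed sample policy (not a real product configuration): each resource
# names exactly who may reach it; anything unlisted is unreachable (default deny).
RESOURCE_POLICY = {
    "hr-payroll": {"alice"},
    "git-server": {"alice", "bob"},
    "plc-gateway": {"ot-admin"},
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Castle-and-moat: one credential check at the edge, then the whole network."""
    return req.password_ok


def zero_trust_decision(req: AccessRequest) -> bool:
    """Default deny: identity, session context and a per-resource grant must all hold."""
    context_ok = req.password_ok and req.mfa_verified and req.device_compliant
    return context_ok and req.user in RESOURCE_POLICY.get(req.resource, set())


def reachable(user: str, mfa: bool, compliant: bool, decide) -> set:
    """Blast radius: which resources one session can reach under a given model."""
    return {
        r for r in RESOURCE_POLICY
        if decide(AccessRequest(user, r, True, mfa, compliant))
    }


if __name__ == "__main__":
    # Stolen password for alice replayed from an unmanaged laptop with no MFA.
    print("perimeter :", sorted(reachable("alice", False, False, perimeter_decision)))
    print("zero trust:", sorted(reachable("alice", False, False, zero_trust_decision)))
    # Alice herself, fully verified: still only the resources she is authorized for.
    print("alice full:", sorted(reachable("alice", True, True, zero_trust_decision)))
```

Under the perimeter model the single edge check exposes every resource to a replayed credential; under the gateway model the same credential reaches nothing, and even a fully verified user cannot cross into a segment she has no grant for.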