
Palo Alto says supply chain is cybersecurity’s weakest link

18 Jan 2019

Cybercriminals will often scour a company’s digital defences, looking for a weak point to exploit.

And according to Palo Alto Networks, the weakest link is the supply chain, as organisations can’t always control the security measures taken by supply chain partners.

Effectively this creates a hole that cybercriminals can capitalise on: first infiltrating the supply partner, then using that foothold to exploit other members of the chain.

Palo Alto Networks vice president and chief security officer Sean Duca says that, in light of this, it’s vital partners are aware of the risk and act to protect each other.

“Supply chain organisations are targeted because they often aren’t as aware of potential threats and may not have adequate resources to manage security to a high level,” says Duca.

“Bad actors often start small, waiting in systems for years before striking the target organisation where it’s weak.”

Duca says software supply chain attacks are pernicious because they violate the basic trust between software provider and consumer, with hackers evading traditional defences to jeopardise software and delivery processes.

The end result is that companies using the corrupted software can find themselves victims of ransomware attacks, theft of proprietary information, and commercial sabotage.

“Organisations are increasingly interconnected and, while this provides a variety of business benefits, it also comes with security risks. Cybercriminals are very aware of these connections and are using them to access networks that are otherwise well-protected,” says Duca.

“In today’s world of Internet of Things (IoT), digital buyer-seller relationships, and robotic process automation, vulnerabilities to cyber damage are increasing. Businesses may have security tools and protection in place but need to ask whether their suppliers, and their suppliers’ suppliers, and so on down the value chain, have the same kind of protection.”

Taking all this into account, Palo Alto Networks has set out three key ways to secure the supply chain.

1. Review internal and external security procedures: It’s vital for businesses to review not only their own internal infrastructure, but also that of their vendors and partners. Any new vendor or partner should undergo a thorough vetting process before full integration.

2. Establish written security guidelines and controls: Via a written agreement, organisations should require suppliers to adhere to processes and protocols that minimise the likelihood of attacks (for example, cybercriminals using a supplier’s website to host malware).

3. Training/sharing security best practices with staff and vendors: Human error is still by far the primary source of data breaches, which means it’s crucial for organisations to train all staff in security best practices.

“Organisations mustn’t overlook the risks posed by their supply chain when it comes to protecting company and customer information,” says Duca.

“Cybercriminals will look for every vulnerability to attack an organisation so it’s essential to close every gap, down to the last link in the supply chain.”
