Palo Alto says supply chain is cybersecurity’s weakest link

18 Jan 2019

Cybercriminals will often scour a company’s digital defences, looking for a weak point to exploit.

And according to Palo Alto Networks, the weakest link is the supply chain, as organisations can’t always control the security measures taken by supply chain partners.

Effectively this creates a hole that cybercriminals can capitalise on by first infiltrating the supply partner to then exploit other members in the chain.

In light of this, Palo Alto Networks vice president and chief security officer Sean Duca says it is vital that partners are aware of this risk and act to protect each other.

“Supply chain organisations are targeted because they often aren’t as aware of potential threats and may not have adequate resources to manage security to a high level,” says Duca.

“Bad actors often start small, waiting in systems for years before striking the target organisation where it’s weak.”

Duca says software supply chain attacks are pernicious because they violate the basic trust between software provider and consumer: attackers evade traditional defences by compromising the software itself and the processes that deliver it.

The end result is that companies using the corrupted software can find themselves victims of ransomware attacks, theft of proprietary information, and commercial sabotage.

“Organisations are increasingly interconnected and, while this provides a variety of business benefits, it also comes with security risks. Cybercriminals are very aware of these connections and are using them to access networks that are otherwise well-protected,” says Duca. “In today’s world of Internet of Things (IoT), digital buyer-seller relationships, and robotic process automation, vulnerabilities to cyber damage are increasing. Businesses may have security tools and protection in place but need to ask whether their suppliers, and their suppliers’ suppliers, and so on down the value chain, have the same kind of protection.”

Taking all this into account, Palo Alto Networks has provided three key ways to secure the supply chain.

1. Review internal and external security procedures: It’s vital for businesses to review not only their own internal infrastructure, but also that of their vendors and partners. Any new vendor or partner should undergo a thorough vetting process before full integration.

2. Establish written security guidelines and controls: Via a written agreement, organisations should require suppliers to adhere to processes and protocols that minimise the likelihood of attacks (for example, cybercriminals using a supplier’s website to host malware).

3. Train staff and vendors in security best practices: Human error is still by far the primary source of data breaches, which means it’s crucial for organisations to train all staff in security best practices and to share those practices with vendors.

“Organisations mustn’t overlook the risks posed by their supply chain when it comes to protecting company and customer information,” says Duca.

“Cybercriminals will look for every vulnerability to attack an organisation, so it’s essential to close every gap, down to the last link in the supply chain.”
