
Palo Alto says supply chain is cybersecurity’s weakest link

18 Jan 2019

Cybercriminals will often scour a company's digital defences, looking for a weak point to exploit.

According to Palo Alto Networks, the weakest link is the supply chain, because organisations can't always control the security measures taken by their supply chain partners.

Effectively, this creates a gap that cybercriminals can exploit by first compromising a supplier and then using that foothold to reach other members of the chain.

Palo Alto Networks vice president and chief security officer Sean Duca says in light of this, it’s vital partners are aware of this risk and act to protect each other.

"Supply chain organisations are targeted because they often aren’t as aware of potential threats and may not have adequate resources to manage security to a high level,” says Duca.

“Bad actors often start small, waiting in systems for years before striking the target organisation where it’s weak."

Duca says software supply chain attacks are pernicious because they violate the basic trust between software provider and consumer, with hackers evading traditional defences to jeopardise software and delivery processes.

The end result is that companies running the corrupted software can find themselves victims of ransomware attacks, proprietary information theft, and commercial sabotage.
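The point about violated trust is easy to see with a concrete integrity check. The following is an added example (not code from Palo Alto Networks or the article): a consumer pins the SHA-256 digest a provider published for a release and verifies every delivered copy against it. The artifact bytes and digests are constructed for the example. Tampering after publication is caught; tampering inside the provider's own build or release process is not, because the provider then publishes the digest of the poisoned build, which is exactly the trust gap the article describes.

```python
import hashlib
import hmac

# Constructed sample artifacts; stand-ins for a real software package.
CLEAN_BUILD = b"agent-installer 1.2.0: clean build\n"
POISONED_BUILD = CLEAN_BUILD + b"# implant inserted by attacker\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact, as a provider would publish it."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, pinned_sha256: str) -> bool:
    """Accept the delivered bytes only if they hash to the digest the consumer
    recorded out of band (constant-time comparison to avoid leaking the prefix)."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256)


def verify_against_sources(data: bytes, digests_by_source: dict) -> dict:
    """Check one delivered artifact against digests obtained from several
    independent sources (e.g. vendor site, a mirror, a signed attestation).
    Returns {source: passed}; disagreement between sources is itself a signal."""
    return {src: verify_pinned(data, d) for src, d in digests_by_source.items()}


def scenario_tamper_in_delivery() -> bool:
    """Attacker alters the artifact after the provider published its digest.
    The consumer pinned the clean digest, so verification fails."""
    pinned = sha256_hex(CLEAN_BUILD)
    return verify_pinned(POISONED_BUILD, pinned)


def scenario_compromised_provider() -> bool:
    """Attacker poisons the provider's build pipeline. The provider publishes
    the digest of the poisoned build, so the consumer's check passes."""
    pinned = sha256_hex(POISONED_BUILD)
    return verify_pinned(POISONED_BUILD, pinned)


def scenario_second_source_detects() -> dict:
    """Same compromised-provider case, but the consumer also holds a digest
    from an independent source that still describes the clean build."""
    return verify_against_sources(
        POISONED_BUILD,
        {
            "vendor_site": sha256_hex(POISONED_BUILD),   # poisoned, as published
            "independent_rebuild": sha256_hex(CLEAN_BUILD),  # hypothetical second source
        },
    )


if __name__ == "__main__":
    print("tampered in delivery accepted?", scenario_tamper_in_delivery())
    print("compromised provider accepted?", scenario_compromised_provider())
    print("per-source results:", scenario_second_source_detects())
```

The hash check is necessary but not sufficient: it only ties the delivered bytes to whatever the provider chose to publish. Catching a compromise upstream of publication needs a second, independent trust root, which in practice means signed attestations, reproducible builds compared against an independent rebuild, or the vetting of the provider's own processes that the article goes on to recommend.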

"Organisations are increasingly interconnected and, while this provides a variety of business benefits, it also comes with security risks. Cybercriminals are very aware of these connections and are using them to access networks that are otherwise well-protected,” says Duca. "In today’s world of Internet of Things (IoT), digital buyer-seller relationships, and robotic process automation, vulnerabilities to cyber damage are increasing. Businesses may have security tools and protection in place but need to ask whether their suppliers, and their suppliers’ suppliers, and so on down the value chain, have the same kind of protection."

Taking all this into account, Palo Alto Networks has provided three key ways to secure the supply chain.

1. Review internal and external security procedures: It’s vital for businesses to not only review their own internal infrastructure, but also vendors’ and partners’. Any new vendors or partners should undergo a thorough vetting process before full integration.

2. Establish written security guidelines and controls: Via a written agreement, organisations should require suppliers to adhere to processes and protocols that minimise the likelihood of attacks (for example, cybercriminals using a supplier’s website to host malware).

3. Train staff and vendors in, and share, security best practices: Human error is still by far the primary source of data breaches, which means it's crucial for organisations to train all staff in security best practices.

"Organisations mustn’t overlook the risks posed by their supply chain when it comes to protecting company and customer information,” says Duca.

“Cybercriminals will look for every vulnerability to attack an organisation so it’s essential to close every gap, down to the last link in the supply chain."
