
Palo Alto says supply chain is cybersecurity’s weakest link

18 Jan 2019

Cybercriminals will often scour a company's digital fortress, looking for a weak point to exploit.

And according to Palo Alto Networks, the weakest link is the supply chain, as organisations can’t always control the security measures taken by supply chain partners.

Effectively this creates a hole that cybercriminals can capitalise on: first infiltrate a supply partner, then use that foothold to compromise other members of the chain.

Palo Alto Networks vice president and chief security officer Sean Duca says in light of this, it’s vital partners are aware of this risk and act to protect each other.

"Supply chain organisations are targeted because they often aren’t as aware of potential threats and may not have adequate resources to manage security to a high level,” says Duca.

“Bad actors often start small, waiting in systems for years before striking the target organisation where it’s weak."

Duca says software supply chain attacks are pernicious because they violate the basic trust between software provider and consumer, with hackers evading traditional defences to jeopardise software and delivery processes.

The end result is that companies running the corrupted software can find themselves victims of ransomware attacks, proprietary information theft and commercial sabotage.

"Organisations are increasingly interconnected and, while this provides a variety of business benefits, it also comes with security risks. Cybercriminals are very aware of these connections and are using them to access networks that are otherwise well-protected,” says Duca. "In today’s world of Internet of Things (IoT), digital buyer-seller relationships, and robotic process automation, vulnerabilities to cyber damage are increasing. Businesses may have security tools and protection in place but need to ask whether their suppliers, and their suppliers’ suppliers, and so on down the value chain, have the same kind of protection."

Taking all this into account, Palo Alto Networks has provided three key ways to secure the supply chain.

1. Review internal and external security procedures: It’s vital for businesses to not only review their own internal infrastructure, but also vendors’ and partners’. Any new vendors or partners should undergo a thorough vetting process before full integration.

2. Establish written security guidelines and controls: Via a written agreement, organisations should require suppliers to adhere to processes and protocols that minimise the likelihood of attacks (for example, cybercriminals using a supplier’s website to host malware).

3. Training/sharing security best practices with staff and vendors: Human error is still by far the primary source of data breaches, which means it's crucial for organisations to train all staff in security best practices.

"Organisations mustn’t overlook the risks posed by their supply chain when it comes to protecting company and customer information,” says Duca.

“Cybercriminals will look for every vulnerability to attack an organisation so it’s essential to close every gap, down to the last link in the supply chain."
