Due to shifts in demand, labor shortages, inflation, and capacity issues, the global supply chain is still trying to bounce back from the economic downturn caused by the COVID-19 pandemic. In 2022, the way that top organizations are fighting back against a congested supply chain is to go digital.
A digital supply chain is a set of processes that use emerging technologies to create better visibility, transparency, and insights into each stakeholder represented within the supply chain. The digital supply chain is essential to the global supply chain because it provides up-to-date information about raw materials, logistics, inventory levels, and forecasting. It gives buyers and sellers the ability to make better decisions based on the sources of materials they need and the demand for each product.
However, there is a significant problem with functional digital supply chains – the number of cyberattacks on these supply chains is on a dramatic rise. Cyberattacks have been on the rise in most digital spaces. The last two years have seen an even more dramatic increase in the number of companies falling victim to breaches. The threats are not limited to one particular industry either; a 2021 Gartner Report predicts that 30% of critical infrastructure organizations will experience a security breach within the next three years.
Digital supply chains have been particularly vulnerable: a recent Forrester report found that 55% of cybersecurity professionals reported that their organization had experienced an incident or breach involving either its supply chain or third-party providers within the past 12 months. With the proliferation of open-source software, an increased focus on security in other conventionally vulnerable areas, and multiple exploitation opportunities, supply chain attacks in digital spaces were up by 430% as of 2020. With increased dependency on global providers, the situation seems only to worsen.
Primary Forms of Attacks on Supply Chains
There are several different attacks specifically targeting digital supply chains. Each exploits vulnerabilities at various stages, with each level bringing new areas for potential breaches. Some of the most common forms of software attacks on digital supply chains are:
- Upstream server attacks, where malicious entities infect a system “upstream” of end users, often through a malicious update, infecting all users “downstream” of the hack as they download it.
- Midstream attacks are fundamentally similar, targeting intermediary elements such as software development tools and software updates, passing on the malicious code from there.
- CI/CD infrastructure attacks introduce malware into the development automation infrastructure at the “continuous integration” or “continuous delivery” steps, often with malicious code inserted into open-source software being used in these stages.
- Dependency confusion attacks are threats of a different nature, with hackers exploiting private, internally-created software dependencies by registering a dependency with the same name in a public repository with a higher version number. The malicious code may then be unsuspectingly pulled into software builds in place of the latest real software version.
- Stolen SSL and code-signing certificate attacks prey on end users, compromising the private keys behind the certificates that authenticate secure websites and cloud services to their users, which gives hackers access to those platforms.
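The dependency confusion entry above describes the condition a build audit should catch: an internal package name that a public index could also satisfy with a higher version. The following is an added example, not code from the original article or from any vendor it mentions. It is a small lint for a pip requirements file under a hypothetical organisation whose internal packages are listed in INTERNAL_PACKAGES; the requirements text is constructed for the demonstration. It flags the three configurations that make the attack work: a private index added with `--extra-index-url` (pip then merges it with public PyPI and takes the highest version from either), an internal package that is not pinned with `==`, and an internal package with no `--hash` pin.

```python
"""Audit a pip requirements file for dependency-confusion exposure.

Added example, not from the original article. INTERNAL_PACKAGES and the
index URL are hypothetical; SAMPLE_REQUIREMENTS is a constructed input.
"""
import re

# Hypothetical names of packages that exist only on the private index.
INTERNAL_PACKAGES = {"acme-billing", "acme-auth-client"}

# Constructed sample requirements file (not a real project file).
SAMPLE_REQUIREMENTS = """\
# constructed sample
--extra-index-url https://pypi.internal.example/simple
requests==2.28.1 --hash=sha256:0123456789abcdef
acme-billing>=1.2
acme_auth_client==3.0.0 --hash=sha256:fedcba9876543210
"""

# name, optional comparison operator, optional version
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation so acme_auth_client and acme-auth-client compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str, internal=INTERNAL_PACKAGES):
    """Return a list of (severity, package, message) findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--index-url"):
            # Replaces public PyPI entirely: resolution is confined to the private index.
            continue
        if line.startswith("--extra-index-url"):
            findings.append(("high", "<global>",
                             "--extra-index-url merges the private index with public PyPI; "
                             "pip picks the highest version found on either index, so a public "
                             "package with the same name and a bigger version wins. Use --index-url."))
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op = normalize(m.group(1)), m.group(2)
        if name not in internal:
            continue
        if op != "==":
            findings.append(("high", name,
                             "internal package not pinned with ==; a higher version from another index could be selected"))
        if "--hash=" not in line:
            findings.append(("medium", name,
                             "no --hash pin; the build cannot verify the artifact is the one published internally"))
    return findings


if __name__ == "__main__":
    for severity, package, message in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"[{severity}] {package}: {message}")
```

In the constructed sample, `acme-auth-client` passes (exact pin plus hash), `acme-billing` is flagged twice, and the `--extra-index-url` line is flagged once. Note that pip's hash-checking mode refuses the whole install if any requirement lacks a hash, so in practice the fix is to hash-pin every line, not only the internal ones.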
The Case of Log4Shell
One of the most dangerous and well-publicized instances of software being vulnerable to attack came in 2021 when an exploit for a severe code-execution vulnerability in Log4j was released. As a ubiquitous open-source logging utility, Log4j is used in countless apps, including Microsoft, Amazon, and Twitter servers.
The exploit was first recognized through the popular game Minecraft and reported to Apache by Alibaba last November. The code was also published in a tweet a few weeks later. Almost immediately, numerous forums began warning users that hackers could execute malicious code on servers or clients running the Java version of Minecraft by manipulating log messages. This included chat messages, meaning the code could be executed on other players' devices simply by pasting it into in-game chat. The malicious code was posted online, allowing malicious actors to quickly and easily exploit the vulnerability.
Responses across the industry and regulatory agencies were immediate and severe. The Apache Software Foundation assigned Log4Shell a CVSS severity rating of 10 (the highest possible rating), with millions of servers potentially left vulnerable to the exploit. The director of the US Cybersecurity and Infrastructure Security Agency (CISA) called the exploit a “critical” threat, and the German Federal Office for Information Security (BSI) granted the exploit its highest threat level designation as well. However, before the patch, attackers exploited the open-source vulnerability to install cryptocurrency-mining software, steal system credentials, and steal sensitive data.
For those in the digital supply chain, Log4Shell was an eye-opener. It is now clear that for organizations relying on open-source software, third-party software, and API-driven cloud software, all once thought secure, the threat of breaches and compromised accounts remains very real. So, how can businesses keep the digital supply chain secure?
Mitigating The Danger of Cyberattacks
With threats constantly increasing, detecting cyberattacks is extremely difficult, even for the most sophisticated systems. Simply being aware of the potential threats is often not enough, with new exploits and vulnerabilities being discovered by malicious actors every day. Open-source tools, user permissions, and integrations create a wide perimeter that becomes virtually impossible to secure as its scope and complexity grow.
Protecting data against network infiltration is always the first step, but perimeter security alone can’t be relied on to keep sensitive data truly secure. Whether mitigating threats from new outside exploits or eliminating the potential for insider attacks, data needs to be protected at each step where it might be accessed. Truly secure data can recognize all threats, even after a network has been compromised.
Zero Trust with Sertainty
Rather than constantly trying to patch all of the “holes” in a network’s perimeters, Zero Trust Security architecture allows data to protect itself. Unlike traditional perimeter security, where the goal is to keep malicious actors out of the network — yet become vulnerable as soon as the virtual perimeter is breached — Zero Trust systems don’t grant implicit trust or permissions to devices or programs based on details like IP addresses. Instead, Zero Trust systems encrypt and decrypt all relevant information locally, selectively allowing access based on specific credentials.
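The paragraph above makes two points: a request gets no implicit trust from where it comes from (an internal IP address is not a credential), and every access is decided on specific, verifiable credentials at the point of access. The following is an added example of that decision logic, not code from the original article or from Sertainty's platform. It issues HMAC-signed, scoped, short-lived tokens under a hypothetical signing key and authorizes each request by verifying the token and its scope, deliberately ignoring the source IP; the request objects are constructed for the demonstration.

```python
"""Per-request authorization that ignores network location.

Added example, not from the original article or any vendor's product.
SECRET is a constructed demo key; service names and scopes are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-do-not-reuse"  # hypothetical signing key


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes, ttl_seconds: int, now=None) -> str:
    """Sign {sub, scopes, exp} with HMAC-SHA256; returns 'payload.signature'."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"sub": subject, "scopes": sorted(scopes), "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    signature = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(signature)}"


def verify_token(token: str, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, signature_b64 = token.split(".")
        payload, signature = _b64u_decode(payload_b64), _b64u_decode(signature_b64)
    except Exception:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= int(time.time() if now is None else now):
        return None
    return claims


def authorize(request: dict, now=None):
    """Decide one access. request = {source_ip, token, resource, action}.

    source_ip is present only to show it is not consulted: a request from an
    internal address with no valid credential is denied like any other.
    """
    claims = verify_token(request.get("token", ""), now)
    if claims is None:
        return False, "invalid, missing or expired credential"
    needed = f"{request['resource']}:{request['action']}"
    if needed not in claims["scopes"]:
        return False, f"credential lacks scope {needed}"
    return True, f"{claims['sub']} granted {needed}"


if __name__ == "__main__":
    token = issue_token("svc-inventory", ["inventory:read"], ttl_seconds=300)
    print(authorize({"source_ip": "10.0.0.5", "token": token, "resource": "inventory", "action": "read"}))
    print(authorize({"source_ip": "10.0.0.5", "resource": "inventory", "action": "read"}))
```

The design choice worth noting is that the decision function has no allow-list of networks at all; removing the concept of a trusted location is what stops a breached perimeter from turning into a breached data store.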
Maintaining optimum security at each step is critical in supply chains, where each step introduces new opportunities for system breaches. Sertainty’s proprietary system makes the most of Zero Trust security, providing active protection at each level and making data intelligent enough to protect itself. With the Sertainty Data Privacy Platform, you can not only be confident about the privacy of your data at all times, but you can also centrally manage compliance requirements within the data. Sertainty’s developer tools allow you to add decision and control functions and to centralize protection, authentication, governance, and tracking.