WHO’S NEXT?

SUPPLIER: Attack Techniques Used to Compromise the Supply Chain
• Malware Infection
• Social Engineering
• Brute-Force Attack
• Exploiting Configuration Vulnerability
• Open-Source Intelligence (OSINT)

Supplier Assets Targeted by the Supply Chain Attack
• Pre-existing Software
• Software Libraries
• Code
• Configurations
• Data
• Processes
• Hardware
• People
• Supplier

CUSTOMER: Attack Techniques Used to Compromise the Customer
• Trusted Relationship [T1199]
• Drive-by Compromise [T1189]
• Phishing [T1566]
• Malware Infection
• Physical Attack or Modification
• Counterfeiting

Customer Assets Targeted by the Supply Chain Attack
• Data
• Personal Data
• Intellectual Property
• Software
• Processes
• Bandwidth
• Financial
• People
Organisations need to update their cybersecurity methodology with supply chain attacks in mind and to incorporate all their suppliers in their protection and security verification. Recommended measures include:
• implement a product development, maintenance and support process that is consistent with commonly accepted product development processes
• implement a secure engineering process that is consistent with commonly accepted security practices
• consider the applicability of technical requirements based on product category and risks
• offer Conformance Statements to customers for known standards, and ensure, and attest to the extent possible, the integrity and origin of open source software used within any portion of a product
• define quality objectives, such as the number of defects, externally identified vulnerabilities or externally reported security issues, and use them as an instrument to improve overall quality
• maintain accurate and up-to-date data on the origin of software code or components, and on the controls applied to internal and third-party software components, tools and services present in software development processes
• perform regular audits to ensure that the above measures are met
• monitor security vulnerabilities reported by internal and external sources, including those affecting third-party components in use
• perform risk analysis of vulnerabilities using a vulnerability scoring system
• maintain policies for the treatment of identified vulnerabilities, depending on the risk
• maintain processes to inform customers
• perform patch verification and testing to ensure that operational, safety, legal and cybersecurity requirements are met and that the patch is compatible with non-built-in third-party components
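Several of the measures above form one workflow: keep a record of each component's origin, match that inventory against vulnerability reports for the third-party components in use, score the matches, and apply a treatment policy that depends on the risk. The script below is an added example (it is not code from the article or from the report it summarises) that walks through that workflow over a constructed component inventory and a constructed advisory feed. The CVSS v3.x severity bands are the published ones; the remediation deadlines per band, the component names, the advisory identifiers and the URLs are all assumed sample values.

```python
"""Vulnerability triage over a component inventory using CVSS severity bands.

Added example, not from the article or the ENISA report it summarises.
All inventory and advisory records are constructed sample data; the
TREATMENT_SLA_DAYS table is an assumed policy, not a figure from the page.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    origin: str       # e.g. "vendor", "open-source", "in-house"; "" if unknown
    source_url: str   # provenance record for the component; "" if unknown


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    affected_versions: frozenset   # exact versions the advisory applies to
    cvss_base: float               # CVSS v3.x base score, 0.0 to 10.0


# Qualitative rating bands defined by the CVSS v3.x specification.
def cvss_severity(score: float) -> str:
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

# Assumed treatment policy: days allowed to remediate per severity band.
TREATMENT_SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": None}


def match_advisories(inventory, advisories):
    """Return (component, advisory) pairs where the deployed version is affected."""
    return [
        (comp, adv)
        for comp in inventory
        for adv in advisories
        if adv.component == comp.name and comp.version in adv.affected_versions
    ]


def treatment_plan(inventory, advisories, today_iso: str):
    """Score each match and attach a remediation deadline from the policy table."""
    today = date.fromisoformat(today_iso)
    plan = []
    for comp, adv in match_advisories(inventory, advisories):
        sev = cvss_severity(adv.cvss_base)
        sla = TREATMENT_SLA_DAYS[sev]
        plan.append({
            "component": f"{comp.name} {comp.version}",
            "advisory": adv.advisory_id,
            "severity": sev,
            "due": (today + timedelta(days=sla)).isoformat() if sla else None,
        })
    # Most severe first, then by component name for a stable order.
    plan.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["component"]))
    return plan


def provenance_gaps(inventory):
    """Components whose origin or source record is missing from the inventory."""
    return [f"{c.name} {c.version}" for c in inventory if not c.origin or not c.source_url]


# Constructed sample inventory and advisory feed (hypothetical names and ids).
INVENTORY = [
    Component("libexample-parser", "2.3.1", "open-source", "https://example.invalid/libexample-parser"),
    Component("build-helper", "0.9.0", "", ""),   # origin never recorded
    Component("vendor-agent", "5.1.0", "vendor", "https://vendor.invalid/agent"),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "libexample-parser", frozenset({"2.3.0", "2.3.1"}), 9.8),
    Advisory("ADV-EXAMPLE-002", "build-helper", frozenset({"0.9.0"}), 5.3),
    Advisory("ADV-EXAMPLE-003", "vendor-agent", frozenset({"4.0.0"}), 7.5),  # deployed 5.1.0 is not affected
]

if __name__ == "__main__":
    for row in treatment_plan(INVENTORY, ADVISORIES, "2021-08-01"):
        print(row)
    print("provenance gaps:", provenance_gaps(INVENTORY))
```

Matching here is by exact version string; a real inventory would use a machine-readable component list and version-range comparison, but the shape of the workflow (inventory, advisory match, score, policy-driven deadline, and a separate report of components with no recorded origin) is the part the recommendations describe.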
Around 58% of the supply chain attacks were aimed at gaining access to data (predominantly customer data, including personal data and intellectual property) and around 16% at gaining access to people.

The study concludes: ‘As the cost of direct attacks against well-protected organisations increases, attackers prefer to attack their supply chain, which provides the additional motivation of a potentially large-scale and cross-border impact. This migration has resulted in a larger-than-usual number of supply chain attack cases reported, with a forecast of four times more supply chain attacks in 2021 than in 2020. The inherent global nature of current supply chains increases the potential impact of these attacks and broadens the attack surface for malicious actors.

‘This report covers a number of known attacks but in reality there may be more supply chain attacks that go undetected, not investigated or attributed to other causes. Particularly in software, supply chain attacks undermine trust in the software ecosystem. The analysis in this report shows that there are still a large number of unknown factors in the incidents investigated. 66% of the attack vectors used on suppliers remain unknown. A lack of transparency or the ability to investigate poses a serious risk to the trust of the supply chain.

‘Improving the process of transparency and accountability is the first step to improving the security of all elements in the supply chain and protecting final customers. Supply chain attacks can be complex, require careful planning and often take months or years to execute. While more than 50% of these attacks are attributed to APT groups or well-known attackers, the effectiveness of supply chain attacks may make suppliers an interesting target for other, more generic, types of attackers in the future. It is therefore critical that organisations focus their security not only in their own organisations, but also on their suppliers.’