How Separating Data & Network Security Protects Your Supply Chain

Eduardo Rocha Senior Sales Engineer and Security Analyst
5 Min read

Software supply chain security is an enormous concern for businesses today. According to a 2021 Argon cybersecurity report, software supply chain attacks increased threefold in 2021 compared to the previous year. 

The constant race of companies to do things faster while delivering a better, richer user experience adds a multitude of vulnerabilities to the supply chain. Cybercriminals are exploiting these vulnerabilities and finding novel ways to launch attacks. 

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

As a result, supply chain attacks are evolving all the time. So, organizations need to understand the concepts of supply chain security risks and how to mitigate them.

How to Identify If Your Business Needs Supply Chain Security?

Orchestrating a supply chain attack requires sophistication and time. Cybercriminals still invest resources in such attacks because a successful endeavor can have far-reaching effects across multiple organizations.

Modern software and applications are not built from the ground up. Today most businesses use third-party vendors, APIs, and libraries. Cybercriminals use weak points in the software development pipeline to orchestrate supply chain attacks. 

For example, a hacker can compromise a library of a particular vendor or open-source software. When an organization uses that library, it ships products with embedded malicious code or malware to the end-user. A popular library might be in use across hundreds or thousands of organizations. Many products can get corrupted with a single manipulated library. Supply chain attacks have caused disruptions to industries like shipping, financial services, and healthcare. And they have been used to conduct cyber espionage against government agencies.

Any organization with external source dependency is vulnerable to supply chain attacks. Furthermore, cybercriminals like this kind of attack because they can infiltrate multiple organizations and products through a single entry point and use the organization’s reputation to spread the malicious code to unsuspecting consumers. 

Types of Supply Chain Attacks

Cybercriminals have developed multiple methods to take advantage of supply chain vulnerabilities. Here are some of the standard techniques used:

Exploiting Open-Source and Third-Party Code for RCE: Hackers seek opportunities to insert malicious code into open-source and vendor libraries. The corrupted library behaves like the original ones. When organizations use these libraries, hackers can use Remote Code Execution (RCE) attacks to take over systems to steal and destroy data.

Stolen Code-Sign Certificates to Spoof Updates: Code-sign certificates are used to validate the integrity and authorship of code. When cybercriminals gain access to code-sign credentials of a reputable company or vendor, they can use the certificate to insert fake updates into the software supply chain. Users of the code cannot distinguish the counterfeit updates from the real ones, and the final product is corrupted.

Compromised Identity and Access Management to Enter Systems: Maintaining passwords and network security is a high priority for organizations. However, employees often use weak passwords that hackers can easily crack. Moreover, lax audit trails can lead to open accounts of ex-employees. Hackers use the weaknesses in identity and access management to gain access to networks and insert malicious code into the software supply chain.

Formjacking: In a formjacking attack, cybercriminals inject malicious JavaScript code into the form of a website. When a user enters personal information like credit card info, phone number, and address into an online form, the cybercriminals use the malicious JavaScript code to send the personal information to their servers. The collected data can be used for identity theft scams. This kind of man-in-the-middle attack can go undetected as company servers might not detect the intrusion without proper surveillance. You can learn more about how to prevent formjacking from GlobalDot’s webinar “Crush Formjacking – Ensuring Website Protection and PCI Compliance.”

Recent Supply Chain Attack Examples

Over the recent years, supply chain attacks have become more sophisticated with far-reaching effects. Here are some examples of the latest attacks:

SolarWinds Supply Chain Attack: In 2020, the highly publicized SolarWinds attack shook the cybersecurity industry. Hackers infected SolarWinds’ Orion platform with malware (later named SUNBURST) that affected 18,000 customers, including multinational companies and government agencies like Cisco, SAP, Intel, Deloitte, Microsoft, NASA, the US Justice Department, and the US State Department. SUNBURST collected data from user systems and delivered it to hacker-assigned URLs.

Kaseya Supply Chain Ransomware Attack: In 2021, the Kaseya VSA endpoint management and monitoring tool was compromised through a supply chain attack. Russian cybercriminal syndicate REvil orchestrated the attack. It affected 50 of Kaseya’s direct customers, including Managed Service Providers (MSPs), with additional 800-to-1500 businesses affected due to the supply chain effect.

CloudFlare’s CDNJS RCE Vulnerability: In 2021, a vulnerability in CloudFlare’s CDNJS, a free and open-source content delivery network, created a remote code execution (RCE) attack risk for 4,041 JavaScript and CSS libraries. Read GlobalDots’ CloudFlare’s CDNJS RCE report[ to learn more.

LOG4J Vulnerability: In December 2021, the remote code execution vulnerability of LOG4J, a widely used open-source logging API for Java, created a software supply chain crisis. An estimated 3 billion devices might be affected by LOG4J vulnerability. Read GlobalDots’ LOG4J exposure report to learn more.

Improving Your Supply Chain Security

Supply chain risk mitigation requires a multi-dimensional approach.

Monitor and Understand Your Supply Chain

You should have a clear understanding of what components go into your product. Gaining visibility into your software supply chain will help you understand potential vulnerabilities in the development pipeline. A technology partner with knowledge and experience can help you pinpoint weaknesses in your supply chain security.

Software Composition Analysis (SCA) for Supply Chain Vulnerabilities

You can use software composition analysis tools like Synopsis Black Duck, WhiteSource Diffend, or ByteSafe to make sure the dependencies in your supply chain are safe and secure.

Supply Chain Threats Mean Data and Network Security Are Better Off Separated

Network security focuses on keeping the business running and protecting against attacks that stop operations. Data security focuses on keeping data from getting stolen or destroyed. Even though the processes might overlap, the separation of data security and network security makes the supply chain more resilient. 

IT can focus on protecting against attacks, while data security specialists can concentrate on making sure the data is secure even if an attack happens. For example, data security specialists can protect data using encryption at rest.

To hear how it’s done in practice, check out our most recent talk on this topic: 

Privacy by Design – Why Data Privacy & Security Officers Must Collaborate

Better data protection through zero trust principles and auditing vendors separately to protect data are considered more robust supply chain risk mitigation. Data is only valuable to cybercriminals if they can understand it. If you can protect the data during a network breach, your supply chain is safer.

Broaden Your Technology Approach to Supply Chain Security Through Implementing SOC

For more robust supply chain protection, change your approach to protecting your endpoints. Build a security operations center (SOC) to gain more visibility into all the endpoints in your supply chain. You can continuously monitor your network and understand the vulnerable points in the organization, especially the integration points of the software.

Conclusion

You cannot eliminate supply chain threats, but how your security architecture is built significantly impacts your risk level. Separating data & network protection is an excellent idea if applied to work seamlessly by experts. A technology partner who has a holistic view of your infrastructure is highly advised.

Are you having difficulty with your supply chain risk mitigation strategy? Contact GloabalDots to improve your supply chain security today.

Latest Articles

RCE in Cdnjs and What It Means to You

Last week, a researcher named RyotaK shared a clever supply chain vulnerability in Cloudflare’s highly popular hosted module called cdnjs, which runs on around 12% of all sites on the web. The module helps developers consume other popular packages and integrate them safely into their sites.  The vulnerability was in the cdnjs library update server […]

Francesco Altomare Technical Sales Lead for Southern Europe, GlobalDots
19th July, 2021
Making Cloud Compliance Easy

The Challenge: Dealing with the Back-and-Forth There are so many shared challenges when it comes to cloud compliance. The constant back-and-forth with the auditor has become a draining routine. As you dart through digital archives for necessary audit evidence, precious minutes slip away from your actual duties. Each passing hour pulls you further from your […]

Ganesh The Awesome Senior Pre & Post-Sales Engineer at GlobalDots
16th October, 2023
8 best practices to prevent SQL injection attacks

SQL injection is one of the most dangerous vulnerabilities for online applications. It occurs when a user adds untrusted data to a database query. For instance, when filling in a web form. If SQL injection is possible, smart attackers can create user input to steal valuable data, bypass authentication, or corrupt the records in your […]

Ganesh The Awesome Senior Pre & Post-Sales Engineer at GlobalDots
30th June, 2023
Long-Term LastPass Breach Sounds Alarm For Static Credentials

LastPass’ password management service has introduced millions of users to the convenience and security of unique passwords. Across mobile and browser, LastPass promises a near-passwordless experience for millions of individuals and over 100,000 businesses. However, recent news threatens to drop a bombshell on credential-based security.  The Year-Long LastPass Dual Breach  In August 2022, LastPass released […]

Ganesh The Awesome Senior Pre & Post-Sales Engineer at GlobalDots
2nd March, 2023

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services