“Supply Chain” has been a hot topic amongst security researchers discussing 2018 trends, as this article about A.P. Moller-Maersk shows. What the article does not address, however, is the scope of a supply chain attack. Most businesses think of the supply chain as logistics, but the real targets of these attacks are not only logistics firms; they are organizations that sell to other businesses and whose products and services are embedded in many of them. Retail organizations will, of course, continue to be targeted, and high-visibility targets will always be priorities for attackers.
What is changing is that attackers are focusing more on businesses that provide services and products to other businesses. This is the same approach state-sponsored actors take when collecting intelligence against defense targets: rather than attacking Lockheed Martin directly, they go after the parties that hold its data or supply its security tooling, as the breaches at the Office of Personnel Management (OPM) and RSA showed.
Case in point: the recent, wide-ranging and highly publicized Meltdown and Spectre vulnerabilities. Every organization is exposed, because the flaws sit in the CPUs nearly everyone runs. The major public cloud providers had patched their hosts by early January 2018; most other organizations are still scrambling to do so. The vulnerabilities were reported privately to the chip vendors in mid-2017 and only disclosed publicly on 3 January 2018, and no exploitation in the wild has been confirmed. How do you calculate the risk of a vulnerability you do not yet know about? How quickly can your organization respond to a disclosure of this magnitude?
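One concrete piece of the "how quickly can you respond" question is knowing where each host actually stands. The script below is an added example, not part of the original post: it reads the per-issue status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities (present since 4.15 and in distribution backports) and classifies each one. It assumes a Linux host with /sys mounted; the status strings are the kernel's own, while the notaffected/mitigated/vulnerable/unknown classification and the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what the Linux kernel
# itself reports about Meltdown/Spectre mitigation on this host. Since 4.15
# (and distribution backports) the kernel exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities; the status strings are the
# kernel's, the four-way classification below is ours.

# classify_status STATUS
#   Prints one of: notaffected, mitigated, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo notaffected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir [DIR]
#   Prints "issue<TAB>class<TAB>kernel status" for every readable file in DIR
#   (default: the live sysfs directory). Exit status: 0 if nothing is
#   Vulnerable, 1 if at least one issue is, 2 if the directory has no
#   readable entries (old kernel, or /sys not mounted).
report_dir() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    seen=0
    bad=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        seen=1
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%s\t%s\t%s\n' "${f##*/}" "$class" "$status"
        [ "$class" = vulnerable ] && bad=1
    done
    [ "$seen" -eq 1 ] || return 2
    return "$bad"
}

# Run against the live host. The '||' keeps a non-zero result visible
# without aborting a caller that runs under 'set -e'.
report_dir || echo "mitigation check returned $?" >&2
```

Run it with `sh mitigations.sh` on each host (or ship it through your configuration management tool) and collect the exit status: 1 means the kernel itself says an issue is unmitigated, 2 means the kernel is too old to report at all, which is the more worrying answer from an inventory standpoint.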
Every organization relies on vendors to deliver services to its clients and to run its back office. Is your organization capable of assessing the risk that your supply chain – your vendors – poses to you?