The recent SolarWinds compromise has thrust supply chain attacks into the limelight and exposed just how devastating and insidious they can be. Although not new, threats like these expose the soft underbelly of an industry built entirely on trust: if you can’t trust the tool that is supposed to be securing your network, how can you possibly be secure?
Supply chain attacks take roughly two forms: the first abuses the special access granted to a service supplier, and the second subverts trusted tools and services used in the target environment. A good example of the first type is the Target breach of 2013, in which the attacker is believed to have stolen credentials from an HVAC supplier, used them to reach Target’s network, and planted payment-card malware on point-of-sale systems in over 1,800 stores.
The SolarWinds compromise is an example of the second type, but there are plenty of precedents. In 2017 the official download of CCleaner, a popular utility, was replaced by a trojanized build that infected 2.3 million PCs before it was caught. More recently, researchers at the University of Minnesota were banned from contributing to the Linux kernel after submitting deliberately flawed “bug fixes” to test whether reviewers would catch them (thankfully, the patches never reached a released kernel).
MSPs, ITSPs, and MSSPs are particularly exposed to supply chain attacks: they hold highly privileged access into many potential victims’ networks, they rely on many security and management tools that themselves require high levels of access, and they are increasingly targeted by threat groups. An attacker who compromises an MSSP and plants implants in the tools it uses reaches every tenant at once, multiplying the return compared with attacking each tenant individually.
And this is not theoretical: the US Secret Service warned MSPs last year of an increased threat level, and dozens of MSPs are known to have been compromised. As trusted providers, MSPs have a special obligation to keep their own environments secure and to contain any attack on their own infrastructure before it spreads to their customers. But where should a service provider focus its efforts? Basic security best-practice lists are a dime a dozen (keep your software patched, configure least-privileged access, and so on), but what special considerations apply to service providers in particular?
Here are some suggestions:
- Awareness: Good security requires a serious security culture. Invest in a high-quality security awareness training program for your employees – all of them – so that they can recognize phishing attempts and other suspicious behavior. You can always resell the program to your customers too!
- Security layers: Although consolidating security solutions can be more efficient and reduce cost, a monoculture also introduces risk and a single point of failure. Build a layered security architecture that does not rely exclusively on any single tool to secure or monitor your own environment or your customers’ environments. Email security at the perimeter, endpoint security inside, SIEM/XDR for monitoring, and security training all reinforce each other, so that a compromise of one layer can still be caught by another.
- Assume credentials can be stolen: Passwords are a truly terrible form of security, and yet they are the starting point for virtually all security systems despite efforts such as SQRL to replace them. Require a second factor on all access, particularly when reaching tenant environments through RMM and remote-access tools, and prefer phishing-resistant factors such as hardware security keys over SMS codes. And of course, don’t use shared passwords or reuse passwords across accounts: a credential stolen from one tenant must not open the door to the others.
- Vet your suppliers: When engaging suppliers who will have access to your network or to your customers’ data, vet them carefully and make sure they also have a strong security culture. This goes double for any supplier selling you software tools, since their build and update pipeline becomes part of your attack surface. Make sure you will get early notice of any suspected breach or compromise – you may need to sign an NDA with the vendor and set up a dedicated back channel – so that you can react quickly to any potential problem.
Service providers play a critical role in their clients’ success and must be trusted in order to be effective. But with that trust comes the need to be as secure as possible against supply chain attacks. What special steps have you taken to secure your environment against this threat?
David is the Director of Product Management for VIPRE, a top-rated, award-winning internet security product for channel partners and businesses worldwide. For the past decade, David has worked with customers and partners to design and build best-of-breed IT security using innovative threat detection and response solutions. He has broad experience in advanced threat, SIEM, networking, cloud services, security standardization, open source, agile development and technology policy. He chaired the Distributed Management Task Force, a computer software trade group which works to simplify the manageability of network-accessible technologies and holds an A.B. in Electrical Engineering from Harvard University.