American City and County

Commentary
The growing threat of supply chain attacks

  • Written by Carlos Perez and Tyler Hudak
  • 13th August 2021

Cyber attacks pose a growing threat to local governments, but one risk that is often overlooked is the supply chain attack.

Criminal hackers are increasingly targeting software supply chains because these attacks allow them to compromise hundreds or even tens of thousands of victims through a single breach, while also affording them extensive internal access through the trusted systems.

The July 2021 attack on Kaseya is a prime example. Up to 1,500 businesses were affected after attackers exploited a flaw in Kaseya's VSA remote management software and used its agent update mechanism to push ransomware down to the managed service providers running VSA and, through them, to the end customers those providers administered. Similar attacks have come through other widely used software products, such as the SolarWinds Orion platform and Avast's CCleaner, and the mass exploitation of flaws in Microsoft Exchange showed how a single widely deployed product can expose thousands of organizations at once.

Supply chain attacks are extremely difficult to detect, which means the attacker has more time to infiltrate the network, steal data and install malicious tools like ransomware.

Here is what local governments need to know about this growing threat:

What is a supply chain attack?

A supply chain attack occurs when a criminal hacker deliberately targets organizations through a third-party service they rely on.

These providers can be small business vendors, like the HVAC contractor whose compromised credentials allegedly led to Target's 2013 data breach, or widely used software services such as network monitoring tools (ex: SolarWinds), ecommerce platforms (ex: Magento), file-sharing appliances (ex: Accellion) and accounting software (ex: M.E. Doc). Even security vendors can be breached in order to reach their users, as in the case of Avast's CCleaner tool and the "Fxmsp" group's operation against top antivirus companies.

This method of attack is increasingly popular among sophisticated hackers because it allows them to target many victims through a single breach, rather than having to attack each of these organizations individually. It also allows them to blindside the victim by bypassing their network security tools and essentially slipping in through the backdoor directly onto their network, and often with elevated privileges.

How the attack unfolds

In a software supply chain attack, there are two ways the criminal can breach an organization.

The first occurs when the attacker compromises an organization that already has access into the intended targets. That access may be through software the organization manages on the target's behalf or through credentials it holds to log in to the target's network. The attacker then uses this access to move through the victim organizations and wreak havoc. This is common with managed service providers (MSPs), which act as IT administrators for many organizations. In several recent cases attackers have used an MSP's remote management access to deploy ransomware to all of that MSP's clients at once, encrypting dozens to hundreds of organizations at the same time.

The second method is even more devious. Here the attacker infiltrates the software company's own infrastructure and compromises customers through the legitimate software program. The software, or its updates, are modified to include backdoors that give the attacker access to every organization that installs the compromised version; the attacker then only has to wait for the update to be deployed. Because the tampering happens inside the vendor's build or release pipeline, the poisoned build is typically signed with the vendor's own code-signing key, so checking the vendor signature on an update does not catch this class of attack; detection has to come from watching what the software does once it is running.

Why these attacks are worse than traditional breaches

While any breach can be damaging, a supply chain hack can be exponentially worse because the attacker often has a higher level of access to the network and is harder to detect.

This combination of factors greatly increases the risk for a government agency. The longer an attacker has inside a victim's network, the more damage they can cause, whether through data theft, ransomware, other malware or network disruption. According to a recent report by IBM Security, software supply chain attackers spend on average 286 days inside the victim's network before being detected. Additionally, because the attacker arrives through a trusted IT service, they are essentially walking in through the front door: they reach a larger slice of the network and often hold admin-level privileges when they do.

The software attack surface is growing

Most government agencies today rely on a myriad of software and IT services to manage their daily operations.

These range from email and cloud services to web applications, remote desktop (RDP), virtual private networks (VPN), antivirus, ecommerce platforms, point-of-sale systems, HR management, network administration tools, collaboration apps like Microsoft Teams and Slack and much more, not to mention a growing roster of IoT devices.

Every one of these services depends on a complex codebase, and within that codebase there are often numerous vulnerabilities. The level of software security varies by vendor, but even the largest IT companies in the world struggle to secure their products. We have only to look at recent vulnerability disclosures in Windows, Oracle, McAfee, Apple, Cisco and other major vendors to see how widespread these problems really are.

As the software attack surface grows, so do the risks. Supply chain attacks won’t diminish anytime soon. In fact, the problem is likely to get much worse in the next few years as software services continue to grow.

How do you protect against it?

There is no way to prevent a supply chain attack from ever occurring, so local governments need to make post-breach damage control a key part of their overall security strategy.

Preventive measures are important—such as carefully vetting software vendors and keeping all software up to date—but a greater emphasis should be placed on creating a layered defense within the network that will limit the overall damage of a successful breach.

Standard defensive measures include: segmenting the network, so that a breach through one system won't necessarily expose the entire network; establishing rigorous data encryption practices; and using monitoring tools like a SIEM and IDS/IPS, which can flag suspicious behavior such as a remote login from an unexpected country or address range, or a large transfer of files out of the network.
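The two detections named above, written out as an added example (this is not code from the article or from TrustedSec). It runs over a handful of constructed log lines in an assumed `timestamp event key=value ...` format; the internal address ranges, the 500 MiB threshold and the one-hour correlation window are assumptions that a real deployment would tune. The point the paragraph does not show is the correlation: an external login followed by a large outbound transfer from the same account is rated higher than either event alone.

```python
# Added example: two SIEM-style detections over constructed log lines.
# Not from the article; log format, CIDR ranges and thresholds are assumptions.
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed "internal" address space: RFC 1918 plus a hypothetical VPN egress block.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024      # assumed threshold: 500 MiB
CORRELATION_WINDOW = timedelta(hours=1)       # assumed: login-then-exfil window

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login|transfer) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "event": m["event"]}
    for kv in m["kv"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines):
    """Return a list of (severity, message) alerts in log order."""
    alerts = []
    external_logins = {}   # user -> time of the most recent external login
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["event"] == "login" and rec.get("result") == "success"
                and not is_internal(rec["src"])):
            external_logins[rec["user"]] = rec["ts"]
            alerts.append(("medium",
                           f"{rec['user']} logged in from external address {rec['src']}"))
        elif (rec["event"] == "transfer" and rec.get("direction") == "out"
                and not is_internal(rec["dst"])):
            size = int(rec.get("bytes", "0"))
            if size < LARGE_TRANSFER_BYTES:
                continue
            severity = "high"
            prior = external_logins.get(rec["user"])
            # Escalate when the same account logged in from outside shortly before.
            if prior is not None and rec["ts"] - prior <= CORRELATION_WINDOW:
                severity = "critical"
            alerts.append((severity,
                           f"{rec['user']} sent {size} bytes to {rec['dst']}"))
    return alerts


# Constructed sample log: an RMM service account logs in from outside, then pushes
# 2 GiB out within minutes; a second user sends 700 MiB out with no external login.
SAMPLE_LOGS = [
    "2021-08-10T01:58:40Z login user=jdoe src=10.20.30.40 result=success",
    "2021-08-10T02:14:03Z login user=svc_rmm src=203.0.113.45 result=success",
    "2021-08-10T02:20:11Z transfer user=svc_rmm dst=198.51.100.7 bytes=2147483648 direction=out",
    "2021-08-10T03:05:00Z transfer user=jdoe dst=198.51.100.9 bytes=734003200 direction=out",
    "2021-08-10T03:10:00Z transfer user=jdoe dst=10.20.30.50 bytes=5368709120 direction=out",
    "2021-08-10T03:12:00Z login user=bob src=198.51.100.20 result=failure",
]

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_LOGS):
        print(f"[{severity}] {message}")
```

The internal-to-internal 5 GiB copy and the failed external login produce nothing, which is deliberate: the rule is about data leaving the network and about sessions that actually succeeded. In production the allowlist would come from the VPN and office egress inventory rather than a hard-coded tuple.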

Organizations should also protect and limit the total number of “privileged accounts” in the network, through a Privileged Access Management (PAM) framework, as these accounts will give the attacker the greatest level of access to sensitive data and systems if they are compromised.
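Limiting the number of privileged accounts starts with knowing what they are. The following added example (not the article's or TrustedSec's code) reviews a constructed directory export and lists every account holding membership in an assumed set of privileged groups, then flags the ones a PAM programme would usually remove or rework first: stale accounts, non-expiring passwords, disabled accounts that still carry admin rights, service accounts (assumed `svc_` prefix) sitting in interactive admin groups, and accounts in several privileged groups at once. The CSV columns and group names are assumptions.

```python
# Added example: enumerate privileged accounts from a directory export and flag
# the ones to cut first. Not from the article; CSV layout, group names, the
# 90-day staleness rule and the svc_ naming convention are assumptions.
import csv
import io
from datetime import date, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}
STALE_AFTER = timedelta(days=90)   # assumed: no logon in 90 days means review
SERVICE_PREFIX = "svc_"            # assumed naming convention for service accounts

# Constructed export in the shape a directory dump might produce (columns assumed).
EXPORT_CSV = """sam,groups,last_logon,password_never_expires,enabled
jdoe,Domain Admins;Domain Users,2021-08-09,False,True
svc_rmm,Domain Admins;Domain Users,2021-08-10,True,True
mgarcia,Domain Users,2021-08-10,False,True
oldadmin,Domain Admins;Enterprise Admins,2021-03-01,True,True
vendor_tmp,Administrators,2021-08-01,False,False
"""


def load_accounts(csv_text):
    """Parse the export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        accounts.append({
            "sam": row["sam"],
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
            "last_logon": date.fromisoformat(row["last_logon"]),
            "password_never_expires": row["password_never_expires"] == "True",
            "enabled": row["enabled"] == "True",
        })
    return accounts


def review(accounts, as_of):
    """Return (privileged_sams, findings); findings is a list of (sam, reason)."""
    privileged = []
    findings = []
    for acct in accounts:
        priv_groups = acct["groups"] & PRIVILEGED_GROUPS
        if not priv_groups:
            continue                       # ordinary user, not in scope
        sam = acct["sam"]
        privileged.append(sam)
        idle = as_of - acct["last_logon"]
        if idle > STALE_AFTER:
            findings.append((sam, "stale: no logon in %d days" % idle.days))
        if acct["password_never_expires"]:
            findings.append((sam, "non-expiring password on privileged account"))
        if not acct["enabled"]:
            findings.append((sam, "disabled account still holds privileged membership"))
        if sam.startswith(SERVICE_PREFIX):
            findings.append((sam, "service account in an interactive admin group"))
        if len(priv_groups) > 1:
            findings.append((sam, "member of several privileged groups: "
                             + ", ".join(sorted(priv_groups))))
    return privileged, findings


if __name__ == "__main__":
    privileged, findings = review(load_accounts(EXPORT_CSV), date(2021, 8, 13))
    print("privileged accounts:", ", ".join(privileged))
    for sam, reason in findings:
        print(f"  {sam}: {reason}")
```

The output is a worklist, not a verdict: `jdoe` appears in the privileged count with no findings, which is the shape you want the whole list to converge toward, while the other entries each name a concrete change (disable, remove from group, move to a managed service account, or enforce rotation) that shrinks the blast radius an attacker inherits when one of these accounts is compromised through a vendor.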

Additionally, third-party partners or suppliers should be required to notify organizations when they are breached so the organizations can take appropriate action. This is often done by adding clauses into third-party contracts that add mandatory notification within 48-72 hours of any breach of the third-party’s network or that includes the organization’s data.

Lastly, organizations should engage outside security firms to regularly test their network security and post-breach defenses, in what is known as a “penetration test” or “red team” test. Third-party incident response retainer services should also be engaged to provide guaranteed response to any breach that may occur. While there is no silver bullet to fully prevent supply chain attacks, proactively performing these steps will decrease the impact of an attack and ensure any successful attack is quickly recovered from.

Carlos Perez, research practice lead for TrustedSec, has more than 20 years of IT security experience. He specializes in developing tools for offensive simulation and incident response.

Tyler Hudak, incident response practice lead for TrustedSec, specializes in cyber attack and breach response and remediation. He is the former Security Operations Center (SOC) team lead for a major medical destination center and has held senior security positions at multiple Fortune 500 organizations.

Contacts for both: [email protected], (877) 550-4728