Digital Supply Chain: Data Privacy and Security Considerations
What is Digital Supply Chain?
Digital Supply Network (DSN) is another name for Digital Supply Chain. It is an intelligent, value-driven network that leverages new approaches to technology and analytics to create new forms of revenue and business value. As the global marketplace moves into the digital economy, it also opens the way for growing data security concerns.
Digital Supply Chain Explained:
There is an emerging kind of threat called software supply chain attacks. Attackers target software developers and suppliers, seeking access to source code, build processes, or update mechanisms.
The attacker’s goal is to infect a legitimate app to distribute malware.
Attackers hunt for unsecured network protocols, unprotected server infrastructure, and unsafe coding practices. They break in, change source code, and hide malware in the build and update processes. Because the software is built and released by trusted vendors, the compromised apps and updates are signed and certified like any other release.
In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same permissions as the app, and the number of potential victims is significant, given the popularity of some apps.
Imagine if a free file compression app was poisoned and was deployed to customers in a country where it was the top utility app. That actually happened in an attack several years ago.
Supply chain attacks have steadily increased since. A new cyber criminal operation discovered by Windows Defender ATP highlights the complexity of supply chain attacks.
Attackers targeted a popular PDF editor app. They worked out the installation process and carefully probed the app vendor’s server infrastructure. They figured out that the vendor uses a server belonging to one of its partner vendors.
Attackers made a replica of this server, and then modified a single component of the installation package, a fonts pack, to insert coin miner code. They then tricked the vendor’s website into connecting to their server. As a result, the poisoned fonts pack file with malicious coin miner code was silently installed with the app.
It gets worse because this attack compromised a multi-tier supply chain. It could pose a threat to customers of the six other app vendors that use the same partner vendor. This is the multiplier effect of software supply chain attacks.
Software supply chains are fast becoming a popular way to distribute malware. Software vendors and developers can take the following steps to ensure their apps are not compromised:
- Maintain a secure and up-to-date infrastructure and restrict access to critical build systems.
- Build secure software update processes as part of the software development life cycle.
- Develop an incident response process for supply chain attacks.
Meanwhile, organizations can protect their networks against these attacks by taking the following steps:
- Deploy strong code integrity policies to allow only authorized apps to run.
- Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities that can indicate software supply chain attacks.
Attackers are constantly upping their game, and your software is their next target. Protect yourself, your customers, and your partners by strengthening your protections against software supply chain attacks.
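A minimal defensive check in the spirit of the steps above, added here as an illustration and not taken from the report or from any vendor's code: the installer carries a manifest that pins the hash of every component it is allowed to fetch, so a substituted fonts pack served from a partner server is rejected before it is installed. Component names and file contents are constructed for the example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(components: dict[str, bytes]) -> dict[str, str]:
    """Pin the SHA-256 of every component the installer may fetch.
    In a real release this manifest is produced on the build system and
    shipped inside the signed installer, never downloaded next to the parts."""
    return {name: sha256_hex(data) for name, data in components.items()}


def verify_components(manifest: dict[str, str], fetched: dict[str, bytes]) -> list[str]:
    """Return every problem found; an empty list means the install may proceed.
    Flags a component whose hash differs from the pinned one (tampered),
    a component not listed in the manifest (injected), and a listed
    component that was not delivered (missing)."""
    problems = []
    for name, data in fetched.items():
        expected = manifest.get(name)
        if expected is None:
            problems.append(f"unexpected component: {name}")
        elif not hmac.compare_digest(sha256_hex(data), expected):
            problems.append(f"hash mismatch: {name}")
    for name in manifest:
        if name not in fetched:
            problems.append(f"missing component: {name}")
    return sorted(problems)


# Constructed sample data: the genuine release, and what a poisoned partner server hands out.
GENUINE = {
    "editor-core.bin": b"genuine editor binary (constructed sample)",
    "fonts-pack.bin": b"genuine fonts pack (constructed sample)",
}
MANIFEST = build_manifest(GENUINE)

POISONED_DOWNLOAD = dict(GENUINE)
POISONED_DOWNLOAD["fonts-pack.bin"] = b"fonts pack with extra payload appended (constructed sample)"


def check_genuine() -> list[str]:
    return verify_components(MANIFEST, GENUINE)


def check_poisoned() -> list[str]:
    return verify_components(MANIFEST, POISONED_DOWNLOAD)


if __name__ == "__main__":
    print("genuine :", check_genuine() or "ok")
    print("poisoned:", check_poisoned())
```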
Why think about supply chain security?
When your equipment reaches its end of life or end of lease, it is important to consider data security and the next step in electronic data destruction. Depending on the size of the organization, there are several asset disposition methods to choose from; evaluate which works best for you.
While downloading erasure software may be one option, it does not always guarantee the complete erasure of information on the hard drive. This is where data degaussing comes into the picture, because degaussed data is completely unretrievable and physically no longer exists on the disk itself. Degaussing machines such as the Datastroyer 105 Hard Drive Degausser by Whitaker Brothers have hard drive erasure capabilities of up to 5,000 Oe. Using 240 Volts, the machine takes less than one minute to zap a drive with 20,000 Gauss. This efficiently destroys hard drives holding top secret and classified information.
When it comes to cyber security, suppliers are still your weakest link. The world is changing. Supply chains of the future will look very different from today as businesses constantly review their logistics strategies to achieve greater efficiencies and to meet changing customer and consumer demands. Data security professionals will need to adapt to manage the supply chain of the future, but you won’t be alone. Organized criminal gangs will continue to see supply chains as easy targets with low risk and rich rewards, and their threat is becoming increasingly sophisticated.