October 9, 2019
It’s every company’s all-too-real nightmare. You receive an email from your shipping company about a delay. After following a link and logging into their portal, you see that no shipment was scheduled. You think it was a simple mistake and go to the next issue in your inbox. On average, it takes 197 days to detect that the link led to an infiltration using your stolen credentials.
Learning that your company’s defenses have been breached (resulting in an average loss of $3.86 million per incident) is bad enough, but knowing the attack abused your trust is worse. This is what happens when a vendor or partner is weaponized against you. Unfortunately, this abuse pattern is so common that it is a top concern for most CISOs.
As companies don’t operate alone, trusted communication is a foundational business requirement. Even CISOs managing highly secure perimeters are increasingly concerned about a recent 78% increase in supply chain attacks. With an estimated 50% of attacks targeting supply chains, it’s time for static security models to evolve. Regardless of your company’s own security posture, the growing complexity of supply chains is forcing security beyond your borders.
Unfortunately, a growing number of breaches are being attributed to supplier vulnerabilities. In January, Managed Health Services of Indiana announced that a phishing attack against a vendor resulted in 31,000 patient records being stolen. More recently, Wipro, a large technology service supplier, was infiltrated in order to attack their customers. Again, the entry point was a phishing scam targeting employees, whose accounts were weaponized against retail customers as part of a gift card fraud scheme.
With the vast majority of modern business conducted via the Internet, securing email is a key aspect of security. Phishing was the primary attack vector in 2018, accounting for nearly 40% of all data breaches, and unsecured email is responsible for 60% of compromised web applications. Applying this to all business partners, it’s clear that email security goes beyond your company, giving rise to “supply chain email security”.
While the security industry has made significant progress thwarting generalized email attack campaigns, more directed business email compromise (BEC) attacks are harder to detect and are increasing in virulence. And since email impersonating a trusted business partner is more likely to trick the target, it’s time to shine more light on the supply chain abuse vector.
Unfortunately, most companies don’t even know who all of their vendors and partners are. Only 35% of companies say that they can identify even their immediate 3rd party vendors, let alone their nth suppliers. Further, deep in the nth level supply chain are SMBs that are prime targets for cybercriminals.
To some degree, though, protection begins at home, and there are some steps companies can take to protect themselves from some obvious supply chain email attacks.
- Email Authentication – Authenticate and send email securely to enable partners to verify legitimate email.
- Email Verification – Enable inbound email verification to ensure email received from key vendors and partners is legitimate.
- Vendor Management – Catalog known vendors and partners, augmented by automated detection of trusted relationships (including “shadow IT” services).
- Protect Vulnerable Employees – Identify employees and departments with privileged access to bolster defenses (e.g. lookalike protection, web limitations, stricter quarantines).
- 3rd Party Contracts – Update vendor and partner contracts to include email security requirements.
- Cloud Protection – Evaluate your company’s use of cloud services and deploy cloud access monitoring and protection.
- Effective Off-Boarding – Add processes that address off-boarding to minimize long-term supply chain risk.
- Security Awareness Training – Employ security awareness training specifically focused on known suppliers.
- Gateway Protection – Configure inbound filtering and data loss prevention to enhance protection against vendor and partner impersonation.
- Incident Response Plan – Update your incident response plan to include your trusted supply chain.
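As an added example that is not part of the original post, here is one way to combine the Email Verification and Vendor Management steps above: audit a catalog of vendor domains by their published DMARC policy, so the gateway knows how much weight a DMARC pass from each partner deserves. The vendor domains and DNS answers are constructed so the script runs offline; a real deployment would resolve each `_dmarc` TXT record with a DNS library instead.

```python
"""Rate each catalogued vendor domain by its published DMARC policy.

Constructed sample data: the dict below stands in for the DNS answers a
resolver would return for "_dmarc.<vendor-domain>" TXT queries.
"""

SAMPLE_DNS = {
    "_dmarc.shipping-vendor.example": "v=DMARC1; p=reject; rua=mailto:dmarc@shipping-vendor.example",
    "_dmarc.payroll-partner.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "_dmarc.legacy-supplier.example": "v=DMARC1; p=none; rua=mailto:reports@legacy-supplier.example",
    # "unknown-vendor.example" deliberately has no record at all
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify_vendor(domain, lookup=SAMPLE_DNS.get):
    """Return (policy, note) for one vendor domain.

    policy is 'reject', 'quarantine', 'none' or 'missing'; the note says
    how inbound verification should treat mail claiming to be from them.
    """
    record = lookup(f"_dmarc.{domain}")
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "missing", "no DMARC record: impersonation is not rejected by DMARC alone"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "none", "monitoring only: mail may be spoofed; apply stricter gateway rules"
    if pct < 100:
        return policy, f"policy applies to only {pct}% of failing mail; treat the rest as unverified"
    if tags.get("sp", policy).lower() == "none":
        return policy, "subdomains unprotected (sp=none): verify subdomain senders separately"
    return policy, "enforcing policy: a DMARC pass can be used as a trust signal"


def audit_catalog(domains, lookup=SAMPLE_DNS.get):
    """Audit every vendor domain in the catalog; returns domain -> (policy, note)."""
    return {d: classify_vendor(d, lookup) for d in domains}
```

Vendors landing in `none` or `missing` are the ones whose impersonation your own gateway rules must catch, which is where the lookalike protection and stricter quarantines from the list above belong.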
Any company concerned about the state of supply chain email security is encouraged to engage their InfoSec and Risk teams to make the necessary plans. Regardless of the effectiveness of current defenses, supply chain security requires orders of magnitude more data and service integration than companies typically deal with on their own. The dynamic nature of modern supply chains means that the days of simple whitelists, blacklists, and custom routing rules are numbered. The next frontier is to take the defense from your perimeter and apply it to your full set of vendors and partners.
J. Trent Adams is Director of Ecosystem Security for Proofpoint, a security company that protects your people, data, and brand against advanced threats and compliance risks. He was Chair of the DMARC email security working group, and worked on Trust & Identity Technologies for the Internet Society.