One of the cardinal rules of hackers is that they always choose the path of least resistance. As little as a year ago, this meant going after people with weak passwords, or lacking two-factor authentication on their key accounts. But as hacking has grown in prevalence, consumers have by and large been taking the advice of experts, meaning that hacking methods are becoming ever more sophisticated, and going far beyond low-hanging fruit.
Third Party Vulnerability
The latest of these newer methods is known as a “supply chain attack”, which exploits the existing trust a user has with a known software provider. The reason this is possible is often because of the prevalent use of third party vendors—including manufacturers, suppliers, handlers, shippers and purchasers—used by trusted software vendors hoping to maximize operational efficiency by using a supply chain network, rather than doing everything in-house. Investopedia noted this damning statistic: “More than 60% of cyberattacks originate from the supply chain or from external parties exploiting security vulnerabilities within the supply chain, according to a 2016 survey by Accenture.”
Once a hacker has infiltrated the supply chain, they can introduce malware into the system, thereby gaining access to a company’s data and intellectual property. Or they can exploit weaknesses in the vendor’s credentials to gain access to the big fish. This was the case with the infamous Target hack, which resulted in the theft of data from 70 million customers. Another example was the Microsoft attack in February, where the company reported that hackers exploited a third-party editing tool’s update, using “their access to deliver an unsigned malware executable as an update for the tool, which the program then downloaded and executed.”
Exploiting Security Protocols
As Investopedia went on to explain, the supply chain attack is a troublingly sophisticated evolution of former methods that hackers used: “Because the target company may have a security system that may be impenetrable for even the sophisticated cyber criminals, supply chain attacks are carried out on the third party businesses on the chain who are deemed to have the weakest internal measures and processes in place. Once one member’s security protocols are found to be weak, the member’s vulnerabilities become the target company’s risk.” In a sense, hackers are still going after the weakest link, but they are doing it in a more sophisticated way that’s harder to prevent.
So what can the average consumer do to protect themselves from falling victim to these more sophisticated attacks? Unfortunately, not a whole lot. As Motherboard reported: “‘Supply chain attacks are almost impossible to detect by regular consumers because of their complexity,’ Bogdan Botezatu, a senior analyst at antivirus vendor Bitdefender, said. ‘Depending on the security solution installed on the victim’s machine, an attack could be stopped or not. Supply chain attacks that target hardware vendors though, are impossible to detect because malicious firmware can compromise the operating system or the locally installed security solutions.’”
Companies, on the other hand, do have more recourse, and hopefully the more outrage that consumers demonstrate over these kinds of attacks, the more these companies will begin taking action. Precautions include more rigorous vetting of the third-party vendors that big, trusted companies choose to work with. In essence, they need to ensure every third party’s security standards are as high as their own. In addition, developers need to pay special attention to all software updates they are pushing out to consumers, taking care to have “strong internal auditing and code review practices in place in order to ensure that the products they release perform as originally intended.”
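The update incident described above involved a program that downloaded and executed an unsigned executable. As an added example (not code from this article or from any vendor it mentions), the Go program below shows an updater check that fails closed unless the update carries a valid Ed25519 signature from a pinned vendor key; the `Update` type, the function names and the demo key are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed demo key (all-zero seed); assumption: real private keys stay offline.
var vendorPriv = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
var pinnedVendorKey = vendorPriv.Public().(ed25519.PublicKey)

var ErrUnsigned = errors.New("update rejected: no signature")
var ErrBadSignature = errors.New("update rejected: signature does not verify")

// Update is a hypothetical update-server response.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// signedMessage binds version to payload so a signed build cannot be relabelled.
func signedMessage(u Update) []byte {
	return append([]byte(u.Version+"\x00"), u.Payload...)
}

// signForDemo plays the vendor's release pipeline for this example only.
func signForDemo(u Update) Update {
	u.Signature = ed25519.Sign(vendorPriv, signedMessage(u))
	return u
}

// VerifyUpdate returns nil only when the signature verifies against the pinned key.
func VerifyUpdate(u Update, key ed25519.PublicKey) error {
	if len(u.Signature) == 0 {
		return ErrUnsigned // the unsigned-update case: never written or executed
	}
	if !ed25519.Verify(key, signedMessage(u), u.Signature) {
		return ErrBadSignature // tampered payload, relabelled version, or wrong key
	}
	return nil
}

func main() {
	good := signForDemo(Update{Version: "2.1.0", Payload: []byte("legitimate build")})
	swapped := Update{Version: "2.1.1", Payload: []byte("swapped build")}
	fmt.Println(VerifyUpdate(good, pinnedVendorKey), VerifyUpdate(swapped, pinnedVendorKey))
}
```

A check like this only covers tampering in the delivery path; it does not help if the vendor's own build or signing process is compromised, which is where the auditing and code review practices mentioned above apply.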