Why the Consumer Goods Supply Chain is a Target for Cyber Attackers
The truth is, every industry is a target for cyber attackers or some form of cybercrime. With 2018 moving at a frenzied pace, the cyber threat predictions range from complications in how to regulate cyber activities, to increased attacks by state-sponsored adversaries, to smarter attackers and a rise in Internet of Things (IoT) attacks.
Think of it this way: if you were an attacker, would you want to rob a bank that has advanced security measures, or go after hundreds of individuals whose assets might, in the aggregate, equal the worth of that one bank? Oh, and by the way, the chance of getting caught is a lot lower. That scenario alone should illustrate why the end consumer is more at risk than ever.
Additionally, the rise of IoT exposes vulnerabilities in consumer goods, such as wearables or connected dolls, that attackers can reach.
What to Look For
One of the largest Distributed Denial of Service (DDoS) attacks was carried out by recruiting IoT devices, which is more common than you may realize. These devices range from CCTV video cameras and Digital Video Recorders (DVRs) to your home router. If you recall the details of the Mirai botnet back in 2016, the attack took out HALF of the US Internet. The resulting denial of service created a very meaningful loss of revenue for some.
In 2017, a series of consumer data breaches impacted millions of individuals, and unfortunately it's not over: the data that was compromised will power and drive future targeted attacks.
Unique Challenges in the Supply Chain
Consumer organizations have a unique challenge. They are often not the center of an attack, yet they are in a unique position to enable one. Although consumer goods companies do not directly contribute to the security or insecurity of a device they might be selling, they are a link in the chain.
The supply chain is crucial for a consumer goods manufacturer or retailer. The source of your product should be a top priority. Cutting deals or sacrificing quality could lead to a downstream problem. Again, think Mirai. If retailers refused to do business with an upstream supplier who did not conform to good security practices or code reviews of their products, one of two things could happen: the supplier may look to another distributor, OR real change could be had, translating into better and more secure consumer products. Educating consumers on what to look for, or possibly demand, from their products might just drive vendors to design for security from the inception of the technology.
3rd Party Vendors and Contractors
Another area of insecurity that is often neglected is 3rd party vendors and contractors. Target, the second-largest discount store retailer in the United States, suffered massively from this oversight, which led to a large breach of credit card and personal information. Today, the effects are still being felt by consumers. Arguably, the end consumer is still being impacted, with little recourse other than credit monitoring. In many instances, online retailers are moving their systems to a cloud provider or 3rd party to sell the end product. This form of risk transference can be beneficial, but only if the security implications are understood.
Securing the Supply Chain
So, what can be done? All hope isn't lost, and there are practical steps a consumer goods organization can take. It starts with the basics, and with approaching the basics through a formulated strategy specific to your organization.
If you sell goods to consumers, there's a chance you have certain regulatory requirements, e.g. SOX, PCI, etc. Whether that is a new or old challenge, it can be overwhelming. One recommendation is to start with what you're trying to protect and work out from there. Secondly, look at who your adversaries are and what would happen to your organization if they were to succeed. For example, if you were breached and lost credit card information, how do you report that activity? How do you know if you're even at risk in the first place? Will you lose business to your competitor?
The Center for Internet Security (CIS) Critical Security Controls (CSC) is one of the best places to start, especially if you are new to the game. These controls are mainly technical, but are mapped to many larger frameworks, e.g. ISO 27001, NIST and PCI DSS. The Center serves as a starting place for the 20 basics of security. Get this checklist of areas down and you're well ahead of your competition.
Another way to understand where attention is needed is to conduct a comprehensive vulnerability assessment. This isn't a penetration test! This assessment takes an open and comprehensive look at some of the most basic security areas that should be addressed. When the findings are remediated and you're confident in the changes, another assessment can be conducted to verify or validate that the changes made were adequate. With a baseline, it becomes easier to show the progress the security initiatives are making, and hopefully for the better. For example, review the third-party connections in your organization's networks, how accounts are provisioned (if at all), and what vulnerabilities are present. If the end product is your only worry, conducting a code review or supply chain review could reveal areas where risk wasn't realized in the past.
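The baseline-then-reassess loop above can be tracked with a small script that diffs two assessment runs and keeps the third-party findings visible. This is an added example, not code from the article; the finding records are constructed sample data, and the field names (host, finding, severity, third_party) are assumptions rather than any real scanner's output format.

```python
"""Compare two vulnerability-assessment runs against a baseline.

Added example, not code from the original article. The finding records
below are constructed sample data; the field names (host, finding, severity,
third_party) are assumptions, not any scanner's real output format.
"""
from collections import Counter

# Constructed baseline assessment: what the first pass found.
BASELINE = [
    {"host": "pos-01", "finding": "default-admin-credentials", "severity": "high", "third_party": False},
    {"host": "vpn-gw", "finding": "vendor-account-never-expires", "severity": "high", "third_party": True},
    {"host": "web-01", "finding": "tls-1.0-enabled", "severity": "medium", "third_party": False},
    {"host": "hvac-ctl", "finding": "unrestricted-inbound-from-vendor", "severity": "high", "third_party": True},
]

# Constructed follow-up assessment after remediation work.
FOLLOWUP = [
    {"host": "web-01", "finding": "tls-1.0-enabled", "severity": "medium", "third_party": False},
    {"host": "hvac-ctl", "finding": "unrestricted-inbound-from-vendor", "severity": "high", "third_party": True},
    {"host": "dvr-02", "finding": "telnet-open", "severity": "high", "third_party": False},
]


def _key(f):
    """A finding is identified by host plus finding name, not by severity."""
    return (f["host"], f["finding"])


def compare_assessments(baseline, followup):
    """Return which findings were resolved, persist, or are new since the baseline."""
    base = {_key(f): f for f in baseline}
    follow = {_key(f): f for f in followup}
    return {
        "resolved": sorted(base.keys() - follow.keys()),
        "persisting": sorted(base.keys() & follow.keys()),
        "new": sorted(follow.keys() - base.keys()),
    }


def third_party_exposure(findings):
    """Count open findings tied to vendor/contractor connections, by severity."""
    return Counter(f["severity"] for f in findings if f["third_party"])


if __name__ == "__main__":
    delta = compare_assessments(BASELINE, FOLLOWUP)
    for bucket, items in delta.items():
        print(f"{bucket}: {len(items)}", *[f"  {h}: {n}" for h, n in items], sep="\n")
    print("third-party exposure still open:", dict(third_party_exposure(FOLLOWUP)))
```

The "new" bucket is the part worth watching between runs: remediation that closes old findings while new vulnerable devices appear on the network is not net progress.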
Only time will tell what 2018 has in store for security and consumer goods organizations. It's a fair bet that attackers are becoming more capable and efficient at what they do. Compounding the problem is a supply chain where vulnerable systems are introduced from the day they are created. It's time to look at the upstream problem, but it starts with the basics. Security isn't always glamorous, but the mundane and methodical are what can keep your organization out of the breach headlines.
Matt Hosburgh is a passionate security practitioner, currently working as a Cyber Threat Hunter. He has over 14 years of experience in a variety of security disciplines, which includes experience supporting systems and networks for the Intelligence Community and as a Senior Security Analyst for United States Citizenship and Immigration Services (USCIS).
Matt holds a graduate degree from the SANS Technology Institute, and maintains several GIAC Certifications, to include the GSE.