Supply chain issues
“The supply chain is the weakest link and the easiest to get to,” says Deloitte's Bissell. “If a company is vigilant about protecting itself from cyber attacks, actors will go after their suppliers, as there is likely to be a weakness. Suppliers aren't always as secure and don't provide the appropriate level of control, especially the smaller ones.”
For instance, American automobile and aircraft manufacturers use thousands of foreign parts. The supply chain can easily be compromised. “If products are manufactured in other countries, there is little control over what is going into the product,” says Damballa's Demar. A 2012 Senate Armed Services Committee investigation cited instances of suspect parts identified in U.S. military systems and accused China of being “the dominant source country for counterfeit electronic parts that are infiltrating the defense supply chain.” As well, counterfeit computer chips have been found in American fighter aircraft. Too, the Chinese stole a new radar system that the U.S. Navy spent billions of dollars to develop. China has also accused – and even arrested – individuals on charges they spied for the United States.
Bissell says that over the past five years, companies have been requiring more of suppliers in contracts – liability, auditability and accountability clauses. Deloitte has a dedicated team that reviews such contracts for large companies and this is taking up more and more of its time. However, it is expensive to dedicate the resources to actually monitor this.
In the private sector, the defense industry is the most advanced in terms of best practices, according to Brody. The costs of a breach within this sector could be the loss of government contracts. The Defense Security Information Exchange online portal accommodates sharing of attack information among security personnel without the government getting involved. Brody says the financial services industry also does a credible job of protecting networks, but the energy industry is weaker, with SCADA systems being at particular risk.
Andy Purdy, CSO of Huawei USA – whose parent company, Shenzhen, China-based Huawei Technologies, has itself been accused of tampering with the supply chain – says that companies have to watch for intentional insertion of malicious code in products. He recommends they identify best practices or standards within their industries to prevent and mitigate cyber espionage in a way that is financially reasonable. He also recommends that organizations conduct both internal and external audits. Third parties should be hired to perform penetration testing. Too, companies should periodically review employee's compliance with security policies and practices. Further, he says companies would benefit from participating in public-private partnerships. ISACs (Information Sharing and Analysis Centers) are voluntary industry groups that do not share information with government agencies. They exist in IT, public transportation, financial services, higher education, state and local governments, and help members learn from cyber attacks.
If companies find that they have been breached, they need to immediately shut down the network and conduct a forensic exam, says Brody. The incident team has to find out what happened, while getting the operation of the company back up as soon as possible.
In addition, security experts recommend that companies learn which data is critical and which is not. They should then focus on protecting “the crown jewels,” rather than trying to shield everything.
However, state-sponsored malicious actors are too often competent at covering their tracks. According to Ferraro, the adversaries move laterally across the enterprise, collecting email addresses and passwords of everyone in the organization. Mitigation is expensive because it is time-consuming to shut down the entire network, sanitize it and bring it back in a clean state. Having a good incident response team is critical.
Ferraro recommends placing specific controls on data at rest and applying tools to prevent data leakage. Companies must be vigilant too about the insider threat, he adds, because this is a key element in cyber espionage. Foreign nationals or disgruntled employees can easily steal IP or trade secrets. Nation-states target these employees to exfiltrate information.
Meanwhile, Demar says too much attention is paid to host-based precautions, such as anti-virus and firewall protection. He recommends using “defense-in-depth,” multiple layers of security controls. He also suggests looking outside of traditional security measures and employing advanced threat detection.