Supply Chain Attacks – SY0-601 CompTIA Security+ : 1.2

Supply chain attacks are designed to affect many victims from one broad attack vector. In this video, you’ll learn about supply chain attacks and how companies are managing their supply chains.




The supply chain is the chain of manufacturing that gets a product from the very beginning to the very end of its process. This includes the raw materials, suppliers, manufacturers, distributors, customers, and consumers. With all of these different points along the chain, there’s a lot of opportunity for someone to be able to attack any one of these and affect anybody else who might be downstream in that chain.

One of the reasons this works so well is that we tend to trust what we receive from our suppliers, not realizing, of course, that somewhere up the chain there was an attack that now has shown itself in the equipment, the software, or the technology that we’re now putting onto our network. And with so many other steps before that technology arrives on our doorstep, there are plenty of places for an attacker to be able to infect that supply chain.

A notable supply chain breach occurred in November of 2013 with the Target Corporation, where 40 million credit card numbers were stolen. This attack did not start at Target. It instead started in Pennsylvania at an HVAC company. That’s a Heating, Ventilation, and Air Conditioning company.

This is an organization that had people that took care of and maintained the HVAC systems for many of the Target locations. To be able to interact with Target, there was a VPN connection that these technicians would use to be able to send and receive information about these HVAC systems. There was an email with malware that was delivered to this firm in Pennsylvania, and that malware was able to obtain the VPN credentials so that the attackers were able to access the VPN themselves.

This was the breach of the supply chain. The attackers were able to take advantage of the HVAC supplier and gain access to the inside of the Target network. Unfortunately, the Target network did not have any additional security on the inside to prevent vendors from gaining access to other parts of the network. So once the attackers got onto the Target network, they then had access to every single register at all 1,800 Target stores. This is a good example of how a supply chain attack can occur because the attack vector isn’t one you were expecting. The folks that are on the roof taking care of the air conditioning and heating are not where you would expect a breach to come from, especially one that would then steal over 40 million credit cards.

Supply chain cybersecurity has become a significant concern for organizations. You have to know that your server, your router, your switch, your firewall, or any of the software you’re installing is something that you can trust to put on your network. Many organizations are narrowing down the number of vendors they work with so that they can do more testing and more auditing and make sure that what they’re receiving from those suppliers is trusted. Organizations are also requiring that those suppliers have very strict controls over everything that they’re doing and that audits can occur within the supplier’s network so that everybody can trust exactly what’s being delivered to the end user. If you have relationships with your suppliers, this is a good chance to team up with them and make sure that everyone is able to get a safer product all the way through the supply chain.