Hafnium and SolarWinds shake up attitudes to supply chain risk management

Who do you trust?

That’s the big question facing companies around the world in recent months. In the wake of a wave of epic vulnerabilities, and equally massive compromises, affecting businesses and government institutions across the US and pretty much everywhere else, the reliability of our suppliers and providers has come into sharp focus.

Everyone wants to avoid the all-too-common inefficiency of “reinventing the wheel”, building things in-house rather than buying them in. Even the largest and most well-resourced companies quite rightly balk at the idea of creating their own versions of complex software when specialist firms with decades of experience offer to meet any need with well-respected, widely deployed, and generally trusted applications at much lower cost. 

While we may gripe about usability issues, get annoyed by integration gaps, or wrangle over pricing, the trust part is generally taken for granted. These providers are the experts, we tend to think, let them handle the hard stuff and let me get on with my job.

Solarwind attacks

The unveiling of the SolarWinds hack at the end of 2020 was a landmark moment for trust in providers. The fact that rogue code inserted into the updates of a popular network monitoring tool, SolarWinds’ Orion product, could lead to total compromise at tens of thousands of networks, including many US government departments and leading companies such as Microsoft and FireEye, opened a lot of eyes to the potential risk of placing so much trust in third-party suppliers.

The SolarWinds incident, described as “one of the biggest cybersecurity breaches of the 21st century”, made many of us think, perhaps for the first time, that simply finding a tool that met our needs, buying a license or subscription, and letting it loose in our networks was not good enough; anything we grant access to our most sensitive data is a potential danger, and the risk involved needs to be carefully weighed and measured before we dive in.

Hafnium attacks

This lesson has been hammered home in recent weeks by a second, even bigger wave of compromises, this time thanks to holes in Microsoft’s pivotal Exchange Server software. The ”Hafnium” attacks, so named after the Chinese state-sponsored hacking group claimed to have led the charge to exploit the newly-discovered vulnerabilities, leveraged Outlook Web Access much as the SolarWinds attacks did.

The flaws let them gain access to vulnerable servers and escalate privileges to admin level, enabling them to drop web shells and from there do just about anything they wanted. With tens of thousands of companies large and small deploying Exchange to manage their email connectivity, and just about all of them exposed to attacks from any of a large set of attackers scanning the internet for targets, the list of victims is once again enormous, covering everything from mom-and-pop businesses to major government agencies, energy providers, and banking authorities. The damage done ranges from theft of sensitive data and spearphishing to cryptomining and ransomware attacks.

In the longer term though, there is hopefully a silver lining to all this devastation. It should finally make clear to everyone the pivotal importance of managing supply chain risk. Simply relying on major providers to supply software that not only does its job but does it in a secure, safe way is no longer good enough. Any provider, regardless of size or reputation, is a potential risk; obviously, we can’t simply blacklist any provider which has ever suffered a vulnerability, or we would quickly run out of potential providers.

The only route left open is careful management of the risk involved – weighing the possible dangers and how an issue might affect a business, tracking the record of a proposed provider in terms of both quality and speed of response to emerging problems, choosing the right providers and ensuring that the right contracts are in place for implementation and ongoing support, mitigating potential hazards with technical or financial protections, these are all vital stages in acquiring any software or service, but can be time-consuming and require significant expertise. 

If you can find the right partner for this process, you can rest easy knowing that a trusted expert is doing the work for you and making sure your risk is not just properly understood, but kept to a bare minimum.

Give us a call if you want to discuss how you can verify your environment is as resilient as possible. 

Previous ArticleTakeaways from the British Mensa Security Drama Next ArticleIoT device makers wanting to better security standards