Understanding How Service Provider Inventories Can Help Prevent Supply Chain Attacks

Where are Your Meat Trimmings Coming From?

Written By Cybersecurity Engineer Brice Dickinson

Hotdogs are the quintessential summertime-pool-party-grill-out food. At every BBQ in America, especially in July, you can find these cylindrical meat sticks of joy on the grill or lukewarm in a tub on the table, 4 hours after being cooked. In fact every year 20 billion hot dogs are consumed by Americans. That’s an incredible amount of hot dogs. But do you remember when you were a kid and you asked someone what a hot dog was? Adults would tell you all kinds of stuff to keep away the horrible truth of the grilled meat sticks. This was mostly to make sure you ate your hotdog and baked beans for dinner but was almost always a lie. Then as a teenager, you learn the truth about how hot dogs are made up of various parts of the “pig” and realize that it was probably better to not know it in the first place. But, just like how hot dogs are made up of many different parts, our districts are also made up of many different parts to make them function on a day-to-day basis. However, we call these parts service providers and not meat trimmings. In this article, we will explore why it is important for a district to know what service providers it’s made up of, in the context of cybersecurity. 

In December 2020, security researchers discovered the largest software supply chain attack in history. This attack was so massive that you may have even heard about it on the nightly news. As the story unfolded what we learned is that at least two Russian APTs (Advanced Persistent Threats, essentially a very advanced group of hackers often working with or alongside governments) compromised the SolarWinds Orion software with a “secret” backdoor. This “backdoor” is particularly problematic because the SolarWinds Orion software is a centralized monitoring, and management software that allows for management of servers and other IT infrastructure. With this software compromised, the Russian APTs were able to sneak into various targeted networks such as fortune 500 companies and US Governmental agencies. Then, through extensive investigations, researchers found that these Russian APTs may have been inside compromised networks since March 2020. That’s between 9 and 10 months of an attacker actively inside a compromised network!

While the SolarWinds Orion hack was unlike anything we have seen before, it may be surprising to learn that supply chain attacks aren’t new. They have been known for some time now. What was different about the SolarWinds Orion hack was both the size and reach it had compared to other supply chain attacks of the past. To better understand what a supply chain attack is, let’s consider how CISA, The Cybersecurity and Infrastructure Security Agency, defines a supply chain attack. CISA states that a software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and deploys malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customers’ data or system. So in the case of the SolarWinds Orion attack, Russian APTs somehow accessed the Orion source code, engineered a backdoor into the software, then published the new code as a new “update”, customers then updated their software, and once “updated” the Russian APTs could then compromise the networks through the software.

To better understand this type of attack and put it in simpler terms, let’s think back to the hot dogs we talked about earlier. If an attacker added a toxic chemical to their “meat trimmings” and sold those trimmings to a hot dog-producing company, people who ate those toxic dogs could potentially get sick and maybe even die as a result of a compromised hot dog. This is an example of a hot dog-based supply chain attack and it highlights that as consumers when we buy hot dogs we are trusting that the company and people who made those hot dogs have made them safely so we can enjoy them on the 4th of July. Every day we are constantly relying on various trusted sources for just about everything in our world. This is why supply chain attacks can be so frightening.

Now that we have a better idea of what a supply chain attack is, the question remains, how do we protect our districts from them? Unfortunately, there is no silver bullet to completely protect us from this kind of attack, but there are ways to both help prevent and respond to supply chain attacks. District IT leadership should keep up with basic cyber hygiene such as maintaining IT asset inventory, enforcing strong password policies, regularly updating software, controlling admin privileges, regularly backing up data, managing end-of-life systems, and implementing an incident response plan.  All are critically important in preventing and responding quickly to a supply chain attack. Additionally, district IT leaders should coordinate with the district’s Fiscal leadership to create and maintain an inventory of your district’s service providers that can also go a long way in preventing and responding to supply chain attacks. 

Just as IT leaders maintain hardware and software inventories, districts should also be maintaining an inventory of their various service providers used throughout the district. This inventory should include the name and enterprise contact information of the service provider as well as a detailed description of what services are being provided. Additionally, you can also include the cost of services provided if necessary. This inventory can either be a master inventory with all service providers on one inventory or multiple inventories broken up by departments with a central district administrator, like the district treasurer, who has access to all inventories. Specifically for the technology service providers, included in your inventory should be your Internet Service Provider, Managed Services Providers, VOIP Service provider, Managed [Cyber]Security Provider, Cloud Service Providers, Gradebook Service Provider, Library System Service Provider, and Online Textbook Providers. Additionally, any applications or software that those service providers use or any data that is accessed by the service providers in your environment should be documented.

Maintaining a service provider inventory allows for easy access to knowing exactly what third parties, services, and software are in your district at all times. If a supply chain attack is detected in a piece of software, like the SolarWinds attack, districts can immediately understand whether or not they are affected by referencing the service provider inventory. Then, if your district is affected, you will be able to follow remediation guides to mitigate the threat as well as communicate to other service providers about the attack so they can respond appropriately. Additionally, in a different supply chain attack scenario, if one of your service providers has been compromised through a data breach or ransomware, by referencing your service provider inventory you can quickly know the scope and size of that service provider’s footprint in your district. Once you understand the size of their footprint in your district, you can work with that service provider to swiftly isolate or remove any affected systems, devices, or services from your environment and remediate any potential threat.

By creating and maintaining a service provider inventory we can better defend ourselves against supply chain attacks and other potential threats. However, any inventory is only beneficial if it is constantly being kept up to date with accurate information. In addition to creating a service provider inventory, make sure to implement a policy that covers when and how that inventory is updated. Make sure that policy is communicated clearly to any staff who may be involved in creating or maintaining this inventory. With an accurate inventory and a clear policy for updating the inventory, we can ensure that we in fact know how our district’s hot dogs are made.