Transcript for:
Supply Chain Attacks 47

When thinking about a product or service that is sold by an organization, we don't often think about the individual components that make up that final product. But in reality, it is that supply chain that creates an additional security concern for everything that we do as a company. The supply chain that creates the final product could include raw materials and suppliers of those raw materials. It might include manufacturers and distributors that get those products to you. And it also involves your customers and consumers of your product. Every point of this supply chain becomes a security concern, and attackers would like to get their way into the supply chain so that they can eventually make their way into your network. This means that an exploit with a raw material supplier that is used to create a product that you purchase could potentially be a security problem within your organization. You have no control over the security associated with those raw material suppliers. You're not involved with the process, but ultimately this now becomes a security concern for you.

So although we have complete control over the IT security of our own organization, we may not have that same visibility for any of our providers. In many cases, these third-party providers might already have access to our network because we might have an internal portal that they use to determine what tasks we would like them to perform. This is a perfect opportunity for someone who wants to attack your network. If they can gain access to the provider network, they can then gain access to your network. And if you think about all of the different providers used by your organization, this becomes a very big list. This could be a network provider, a utility, someone who does office cleaning, maybe it's a payroll company that you work with. If any of these third-party providers are compromised, the attacker could use that access to begin attacking your network.

This is why many organizations are writing into their service contract that they need access to audit the security of their providers. This allows an organization to understand what type of security their providers are using, and if there is an opportunity to provide additional security, it would show up during one of these audits. A good example of how security at a provider could affect your organization occurred in November 2013 with the Target Corporation. This allowed for 40 million credit cards to be stolen, all because of air conditioning. This started with a heating, ventilation, and air conditioning firm in Pennsylvania that was infected through an email message that contained malware. That malware allowed attackers access to the systems within this HVAC company. And they ultimately were able to gain VPN credentials from that HVAC company that were used to access the Target network. This HVAC company used this VPN to gain access to vendor resources on the Target network. Unfortunately, at the time, the Target network was one large network that did not separate the vendor network from the point-of-sale network. This meant that once the attacker accessed the Target network, they effectively had access to every store in the Target system. They then infected point-of-sale terminals inside of Target to start collecting credit card numbers, and they collected millions of these numbers before they were discovered. This was a significant breach for Target, and it was created because of the vendor relationship they had with this HVAC company.

In your company, you probably have switches, routers, firewalls, and many other devices that you're putting into your network. But when you install one of these new switches or routers, are you sure there's nothing malicious inside of those components? In order to address concerns with the supply chain, many organizations are limiting who they work with to acquire these types of hardware. If you can trust your vendor, then you can often trust the equipment that you're installing into your network. Many organizations are also performing additional checks of the equipment they receive to ensure that it is legitimate and from the original manufacturer. This is now part of the normal security policies for many organizations, and they are performing extensive checks of everything they're bringing in the door. Switches and routers would make an excellent attack point. They're devices that are plugged into the network. They all have an IP address, and they're watching every bit of data go through our internal network. But how do you know if the switches and routers that you're receiving are real or if they're counterfeit? This was the problem that was discovered in July of 2022, when the Department of Homeland Security arrested a reseller CEO that had been selling non-legitimate Cisco products. This individual sold more than $1 billion of counterfeit switches and counterfeit routers with the Cisco label. They had created over 30 different companies in order to sell all of this different equipment and had been selling them since 2013. And although we don't believe there was any security concern with the software that was running on these devices, it definitely was not legitimate software. There was certainly the potential for security concern, especially considering how much equipment was sold and how long that equipment had been selling. Ultimately, these were found to be very poorly performing pieces of equipment. They said Cisco on the front, but they were not Cisco inside of the device. It was only once these devices started breaking, and some of them actually catching on fire, that everybody put together that perhaps they weren't receiving legitimate Cisco equipment.

Not only do we install a lot of switches, routers, and other hardware, we also install a lot of software. And each time that we install software onto our computers, we have to trust that the code that we're installing is legitimate. Fortunately, much of the software that we install today includes a digital signature. So you know that the code that you're installing is exactly the same code that was sent by the software developer. This also becomes a concern when we think about updates or upgrades. Often these updates are downloaded and installed automatically. But how safe are the update files that we're receiving? We've not only seen this with commercial software, we've also seen malware integrated into open-source software. So even though the source code is accessible and anyone can read through it, attackers can sometimes get their malicious software put into the code itself and ultimately compiled into the software that you use. A significant supply chain attack occurred with software created by SolarWinds, specifically a product named Orion that was used by over 18,000 customers around the world, including many very large companies and the US government. This attack occurred inside the SolarWinds network itself, and the attacker was able to get their malicious code put into the software before it was digitally signed and sent to customers. The malicious code was added in March and June of 2020, but it wasn't discovered until December of 2020, and by then it had been distributed to many customers. This malicious code was installed on these Orion systems, which then allowed the attackers access to the customers' networks. Not only was SolarWinds Orion running in companies such as Microsoft, Cisco, and Intel, it was also in federal government facilities such as the Pentagon, Homeland Security, the State Department, the Department of Energy, and others. This was one of the most significant supply chain attacks that we've ever experienced, and it's one that has changed the way that we look at how we receive and update software on our networks.
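As an added example, not part of the transcript, here is the kind of signature check an installer performs before applying an update, written with Go's standard-library Ed25519. The key pair and the artifact bytes are constructed stand-ins, and signUpdate is a hypothetical stand-in for the vendor's release-signing step; the last case shows why a valid signature did not catch the SolarWinds modification, which happened before signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// verifyUpdate gates installation on the vendor's Ed25519 signature over the
// artifact. It accepts only bytes identical to what the holder of the pinned
// signing key actually signed, and reports why an artifact was refused.
func verifyUpdate(vendorPub ed25519.PublicKey, artifact, sig []byte) (bool, string) {
	if len(vendorPub) != ed25519.PublicKeySize {
		return false, "pinned vendor key has wrong length"
	}
	if len(sig) != ed25519.SignatureSize {
		return false, "signature missing or malformed"
	}
	if !ed25519.Verify(vendorPub, artifact, sig) {
		return false, "signature does not match artifact bytes"
	}
	return true, "signature valid for this artifact"
}

// signUpdate stands in for the vendor's release-signing step (hypothetical).
func signUpdate(vendorPriv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(vendorPriv, artifact)
}

func main() {
	// Constructed key pair standing in for the vendor's pinned release key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed artifact standing in for a downloaded installer.
	update := []byte("example-agent-1.2.3 installer bytes")
	sig := signUpdate(priv, update)
	fmt.Println(verifyUpdate(pub, update, sig)) // true: untouched artifact

	// Altered after signing (e.g. in transit): one flipped byte is refused.
	tampered := append([]byte(nil), update...)
	tampered[0] ^= 0x01
	fmt.Println(verifyUpdate(pub, tampered, sig)) // false: bytes changed

	// Altered before signing, as in the SolarWinds case: the vendor signs the
	// already-modified build, so a valid signature cannot reveal it.
	fmt.Println(verifyUpdate(pub, tampered, signUpdate(priv, tampered))) // true
}
```

The signature proves only that the bytes match what the key holder signed, so it must be paired with controls on the vendor's build pipeline and with pinning of the vendor's public key on the receiving side.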