The recent warning posted by US National Counterintelligence and Security Center (NCSC) for software supply-chain attack risk draws attention to software used by companies in their supply chain. Every 3 out of 4 professionals acknowledge that they are not fully prepared for supply-chain attacks (aka third-party attacks or value-chain attacks) in responses given to a survey conducted by CrowdStrike. Similar figures appear in a study conducted by Ponemon Institute stating that 56% of the companies have experienced a 3rd-party breach in 2017.

Software supply-chain attacks

Supply-chain attacks may originate from one of your third parties that has access to your system, which includes data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, subcontractors, any external software or hardware used in your system (even the javascripts added to your website to collect analytics) and list goes on. When a supply-chain attack is executed through an external software used in the system, it may difficult to detect and consequences can be very high as happened in NotPetya attacks.

software integration

NotPetya spreads a ransomware to many companies used major accounting program widely used in Ukraine. Recently, we have seen some very disturbing software supply-chain attacks. A very short list is provided below:

  • In June 2018, an attack to online survey tool Typeform exposed passwords, e-mail addresses, and personal contact information of millions of people who are customers of major brands such as Monzo, Adidas, TicketMaster, Harvey Norman, Fortnum & Mason, Research4Me.
  • Recent TicketMaster breach of more than 40 thousands of UK citizens’ data that is caused by an web application operated by Inbenta is also an example of software supply-chain attack.
  • In April 2018, an attack to online chat application [24] used by large companies such as BestBuy, Sears, Kmart, and Delta expose hundreds of thousands customer data (per company).
  • In June 2018, it is revealed that more than a dozen US cities suffer a data breach of over 10 thousand individuals’ names, credit card numbers, card expiration dates and security codes because of an attack to online payment system called Click2Gov.
  • Same month, any data submitted in the course of recruitment submitted to large UK company Whitbread is exposed due to an attack to online recruitment system provided by PageUp.

How to prevent software supply chain attacks

prevent software supply chain attacks

  • Limit use of external software by avoiding use of software that you do not require.
  • Most of the attacks come from widely-used “freewares”. Determine if you really need that software. If not, do not allow to use it. This rule also applies to web browser extensions and plugins.
  • Monitor your cyber risk for third-party attacks. The victim of software supply-chain attack might be one of your third-party vendor and attack may spread to you.
  • Use IDS/IPS systems to detect anomalies in your system.
  • Patch management is also crucial to avoid such attacks.

Learn your supply-chain risk before it’s too late

Supply-chain risks are usually invisible to companies and the discovery of those risks requires gathering data of your third parties and providing a risk assessment. With recent supply-chain attacks, companies would be more aware of supply-chain attacks. However, self-assessment of supply-chain risk is very challenging. Using services such as Black Kite Cyber Risk Scorecard would ease the assessment of third-party risk. Learn your cyber risk score, create your ecosystem, and discover your supply-chain risk before it is too late. To schedule a demo, visit