There will be no fewer attacks: control of supply chains was discussed at Positive Hack Days 12
The leaders of the largest Russian companies talked about the consequences of attacks on supply chains that are critical for their business.
The round table “Attacks on the supply chain: trust in services and technologies in the new world” was held on May 19 at the Positive Hack Days 12 festival. During the event, representatives of the largest Russian companies discussed the industry specifics of such attacks and the critically dangerous and unacceptable consequences for their organizations, and assessed the cyber risks of interacting with suppliers and the prospects for effective protection.
The round table was attended by Alexei Volkov, Vice President and Information Security Director of VK; Evgeny Rudenko, Cybersecurity Director of the Rambler&Co media holding; Kirill Myakishev, Information Security Director of Ozon; Pavel Kulikov, Technical Director of CDEK; and Alexey Novikov, Director of the Positive Technologies Expert Security Center (PT Expert Security Center, PT ESC).
Answering a question about the industry specifics of attacks on supply chains, Rambler&Co Cybersecurity Director Evgeny Rudenko noted that in the context of Internet media holdings, compromising content providers through which media receive and transmit data is completely unacceptable. To reduce risks, Rambler&Co creates its own services. However, many Internet companies still rely on third-party resources, making it difficult to identify industry specifics.
Experts highlighted several key points in retrospect and made a prediction regarding attacks on supply chains. In recent years, the number of such incidents has increased significantly: suffice it to recall the attacks on US government agencies and Google services, the attacks on Russian government websites, the compromise of the records of 3.7 million customers of the South African pharmacy chain Dis-Chem Pharmacies through the hacking of a third-party service provider, the attacks on real estate websites through a video player, and many others.
“The increase in the number of incidents of this kind is explained by the fact that the modern Internet is becoming more and more ecosystem-based: services interact with each other and provide analytical and other services. Integration increases the risk of compromise through suppliers,” comments Evgeny Rudenko.
Given the surge in hacker activity in recent months, Alexey Novikov, director of the Positive Technologies expert center, predicts a further increase in the number of attacks on supply chains. “Russian companies are experiencing increased attention from hackers, whereas earlier it could be called targeted: mainly one-stage attacks were carried out, to which organizations adapted. A range of simple guidelines were developed to avoid such incidents, although leaks still occurred to some extent. Now the situation has changed: the attacks have become targeted. Hackers study the victim, try different tools and techniques to achieve the desired result. Counterparties of a potential victim will inevitably fall into the field of view of attackers, and therefore, the trend of attacks on supply chains will intensify,” says Alexey Novikov.
According to Pavel Kulikov, technical director of CDEK, the number of incidents will grow, among other things, because the IoT segment, which integrates with both hardware and software, is at a stage of intensive development.
According to Kirill Myakishev, director of information security at Ozon, the online trading business model attracts not only new customers and entrepreneurs, but also cybercriminals. There is a need to take additional measures to protect platforms from such threats. “Our cybersecurity and antifraud teams are constantly studying the latest public cases of cyberattacks, improving their own systems and adding new measures and protections to secure sites,” the expert noted.
Panellists shared their perspective on the consequences of attacks on third-party vendors that their organizations would find unacceptable. Evgeny Rudenko named reputational (image) damage among the critically dangerous consequences, noting that reducing this risk requires support from the state and from large market players. “It is necessary to form common standards and formulate a pool of standardized cybersecurity maturity requirements that companies could comply with. For example, when deciding on cooperation with a particular organization, it will be possible to request documents and make sure that the supplier complies with uniform market requirements. The Internet environment must be regulated in terms of cyber security. So far, we have neither the legislative framework nor the resources to check the level of information security maturity,” commented the expert.
The round table participants also gave their recommendations on how to protect against supply chain attacks. In particular, it was noted that it is important to correctly assess the perimeter through which attackers can gain access to the company’s infrastructure.
“Any large business cannot focus solely on protecting critical infrastructure, since data can be accessed in other ways, for example, through contractors and partners,” said Kirill Myakishev. In addition, Ozon’s chief information security officer drew attention to the importance of educating employees, customers and partners in the basic rules of information security: people must understand the possible risks and know the basic precautions that will allow them not to fall for the tricks of scammers.
For his part, Evgeny Rudenko, director of cybersecurity at the Rambler&Co media holding, noted that employees of information security departments should participate in all company processes and be included in the approval of new projects, contracts, and architecture. Among other things, the market needs to be made civilized and regulated, with clear requirements from the state that organizations must comply with, the expert believes.
Speaking about the concept of zero trust, Alexey Volkov, director of information security at VK, called it correct: with this approach, the most effective way to ensure information security is uniform control over all of the company’s suppliers and counterparties, with initial distrust of every link in the chain. “Zero trust will help strike a balance between security and business interests. To achieve this balance, regulation and the creation of information security regulations by the state will be needed,” said Alexey Volkov. In turn, Pavel Kulikov, Alexey Novikov and Evgeny Rudenko called the concept ideal in many ways and not found in its pure form, but emphasized that it should be strived for.
Overall, the roundtable at the 12th Positive Hack Days paved the way for further discussions and development of strategies to protect against supply chain attacks. The experts noted the importance of taking security measures in the modern Internet ecosystem, as well as the need for active cooperation and exchange of experience between companies in order to make the digital world more secure and reliable for all users.