Supply Chain Vulnerabilities
Within the computer security field, some industries refuse to admit their vulnerabilities. My job requires me to see vulnerabilities from the attacker's perspective. Sometimes I see vulnerability discussions in hacker forums, sometimes when vulnerabilities are reported by computer security companies, and occasionally when breaches or hacks make it into the media.
Recently I was asked to document risks to law firms. My example was the attacks on Canadian law firms during the Chinese interest in acquiring potash (2011-2012). I saw one estimate that as many as 250 law firms were breached and data mined for information on potash companies. When is the last time you heard a lawyer or law firm talk about their computer security?
As the industries that were receiving the brunt of cyber attacks tighten their security, the attackers are looking for easier targets, targets that will provide them with revenue over time. Some attackers have identified supply chain vulnerabilities, and in particular the transportation industry has attractive potential (to hackers). In 2015, an American computer security company identified one criminal group that ran five major attacks in the maritime transport industry supply chain.
The attackers are not pizza-eating high school or university students. The serious attackers are sophisticated criminals operating in an almost corporate manner, who calculate their return on investment (ROI). These groups think long term – not smash and grab. They also have a number of financial models they use, meaning they can do different things depending on what they find.
Despite evidence of increasing threats, many companies and organizations won’t discuss computer security. An international conference on computer threats to the maritime transportation industry was recently shelved. The organizers tried to convene the conference to promote improving computer security because of threats already discovered. Prospective participants did not want to attend because attending might have a negative impact on their business!
One estimate is that there are four to six Russian criminal hacker groups that have accumulated more than one billion dollars (USD) in revenue from hacking. They want more, and they are looking for new targets. If you don't think they can make money off you, it's because you don't think like a thief. If your company or organization is not ready, you will get the same treatment that the law firms got. It's an unpleasant and expensive experience.
For more information or to contact the author please contact CSCIS external relations.