Domain 2 · 2.2 Threat Vectors & Attack Surfaces

2.2.5 Supply Chain Vectors

MSPs, vendors, suppliers.

13 min

Supply chain vectors represent the risks introduced to an organization through third-party relationships, including vendors, managed service providers (MSPs), and the physical or digital components used to create products.

Third-Party Risk and MSPs Organizations rarely operate in isolation, creating a web of trust that attackers can exploit to bypass primary defenses. - Managed Service Providers (MSPs): These entities often have privileged remote access to a client's network. If the MSP is compromised, the attacker gains a "trusted" gateway into all the MSP’s clients. - Vendor Risk: Every software library, hardware component, or cloud service integrated into a system is a potential vulnerability point. - Direct Access vs. Indirect: While a hacker might use a router for direct access, the supply chain is an indirect vector where the weakness lies in a trusted partner's security posture.

Hardware and Software Lifecycle Risk management requires tracking the lifecycle of components to prevent the use of unsupported technology. - End of Life (EOL): The point at which a vendor stops marketing or selling a product. While the product may still receive patches or support for a limited time, its replacement is already active. - End of Service Life (EOSL): A critical security milestone where the vendor officially ceases all support, including security updates and technical assistance. Systems running EOSL software are highly vulnerable to new exploits. - Asset Disposal: Improperly decommissioned hardware can lead to data breaches if sensitive information is not purged before the device leaves the chain of custody.

The Chain of Trust Security often relies on hierarchical models to verify the integrity of the supply chain and its communications. - Certificate Authorities (CAs): These entities establish trust through a hierarchy. A Root CA issues certificates to Intermediate CAs, which then issue certificates to end entities. If any link in this chain of trust is compromised, the entire branch is invalidated. - Blockchain: Unlike traditional centralized trust (like banks or CAs), blockchain uses a decentralized, peer-to-peer public ledger to verify transactions and records, potentially reducing reliance on third-party institutions.

Emerging Technical Vectors Modern supply chains are increasingly digital and interconnected, expanding the attack surface. - IoT and Mobile: Internet of Things (IoT) devices often lack robust patching mechanisms, providing a "rogue" entry point into a network. - Cloud Vectors: Migrating services to the cloud moves the supply chain risk to the provider's infrastructure and management interfaces.

Quick Recall - MSP Risk: Attackers target the provider to gain access to multiple downstream customers. - EOSL: The "danger zone" where no more security patches are provided. - Intermediate CA: A subordinate entity within the chain of trust that signs certificates for end-users. - Direct Access Vector: Bypassing security via hardware like a router or physical USB thumb drive. - Security Posture: The overall security status of an organization, including external partners and vendors.