Preventing Cyberattacks in Government Supply Chains

Recent research shows that more than 1 million pairs of emails and passwords for corporate accounts at the 27 largest companies in the defense industrial base are in the hands of cybercriminals. That staggering number doesn’t even account for compromised credentials from hundreds of thousands of smaller businesses that contract with government agencies. Securing these companies in the defense supply chain from cyberattacks is critical to protecting controlled unclassified information that resides on industry systems and networks.  

The Defense Department recently introduced the Cybersecurity Maturity Model Certification, or CMMC. Eventually, all contractors and suppliers doing business with the DOD must meet a minimum level of requirements for a given security level and undergo a certification process based on review by an accredited assessment organization. 

A critical domain of the new certification standards is access control, requiring appropriate tools and processes be in place to prevent unauthorized individuals from accessing sensitive networks and company information. Verizon recently published its annual Data Breach Investigations Report, which indicates that stolen credentials remain the No. 1 hacking tactic used by malicious actors to gain access to “secure” networks and wreak havoc within organizations—and potentially up the supply chain.  

Corporate passwords, particularly for government contractors, should be strong given the assets they protect and organizations involved, but problems arise when employees reuse their company credentials for personal accounts. SpyCloud research found that 79% of passwords at the largest defense industrial base suppliers were reused across corporate and personal accounts.

New breaches happen every day, and the spoils from these breaches will become available to anyone who wants to buy them. Passwords reuse is a gift to cybercriminals because once someone acquires exposed login credentials from one breach, they could use it to unlock more lucrative accounts. 

Cybercriminals test breached credentials against a variety of other logins, taking over other accounts protected by the same username and password. If stolen credentials contain a corporate email domain, criminals have an obvious clue that they could gain access to the corporate network and potentially sensitive government information.

To protect controlled unclassified information in industry systems and networks, defense contractors must take strong measures to continuously detect and remediate credential exposure. Implementing often suggested multi-factor authentication and password managers aren’t enough.

To truly prevent account takeover attacks, organizations must stop criminals before they act. Here are three best practices suppliers can implement to meet CMMC requirements and manage risk within the government supply chain:

1. Stop rotating passwords every 90 days. 

This provides a false sense of security and frustrates people, so they end up recycling passwords or simply adding a character at the end of a well-worn password. Instead, educate users on credential hygiene and guidelines for creating strong passwords.

2. Implement a layered strategy for malware detection. 

'Keylogger' botnet-infected machines recording employee's keystrokes and screens are something we consistently detect at SpyCloud. Criminals have creative ways to convince unsuspecting users to download and install credential-stealing malware. While antivirus and endpoint protection solutions can help detect infections on corporate systems, some malware strains can slip through the cracks—plus, employees' personal systems may not be protected. 

Malware can siphon credentials, browser data, system information, and files that may contain corporate data or sensitive information. These "infected users" are at the highest risk of account takeover, identity theft, and online fraud. In addition to antivirus protection, organizations should implement an early warning solution that flags employee infection so your incident response team can mitigate before criminals cause harm. 

3. Continuously monitor your credentials and PII—both work and personal. 

While criminals often use previously breached data to access accounts, we can use that same data to protect ourselves. There are services available to continuously check whether user credentials show up in third-party breaches and underground marketplaces, so you can quickly secure your accounts and prevent criminals from monetizing the data at the cost of your business.

During the ongoing pandemic, cybercriminal activity has increased and government supply chains have become a lucrative target. The CMMC is a good start to encourage DOD suppliers to get security in proper shape, but regardless of regulation, every organization should strive to attain the highest level of protection possible.

Douglas Lingenfelter is the director of federal at SpyCloud.