Cyber Security
For Union Contractors Only

What is a Supply Chain Attack?

Jack Gerbs

The SolarWinds attack in the news has brought up many new terms that may not be familiar to business owners. Today we are going back-to-basics to discuss supply chain attacks.

Every business uses third-party software and hardware. Even the smallest business has to communicate with vendors and customers, receive, ship, bill, and inventory. A supply chain attack occurs when criminals infiltrate your system through an outside partner or provider with access to your systems and data. When a supply chain attack occurs, hackers have access to the same data and permissions that the infiltrated software has.

Attackers target software developers and suppliers, looking for access to source code or update tools. The goal is to infect a legitimate piece of software and use that software to distribute malware to customers. Hackers break into manufacturers' servers and hide malware in software updates. When these updates are pushed out by trusted vendors, the updates are certified as safe. Customers who are following sound IT practices patch and update their systems regularly, and unknowingly add the malware to their systems.

The SolarWinds attack is greatly consequential for two reasons. First, the Orion tool is a Network Management System, meaning the hackers gained access at the network level and had the same permissions the management tool had. This allowed attackers to change network settings, move laterally through the network, and also target the user level. Second, the Orion tool is used by large corporations and the US Government. The SolarWinds Network Management System is used by 425 of the US Fortune 500.

Many of the large cyber-attacks that make the news are supply chain attacks. The Target breach in 2014 was blamed on a third-party vendor, as was the Equifax breach in 2017. The SolarWinds attack is the largest and most consequential supply chain attack we have seen, but it follows a pattern well established in the cybercrime landscape.

Quanexus, 571 Congress Park Dr., Dayton, OH 45459, quanexus.com, PH: 937.885.7272
Construction Journal, Page 17