Chapter 36 Β· Quiz

Supply Chain Vulnerabilities Quiz

Multiple choice, matching, analysis, and evaluation questions.

Part A β€” Multiple Choice

Q1
What is the fundamental reason supply chain attacks are effective against well-secured organizations?
βœ… Correct: B. Supply chain attacks succeed because they exploit trust rather than breaking security controls. A vendor with legitimate VPN access using stolen legitimate credentials looks exactly like normal authorized activity. The intrusion detection system sees "authorized vendor account accessed permitted systems during business hours" β€” not an attack signature. The attacker bypasses the security perimeter entirely by entering through a door that was already open for business reasons. This is why vendor credential compromise is so dangerous: the access control system is doing its job correctly β€” it's the underlying trust model that has been exploited.
Q2
In the November 2013 Target Corporation breach, which organization was the initial entry point for the attackers, and what access did it hold?
βœ… Correct: B. Fazio Mechanical Services was the HVAC contractor that monitored refrigeration and environmental systems in Target stores. To provide remote monitoring, Fazio technicians had VPN credentials for Target's network. Attackers compromised Fazio via phishing, harvested those VPN credentials, and used them to access Target's internal network. Because Target's network was not properly segmented between vendor access and production systems, the attackers reached point-of-sale infrastructure across 1,800 stores. The lesson: an HVAC company that seems irrelevant to payment security held the keys to 40 million credit card numbers.
Q3
The SolarWinds SUNBURST attack compromised approximately 18,000 organizations through a single malicious software update. What made the update so difficult to detect and so widely trusted?
βœ… Correct: C. The attackers compromised the build pipeline β€” the process that compiled source code into an installable package. By the time the code was compiled and signed, it already contained the malicious SUNBURST backdoor. SolarWinds' own code-signing process then applied a genuine, cryptographically valid signature to the malicious package. Every customer's verification check confirmed "this update was signed by SolarWinds" β€” which was true. The signature didn't lie. The problem is that code signing only proves provenance (who signed it), not safety (that the signed code is benign). If attackers can modify code before the signing step, the signature becomes a false assurance.
Q4
An organization discovers that twelve network switches purchased 18 months ago from an online marketplace contain internal components that do not match the manufacturer's documentation and run different firmware than the official product. What supply chain risk does this represent, and what is the primary security concern beyond physical failure?
βœ… Correct: C. This is a hardware supply chain attack β€” counterfeit networking equipment. The physical failure risk (unexpected device failure, fire in extreme cases) is real but secondary to the security concern. All network traffic flows through switches. A counterfeit switch with unknown firmware could be silently logging, copying, or redirecting traffic. The organization has been operating under the assumption that its network infrastructure is trustworthy, when the actual devices may have been designed to behave otherwise. The immediate response is to remove the suspect devices from production, replace with hardware from authorized sources, and review network traffic logs for evidence of unexpected data flows or exfiltration during the period these devices were in service.
Q5
An organization's vendor management policy requires a security review of all new vendors at onboarding. A long-term vendor relationship with a managed service provider has been in place for six years without any subsequent security review. Why is the one-time onboarding review insufficient from a supply chain security perspective?
βœ… Correct: C. Security is not a static property β€” it changes as organizations grow, lose key personnel, change ownership, take on technical debt, or face budget pressure. A vendor that was a 10-person company with strong security culture at onboarding may be a 200-person company acquired by a private equity firm six years later, with very different security practices. The trusted access granted at onboarding based on a one-time review remains in force regardless of how the vendor has changed. Periodic security reviews (annual for high-access vendors) ensure the trust relationship remains appropriate to current reality. Note: security certifications (D) represent a point-in-time assessment under a specific framework β€” they are useful evidence but not a substitute for ongoing relationship-specific reviews.

Part B β€” Matching

Match each supply chain attack type to its correct example or description.

TERM

Island Hopping
SolarWinds SUNBURST
Counterfeit Hardware
Target/HVAC Breach

DESCRIPTION

Malicious code injected into build pipeline before code signing; distributed to 18,000 customers via legitimate update channel
Compromising a weaker supplier to gain trusted access to a better-defended final target
Service provider supply chain attack: HVAC contractor phished β†’ VPN credentials stolen β†’ POS systems at 1,800 stores infected
Hardware sold as genuine but manufactured without authorization; may contain backdoors or monitoring capabilities

Part C β€” Analysis

Q6 β€” Analyze
A financial institution requires all software to be signed with a valid code-signing certificate before installation. A vendor delivers a software update with a valid signature from a trusted certificate authority. Unknown to the institution, the vendor's build server was compromised two weeks earlier and malicious code was injected before compilation. The institution installs the update. Analyze whether the code-signing policy protected the institution and what additional controls might have helped.
βœ… Correct: B. This is precisely the SolarWinds SUNBURST scenario. Code signing answers one question: "was this signed by the claimed entity?" It does not answer "is this code safe?" If the vendor's build process was compromised before signing, the malicious code is compiled into the product and the vendor signs it with their legitimate key. The signature is authentic β€” the code is malicious. These are independent properties. Additional controls: (1) Staged deployment β€” run the update in an isolated test environment for several days and observe behavior before pushing to production; SUNBURST had a dormancy period but behavioral anomalies during activation would be detectable. (2) Behavioral monitoring β€” network connections made by the software after installation should match its documented behavior. (3) Reproducible builds β€” a process where the binary can be independently re-compiled from source to verify it matches the distributed package. None of these is perfect, but together they provide layers of detection that pure signature checking cannot.

Part D β€” Evaluation

Q7 β€” Evaluate
A CISO argues: "We only need to worry about supply chain security for our large enterprise software vendors β€” small vendors like cleaning companies and facilities managers have no meaningful access to our systems and are not a supply chain risk." Evaluate this claim.
βœ… Correct: C. The CISO's framing is the exact misconception that the Target breach demolished. The risk is not the vendor's industry or size β€” it is what access that vendor holds. An HVAC company, cleaning contractor, payroll processor, or facilities manager that has VPN credentials, service accounts, or remote access to internal systems holds attack-enabling access regardless of their primary business. Supply chain risk assessments should be driven by a simple question: "Does this vendor have any credentials or access to our internal systems?" If yes, they are a supply chain risk and require appropriate controls β€” network segmentation, least-privilege access, credential monitoring, and periodic security reviews of their practices.
0/7
Questions Answered Correctly