In March, 3CX disclosed a supply chain attack that surprised researchers investigating it. They discovered that the attack had an unusual and alarming origin: another company's supply chain attack. This revelation in the "Inception" attack has caused concern among information security professionals.
It has highlighted the unsettling reality that the security of their software may be far beyond their control, even when they follow best practices. In a world with extensive interdependencies, the implications of such attacks are troubling. They can spread like a virus, starting from one point and infecting connected communities. This raises concerns about the hidden presence of malicious actors deeply embedded in one's environment.
Why such attacks are concerning?
What made this attack particularly concerning was its origin, which was traced back to another company's supply chain attack. It signifies that even when organizations take all the necessary precautions and follow security best practices, their software's security may still be compromised due to factors beyond their control.
Such an attack has significant consequences, revealing the complex connections within the digital world. Software and systems depend on various parts from different vendors and suppliers. If any of these parts are compromised, it can have a domino effect throughout the entire supply chain.
This puts many organizations and their customers in danger of security breaches. In simpler terms, an attack on one component can harm the entire system, affecting multiple businesses and their customers.
This incident underscores the challenges faced by information security professionals in maintaining the integrity and security of their systems.
It reveals that no matter how diligent an organization is in implementing security measures, the actions of external entities can still pose a significant threat. It also raises concerns about the presence of malicious actors operating covertly within interconnected environments, highlighting the need for heightened vigilance and robust security measures at all levels of the supply chain.
Expanding Threats have Outpaced the Development of Cybersecurity Talent
A study conducted by (ISC) in January 2022 highlighted a global shortage of 3.4 million cybersecurity professionals. Another survey found that more than four out of five companies have less than five in-house security analysts, which is insufficient to run their security operations center.
Due to this shortage, organizations have turned to external vendors to fulfill their cybersecurity needs. The attack on 3CX software highlights how vulnerabilities can emerge in an enterprise's software supply chain.
According to a survey by the Neustar International Security Council, about 73% of information security professionals believe they or their customers are somewhat or significantly at risk due to increased reliance on third-party providers.
What is a Supply Chain Ecosystem?
A supply chain ecosystem is like a big interconnected network that includes all the different parts involved in getting a product from where it is made to the person who uses it. It's made up of businesses, vendors, suppliers, partners, people, processes, data, and resources that all come together to make the supply chain work.
Third-party Providers Increase the Exposure to Risks
In simpler terms, there are not enough cybersecurity experts to keep up with the growing digital threats. Many companies have very few in-house security analysts, so they rely on external vendors for cybersecurity services.
The attack on 3CX software shows that weaknesses can occur in the software supply chain. A significant number of security professionals feel that integrating with third-party providers increases their exposure to risks.
To Minimize Risks in the Supply Chain Ecosystem, Enterprises Can Take Several Steps:
1. Assess security controls: Ask potential partners about their security practices through standardized questionnaires to understand their level of security.
2. Seek third-party evaluations: Engage third-party evaluation services during due diligence to gain additional insights into the security capabilities of potential partners.
3. Hold suppliers accountable: Include regular audits, at least annually, in contractual agreements to ensure suppliers meet defined security standards.
4. Maintain ecosystem awareness: Continuously monitor and understand the partner ecosystem to stay aware of potential risks and vulnerabilities.
5. Implement preventive measures: Enforce security standards that align with or exceed the organization's own practices, ensuring partners adhere to them.
6. Develop a strong response strategy: Establish a comprehensive plan for detecting, mitigating, and responding to compromised systems, including those introduced by supply chain partners.
7. Employ layered security solutions: Utilize advanced security solutions for endpoints, networks, and protective DNS to actively monitor and block suspicious activities or communications from compromised systems.
Reducing supply chain risk requires cooperation and shared responsibility among stakeholders. Traditionally, the burden has been placed on individual enterprises to protect themselves, rather than on the parties responsible for releasing insecure software. New strategies should aim to shift the burden onto software vendors, promote secure development practices, and encourage collaboration between vendors and clients to enhance cybersecurity.