
'Inception' Attack: Enhanced Due Diligence Measures Essential

In March, 3CX disclosed a supply chain attack that surprised researchers investigating it. They discovered that the attack had an unusual and alarming origin: another company's supply chain attack. This revelation in the "Inception" attack has caused concern among information security professionals. 
 
It has highlighted the unsettling reality that the security of their software may be far beyond their control, even when they follow best practices. In a world with extensive interdependencies, the implications of such attacks are troubling. They can spread like a virus, starting from one point and infecting connected communities. This raises concerns about the hidden presence of malicious actors deeply embedded in one's environment. 

Why are such attacks concerning?

What made this attack particularly concerning was its origin, which was traced back to another company's supply chain attack. It signifies that even when organizations take all the necessary precautions and follow security best practices, their software's security may still be compromised due to factors beyond their control. 

Such an attack has significant consequences, revealing the complex connections within the digital world. Software and systems depend on various parts from different vendors and suppliers. If any of these parts are compromised, it can have a domino effect throughout the entire supply chain. 

This puts many organizations and their customers in danger of security breaches. In simpler terms, an attack on one component can harm the entire system, affecting multiple businesses and their customers. This incident underscores the challenges faced by information security professionals in maintaining the integrity and security of their systems. 

It reveals that no matter how diligent an organization is in implementing security measures, the actions of external entities can still pose a significant threat. It also raises concerns about the presence of malicious actors operating covertly within interconnected environments, highlighting the need for heightened vigilance and robust security measures at all levels of the supply chain. 

Expanding Threats have Outpaced the Development of Cybersecurity Talent 

A study conducted by (ISC)² in January 2022 highlighted a global shortage of 3.4 million cybersecurity professionals. Another survey found that more than four out of five companies have fewer than five in-house security analysts, which is insufficient to run a security operations center.

Due to this shortage, organizations have turned to external vendors to fulfill their cybersecurity needs. The attack on 3CX software highlights how vulnerabilities can emerge in an enterprise's software supply chain. 

According to a survey by the Neustar International Security Council, about 73% of information security professionals believe they or their customers are somewhat or significantly at risk due to increased reliance on third-party providers. 

What is a Supply Chain Ecosystem?

A supply chain ecosystem is like a big interconnected network that includes all the different parts involved in getting a product from where it is made to the person who uses it. It's made up of businesses, vendors, suppliers, partners, people, processes, data, and resources that all come together to make the supply chain work. 

Third-party Providers Increase the Exposure to Risks 

In simpler terms, there are not enough cybersecurity experts to keep up with the growing digital threats. Many companies have very few in-house security analysts, so they rely on external vendors for cybersecurity services. 

The attack on 3CX software shows that weaknesses can occur in the software supply chain. A significant number of security professionals feel that integrating with third-party providers increases their exposure to risks. 

To Minimize Risks in the Supply Chain Ecosystem, Enterprises Can Take Several Steps: 

 1. Assess security controls: Ask potential partners about their security practices through standardized questionnaires to understand their level of security. 

 2. Seek third-party evaluations: Engage third-party evaluation services during due diligence to gain additional insights into the security capabilities of potential partners. 

 3. Hold suppliers accountable: Include regular audits, at least annually, in contractual agreements to ensure suppliers meet defined security standards. 

 4. Maintain ecosystem awareness: Continuously monitor and understand the partner ecosystem to stay aware of potential risks and vulnerabilities. 

 5. Implement preventive measures: Enforce security standards that align with or exceed the organization's own practices, ensuring partners adhere to them. 

 6. Develop a strong response strategy: Establish a comprehensive plan for detecting, mitigating, and responding to compromised systems, including those introduced by supply chain partners. 

 7. Employ layered security solutions: Utilize advanced security solutions for endpoints, networks, and protective DNS to actively monitor and block suspicious activities or communications from compromised systems. 

Reducing supply chain risk requires cooperation and shared responsibility among stakeholders. Traditionally, the burden has been placed on individual enterprises to protect themselves, rather than on the parties responsible for releasing insecure software. New strategies should aim to shift the burden onto software vendors, promote secure development practices, and encourage collaboration between vendors and clients to enhance cybersecurity.

Can you escape Cybersecurity? Maybe No

If you are part of an organization with any form of online presence, you will ultimately have to take the initiative to look after the security of its systems, devices, and data. And if determined criminals, who frequently use cyber weaponry originally created by nation-states, do not make you care about your organization's cybersecurity, regulators will.

You Are Only as Safe as Your Suppliers 

In today’s interconnected world, many organizations still do not realize how they are intertwined with their suppliers. 

Almost all the software that organisations use is no longer stored on their own systems. It lives on other servers, in data centres, or in cloud storage.

Moreover, as organisational security shifts rapidly to the software-as-a-service (SaaS) model, an organisation's data becomes more exposed to unauthorised outside access, with the endpoint device, which sits in a location that nobody in the organisation controls, serving as the terminal for that access.

In the wake of the recent trend of supply-chain attacks, or cyberattacks in general, organizations must realize the seriousness of engaging in efficient cybersecurity. 

Listed below are some of the measures an organization can take to reduce the risk of malicious cyber activity in its systems:

1. Recognize The Impact of a Cyberattack on Your Organization 

These are some of the questions an organization must be able to answer:

  • How can a cyberattack affect the organization's goals?
  • How does it impact the outcomes the organization desires?
  • Can a cyberattack change the outcomes the organization aims to achieve on a monthly, quarterly, or annual basis?
  • What risks does a cyberattack introduce?
  • Which organizational assets are at risk?

If the organization does not acknowledge the impact of a cyberattack, it may assume that ticking a few boxes on a "Ways to boost cybersecurity" checklist is enough to keep it safe. That holds only until some cybercriminal discovers the "crown jewel" that is critical to the organization but was left vulnerable because its security was ignored.

2. Establish A Cybersecurity Training Process 

An organization can be kept secure by design if cybersecurity is built into all business processes as early as possible. However, cybersecurity training should not be a one-off event. Security awareness training must be integrated into daily work activities for cybersecurity to become ingrained in employees' mindsets.

3. Identify The Potential Misuse of Your System 

A company's development roadmap may capture its customers' needs while taking no notice of how the organization's own software behaves. Organizations may therefore fail to realize how their software could in fact be misused.

Once a potential abuse is recognized, the company can begin eradicating or minimising it. Threat modeling can be an effective approach for identifying potential misuse, even at the earliest stages of design.

4. Prioritize Cyber Security 

While the buzzword is "shift left," prioritizing cybersecurity in the initial stage of a product's life cycle ultimately saves an organization time and money.

While developers are still adding code to their continuous integration/continuous deployment (CI/CD) pipelines, analysis of the issues introduced by that code and by the third-party libraries it uses can uncover problems before they are baked in.

Dynamic security testing of the finished product then addresses the remaining vulnerabilities. Additionally, having a DevSecOps team that is responsible for cybersecurity is essential when issues are found.
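One "shift left" check of the kind the paragraphs above describe, as an added example that is not from the post or from any vendor it mentions: a small Python gate a CI pipeline can run over a pip requirements lockfile, rejecting third-party dependencies that are not pinned to one exact version or that carry no `--hash`, so a substituted artifact fails the install instead of being baked into the build. The package names, digests and index URL in `SAMPLE` are constructed.

```python
import re

RISKY_OPTIONS = ("--extra-index-url",)   # lets one package name resolve from a second index
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
HASH_RE = re.compile(r"--hash=(sha256|sha512):([0-9a-fA-F]+)")
HASH_LEN = {"sha256": 64, "sha512": 128}   # hex digest lengths pip accepts

def _logical_lines(text):
    """Drop comments and join backslash-continued lines -> (first_line_no, text)."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.split("#", 1)[0].rstrip()
        start = start if buf else no
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        joined, buf = " ".join(buf + [stripped]).strip(), []
        if joined:
            yield start, joined

def check_requirements(text):
    """Return (line, subject, problem) tuples; an empty list means the lockfile passes."""
    findings = []
    for no, line in _logical_lines(text):
        if line.startswith("-"):                      # pip option, not a requirement
            if line.split()[0] in RISKY_OPTIONS:
                findings.append((no, line.split()[0], "second index lets a name resolve elsewhere"))
            continue
        name, rest = SPEC_RE.match(line).groups()
        spec = rest.split("--hash")[0].split(";")[0].strip()   # version part only
        if not (spec.startswith("==") and "*" not in spec and "," not in spec):
            findings.append((no, name, "not pinned to one exact version"))
        hashes = HASH_RE.findall(rest)
        if not hashes:
            findings.append((no, name, "no --hash; a swapped artifact would install silently"))
        for algo, digest in hashes:
            if len(digest) != HASH_LEN[algo]:
                findings.append((no, name, f"malformed {algo} digest"))
    return findings

# Constructed sample lockfile (not from any real project); only 'requests' passes.
GOOD_DIGEST = "0123456789abcdef" * 4
SAMPLE = f"""# constructed build dependencies
--extra-index-url https://pkgs.example.internal/simple
requests==2.31.0 \\
    --hash=sha256:{GOOD_DIGEST}
urllib3>=1.26
certifi==2023.7.22 --hash=sha256:deadbeef
pyyaml==6.*
"""
```

Run it as a CI step that fails the job when `check_requirements` returns anything; `pip install --require-hashes` then enforces the pins it validated.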

Organizations should thus be in charge not only of writing and maintaining code but also of resolving any cybersecurity problems it introduces.