An article in Forbes by Tony Bradley, “Supply Chain Attacks Increase as Cybercriminals Focus on Exploiting Weak Links,” concerns the results of a recent survey sponsored by CrowdStrike® and conducted by independent research firm Vanson Bourne. The global study surveyed 1,300 senior IT decision-makers and IT security professionals in the United States, Canada, United Kingdom, Mexico, Australia, Germany, Japan and Singapore, across major industry sectors.
The article states that because organizations have invested more heavily in technology to protect their data and networks, cybercriminals must find innovative ways to circumvent those defenses — including exploiting vulnerabilities in the software supply chain. The article cites numerous findings in the survey that support this argument, such as:
- 87 percent of organizations that suffered an attack had either a full security strategy or a response plan in place.
- 90 percent confirmed financial loss because of an attack — those losses averaged $1.1 million.
- Despite the losses, only 37 percent of respondents in the U.S., U.K. and Singapore reported vetting all software suppliers.
The article also discusses why software supply chain attacks are such an attractive vehicle for threat actors. One factor is that smaller software vendors are more likely to bypass the robust security processes used by larger manufacturers, such as the security development lifecycle (SDLC). Yet organizations continue to assume that the smaller vendors they use adhere to the same security practices as large enterprises. As Bradley points out, this isn't always the case.
The risk of a supply chain attack in DevOps and container environments is also addressed in the article, as cybercriminals exploit the use of open source code in DevOps and containerized applications. As the article points out, traditional security tools and best practices focus primarily on detecting and stopping unwanted applications, which makes it easy for attackers to slip malicious code into an app that's already trusted by the organization. This was seen in several attacks last year, including the PyPI attack targeting Python developers.
The article closes with some tips for defending against software supply chain attacks, including the following:
- With 71 percent of survey respondents indicating their organizations don’t fully vet software suppliers, companies need to compensate by ensuring they invest in next-gen technologies that use behavioral analysis.
- Organizations need to use more proactive measures to evaluate the effectiveness of their cybersecurity, such as pen testing and tabletop exercises.
- Finally, organizations need to recognize how sophisticated the adversaries are and be vigilant about applying cybersecurity best practices and the right technologies.
The author closes with wise advice for any organization: “It’s up to you to implement sufficient due diligence to ensure that the code and tools you use meet the same standard for security that you expect inside your own network.”
- Read the article in Forbes.
- Get the supply chain survey report, Seizing Control of Software Supply Chain Security.