In the U.S., October is officially National Cybersecurity Awareness Month, a month “for the public and private sectors to work together to raise awareness about the importance of cybersecurity.”
To kick off Cybersecurity Awareness Month, we wanted to share some lingering thoughts and perspectives gleaned from Black Hat 2024. We’re still thinking of Danny Jenkins’ keynote at Black Hat 2024, where he highlighted how the software supply chain is now a prime target for malicious actors. (Our technical SMEs also talked about the session in our Zero Day to Every Day podcast.)
Organizations heavily rely on third-party software to streamline operations, enhance productivity, and drive innovation. From cloud-based applications to open-source libraries, these external components have become integral to modern IT infrastructure. However, this reliance also introduces a significant and often underestimated risk: supply chain security. By exploiting vulnerabilities in third-party components, attackers can gain unauthorized access to sensitive data, compromise critical systems, and disrupt business operations. The consequences can be devastating, ranging from financial losses and reputational damage to regulatory penalties and legal liabilities.
Understanding the Risks: Shadow IT and Supply Chain Vulnerabilities
One key contributor to supply chain risks is the rise of shadow IT, where employees use unauthorized software and applications without the IT department’s knowledge or approval. A Gartner study found that 36% of technology spending in organizations is now outside the control of the IT department. This proliferation of unmanaged and unvetted software increases the attack surface and makes it challenging to maintain visibility and control over the software ecosystem.
Still, some of the most famous supply chain attacks did not originate from shadow IT. The 2020 SolarWinds breach remains a well-known supply chain cyber-attack: malicious actors infiltrated the software development process and injected malware into SolarWinds Orion software updates, which gave them access to the networks of numerous high-profile organizations.
A more recent example is the exploitation of the MOVEit vulnerability. Although it was discovered, and patches were released, in 2023, its effects continue: just last week the Centers for Medicare and Medicaid Services (CMS) confirmed that they are a victim of the vulnerability, with data belonging to more than 3 million people compromised. The persistence of unpatched or unremediated vulnerabilities is one reason supply chain cyber-attacks can be so devastating.
The Long-Term Implications of Ignoring Supply Chain Risks
The reputational damage and loss of customer trust can be difficult to recover from. Moreover, compliance or regulatory failures can result in significant financial penalties and legal liabilities, such as fines of up to 4% of global annual turnover under the EU’s Cybersecurity Act.
As noted earlier, agencies and departments within the U.S. government have found themselves victims of these supply chain attacks, too. While there are not yet monetary fines in U.S. regulations, the federal government has released several executive orders and memoranda to guide government contractors and officials when purchasing IT.
In the long run, the impact of supply chain attacks can undermine an organization’s key objectives and ability to innovate. The disruption to operations, data loss, and diversion of resources can hinder agility and flexibility, making it harder to adapt to changing market conditions.
Mitigating the Risks: Application Control and Vulnerability Management
There are several ways to mitigate the risks from supply chain attacks. One key approach discussed in Danny Jenkins’ presentation at Black Hat 2024 is to implement application control measures, which restrict unauthorized software and applications from being installed or executed. This can help prevent shadow IT and limit the attack surface.
Another crucial step is implementing vulnerability management practices, including regular scanning for vulnerabilities in third-party software and prompt patching or remediation of any identified weaknesses. Organizations should also have a process in place to monitor for potential indicators of compromise and respond quickly to any suspected attacks. By proactively addressing these vulnerabilities, organizations can reduce the attack surface and minimize the risk of exploitation.
Furthermore, organizations should prioritize partnering with trusted vendors who have strong security measures in place throughout their software development lifecycle and production environments. This includes robust testing processes, code reviews, and supply chain risk assessments. By carefully vetting and selecting third-party software, organizations can reduce the chances of falling victim to supply chain attacks.
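As an added illustration of the two controls described above (application control and vulnerability management), and not code from the original post or from Syxsense, the following Python triage combines an allowlist check with a version-range vulnerability check over a constructed endpoint inventory. Product names, versions and the advisory feed are placeholders.

```python
from dataclasses import dataclass

# Constructed allowlist of approved third-party software (application control).
# Product names and versions throughout are placeholders, not real products.
APPROVED = {"acme-transfer", "acme-agent", "acme-runtime"}

# Constructed advisory feed: (product, first vulnerable, first fixed, CVSS score).
ADVISORIES = [
    ("acme-transfer", "5.0.0", "5.2.1", 9.8),
    ("acme-runtime", "3.0.0", "3.0.7", 7.5),
]

def parse_version(text: str) -> tuple:
    """Turn '5.2' into (5, 2, 0, 0) so '5.2' and '5.2.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

@dataclass
class Finding:
    host: str
    product: str
    version: str
    issue: str       # "shadow-it" (unapproved software) or "vulnerable"
    priority: float  # CVSS score for vulnerabilities, fixed weight for shadow IT

def triage(inventory: list) -> list:
    """Inventory rows are (host, product, version) tuples from an endpoint scan."""
    findings = []
    for host, product, version in inventory:
        if product not in APPROVED:
            # Application control: software outside the allowlist is shadow IT.
            # It is still checked below, since unvetted software is often unpatched.
            findings.append(Finding(host, product, version, "shadow-it", 5.0))
        installed = parse_version(version)
        for prod, first_bad, first_fixed, cvss in ADVISORIES:
            if prod == product and parse_version(first_bad) <= installed < parse_version(first_fixed):
                findings.append(Finding(host, product, version, "vulnerable", cvss))
    # Highest priority first: a critical unpatched vulnerability outranks shadow IT alone.
    findings.sort(key=lambda f: f.priority, reverse=True)
    return findings

# Constructed scan results: one patched host, one unpatched, one shadow-IT install.
SAMPLE_INVENTORY = [
    ("fileserver-01", "acme-transfer", "5.2.1"),
    ("fileserver-02", "acme-transfer", "5.1.0"),
    ("laptop-17", "acme-sync", "1.4"),
    ("laptop-17", "acme-runtime", "3.0.2"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.priority:>4}  {f.host:<14} {f.product} {f.version}: {f.issue}")
```

The patched host produces no finding because the fixed version is excluded from the vulnerable range, while the unapproved install is reported even though no advisory matches it.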
Syxsense: Your Partner in Proactive Vulnerability Management
Syxsense can strengthen your supply chain security through automated vulnerability management. You can gain real-time visibility into your endpoints, identify and prioritize vulnerabilities across your OS and software applications, automate remediation, and implement granular application control policies.
Take a more proactive approach to your cybersecurity strategy with Syxsense, reducing your attack surface and mitigating the risks posed by vulnerable third-party software and shadow IT. Contact Syxsense today to learn how we can help you safeguard your critical assets.