3CX Supply Chain Attack Reveals a Deeply Buried Threat in Your Environment
In March 2023, 3CX disclosed a supply chain attack that was later found to have an unusual origin: another company's supply chain attack. The root of this "Inception"-style attack, a supply chain compromise nested inside another one, was further removed than anticipated, and the scenario has rattled information security professionals. The implication is that the security of the software an organization runs may be far outside its control, even when it does everything right. This realization is worrisome given the many interdependencies in today's world. A large-scale attack can propagate like a virus, spreading from one origin point and moving from one connected community to another. This report dives into how this came to be, the aftermath, and the measures organizations can take to reduce the associated risks.
The Accelerating Rate of Digitization and the Expanding Threat Landscape
The development of security talent has not kept pace with the accelerating rate of digitization and the expanding threat landscape of recent years. (ISC)²'s 2022 "Cybersecurity Workforce Study" reveals a "worldwide gap of 3.4 million cybersecurity workers." In another survey, over 80% of organizations had fewer than five in-house security analysts, or not enough to staff their security operations center (SOC). These gaps push organizations toward external vendors for essential services, and the 3CX attack highlights how that dependency lets vulnerabilities enter an enterprise's software supply chain. In addition, a recent Neustar International Security Council survey shows that almost 73% of information security professionals believe they or their customers were somewhat or significantly exposed due to increased integration with third-party providers.
New Rules for Managing Supply Chain Security Risks
There are several ways enterprises can reduce risk in their supply chain ecosystem. Standardized Information Gathering (SIG) questionnaires can be used to understand the security controls potential new partners have in place. Third-party evaluation services can be engaged to provide an additional perspective during due diligence. Suppliers that win a contract must adhere to clearly defined security standards, with audits required at least annually. This ensures that suppliers meet their obligations and maintain controls that reflect current best practice. Organizations must maintain a complete picture of their partner ecosystem by implementing more rigorous preventive measures and contractually obligating partners to hold themselves to security standards equal to or greater than those applied to the enterprise itself. While these preventive measures are effective, they do not eliminate risk. Sound strategies for visibility, detection, and mitigation of compromised systems are vital, because compromised machines periodically beacon out to their command-and-control servers for further instruction. Layered endpoint, network, and protective DNS security solutions can proactively monitor for that beaconing and block it, notifying security operations in the process.
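Beaconing is detectable precisely because it is regular: an implant that calls home every few minutes produces a sequence of queries to the same domain with nearly constant gaps, while human browsing does not. The following Python script is an added example written for this article, not code from 3CX or from any vendor mentioned here. It parses a constructed DNS resolver log (the log format, IP addresses, domains and timestamps are all made up for illustration), groups queries by client and domain, and flags pairs whose inter-query intervals have a low coefficient of variation. The threshold values and the allowlist are assumptions to be tuned per environment.

```python
"""Flag periodic beaconing in DNS resolver logs by interval regularity.

Added example, not part of the original article. Every host, domain and
timestamp below is constructed; the log format is a simplified
"timestamp client domain" line, one query per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. 10.0.0.5 queries update.example.net roughly every
# 300 s with a few seconds of jitter (implant-like). 10.0.0.7 browses
# irregularly and also syncs time every 600 s (legitimate, but just as
# regular as an implant, which is why an allowlist is needed).
SAMPLE_LOG = """\
2023-03-29T08:00:00 10.0.0.5 update.example.net
2023-03-29T08:00:00 10.0.0.7 time.example.org
2023-03-29T08:01:10 10.0.0.7 www.example.com
2023-03-29T08:01:12 10.0.0.7 www.example.com
2023-03-29T08:05:02 10.0.0.5 update.example.net
2023-03-29T08:07:45 10.0.0.7 www.example.com
2023-03-29T08:09:58 10.0.0.5 update.example.net
2023-03-29T08:10:00 10.0.0.7 time.example.org
2023-03-29T08:12:30 10.0.0.7 cdn.example.com
2023-03-29T08:15:01 10.0.0.5 update.example.net
2023-03-29T08:20:00 10.0.0.5 update.example.net
2023-03-29T08:20:00 10.0.0.7 time.example.org
2023-03-29T08:24:59 10.0.0.5 update.example.net
2023-03-29T08:30:00 10.0.0.7 time.example.org
2023-03-29T08:30:03 10.0.0.7 www.example.com
2023-03-29T08:31:00 10.0.0.7 www.example.com
"""


def parse_log(text):
    """Group query timestamps by (client, domain); blank/comment lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, domain = line.split()
        key = (client, domain.lower().rstrip("."))
        events[key].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_events=4):
    """Return (mean_interval_s, coefficient_of_variation) for a timestamp list.

    Returns None when there are too few events to judge regularity. The
    coefficient of variation (stdev / mean) is scale-free, so a 5-minute
    beacon and a 5-hour beacon with the same relative jitter score alike.
    """
    if len(timestamps) < min_events:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_events=4, max_cv=0.15, allowlist=()):
    """Return suspected beacons, most regular first.

    max_cv=0.15 (assumed) tolerates the jitter most implants add; raise it to
    catch sloppier schedules at the cost of more false positives. allowlist
    holds domains known to poll on a schedule (time sync, update checks).
    """
    hits = []
    for (client, domain), stamps in parse_log(text).items():
        if domain in allowlist:
            continue
        score = beacon_score(stamps, min_events)
        if score is None:
            continue
        interval, cv = score
        if cv <= max_cv:
            hits.append({
                "client": client,
                "domain": domain,
                "count": len(stamps),
                "interval_s": round(interval, 1),
                "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG, allowlist={"time.example.org"}):
        print(f"{hit['client']} -> {hit['domain']}: {hit['count']} queries, "
              f"~{hit['interval_s']} s apart, cv={hit['cv']}")
```

Two caveats a practitioner should keep in mind. First, legitimate software (time sync, telemetry, update checks) beacons just as regularly as malware, so the output is a triage queue, not a verdict; pair it with domain reputation, age, and the process that issued the query on the endpoint. Second, the check only sees traffic that traverses the monitored resolver, so an implant using a hard-coded IP, DNS over HTTPS to a third-party resolver, or a long sleep between check-ins will not show up in resolver logs at all, which is why the article recommends endpoint and network layers alongside protective DNS.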
Cooperation is Required to Continue Making Progress
Historically, the victim has borne the burden of reducing supply chain risk: individual enterprises are expected to prevent their own compromise, rather than the parties responsible for releasing insecure software. It is time for that paradigm to shift. The Biden Administration's National Cybersecurity Strategy aims to recalibrate this dynamic and move security responsibility onto vendors. The strategy has five pillars, with the third focusing on "shaping market forces to drive security and resilience." Today, software makers can fully disclaim liability by contract; the strategy observes that this removes much of the incentive to build security into the development life cycle from the earliest stages of product development, and it proposes shifting liability onto vendors that fail to take reasonable precautions. The objective is to compel investment and push vendors to follow secure-by-design principles and perform pre-release testing.
Conclusion
In today’s hyperactive threat landscape, it is essential for supply chain vendors to work together with enterprise clients to identify and address breaches. Vendors investing in sound design and committing to transparency will help their clients reduce their risk exposure and operate with confidence. Good cybersecurity hygiene is everyone’s responsibility, and forging a shared accountability dynamic is not only a good idea but the right thing to do.