Large organizations in both the public and private sector routinely work with subcontractors for everything from the supply of manufactured components to the supply of custom computer code. For example, government agencies may contract with software development companies for the supply of code used in U.S. defense systems. In some cases, a software supplier may be a large company with its own information security department, but in other cases the supplier may simply be a small group of highly specialized coders. Smaller organizations like this often lack robust cybersecurity and present a true vulnerability. Cyber criminals hack into the systems of smaller suppliers as means of gaining access to government and large corporate networks. Often cyber criminals may insert malicious code into software that is then subsequently supplied to government agencies or large private corporations.
Supply Chain Vulnerabilities
A software supply chain breach can occur when a malicious code is added to what is considered a “friendly” or trusted application. When the seemingly innocuous trusted program is opened, the malicious code is unwittingly uploaded to the network. In this way, hackers gain access to the network by contaminating the trusted application. In late 2018, the Department of Defense's travel record system was breached, exposing the personal information of 30,000 employees. This breach was ultimately attributed to the hacking of a third-party vendor that managed the system. In another example, smartphones manufactured by ZTE and Huawei were found to be pre-loaded with intelligence-gathering software. These malware-infected phones were thought to be developed as a means of gaining entry to U.S. government systems.
Some cyber criminals will exploit defects within software to gain access to networks. Software assurance is a strategic initiative of the U.S. Department of Homeland Security to promote integrity, security and reliability in software. Software assurance continues to grow in importance due to the increasing number of reported cyber attacks attributed to exploitable software or system dependence on compromised software. New vulnerabilities can also result from the use of legacy software in combination with other applications or in new environments.
Game Plan for CISOs
In today’s third-party supplier-filled landscape, CISOs must be extra diligent in fortifying their companies’ cyber defenses. A 2018 report by the Ponemon Institute indicated that 61% of surveyed U.S. organizations experienced a data breach caused by a third-party vendor. In the current environment of ever-growing cyber threats, it is only practical to assume all components of your organization’s supply chain are at risk. The National Institute of Standards and Technology (NIST) recommends implementing a comprehensive roadmap for cyber defense comprised of the following five critical functions: 1) identify 2) protect 3) detect 4) respond and 5) recover.
Preventing cyber attacks largely depends on having ready access to the right tools at the right time. Supply chain vendors need cyber solutions that are robust but affordable and easy to set-up and deploy. GoSilent is highly flexible and does not require specialized support to deploy or operate. GoSilent technology works with any IP-enabled device from the newest applications to legacy systems and reliably locks down access to corporate networks. Learn more about Attila’s GoSilent products and next-generation edge security.