The Next Software Supply Chain Attack Is Imminent, So How Do We Prepare for It?


By Idan Wiener, Co-founder and CEO of illustria

The world of cybersecurity was rocked by the SolarWinds hack, a significant event because it demonstrated the potential for supply chain attacks to be used to gain access to a wide range of organizations.

With these kinds of attacks, hackers target a company or service that is used by many other organizations in order to gain access to those organizations through the compromised company or service.

In the case of SolarWinds, the attackers were able to gain access to the networks of various organizations by compromising the software updates that were provided by the company.

The Rise of Supply Chain Attacks

Supply chain attacks have been on the rise in recent years, with an increasing number of articles and cases highlighting this new form of cybersecurity threat. As Shaun McAlmont, CEO of Ninjio, says: “Because today’s supply chains are highly interconnected, a threat to one partner (a third-party vendor, for instance) constitutes a threat to the entire supply chain”.

However, many companies are still unprepared to address these risks, with fewer than half having identified their most vulnerable third-party systems and components.

According to a recent study by Ivanti, 35% of organizations plan to address these vulnerabilities in the next year, while 46% rate supply chain threats as “high” or “critical” for 2023. It is clear that we must act now to fortify our supply chains and protect against these threats, and collaboration will be key to achieving this goal.

Supply Chain Attacks Predicted by Gartner’s Crystal Ball

Gartner has ranked supply chain attacks as the top threat for 2023 and emphasizes the importance of building effective security controls to manage these risks. In 2023, supply chain cybersecurity risks must be addressed as a socio-technical challenge.

Ivanti Report — Growing Area of Concern

According to Ivanti’s 2023 Cybersecurity Status Report, only 47% of organizations have identified the third-party systems and components that are most vulnerable in their software supply chain. However, 35% plan to address this risk in the next year. In addition, 46% of organizations rate supply chain threats as “high” or “critical” for 2023.

This highlights the need for companies to prioritize addressing vulnerabilities in their supply chains and take steps to protect against potential threats.

ENISA Top Emerging Cybersecurity Threat

According to a report by ENISA, supply chain compromise of software dependencies is ranked as the number 1 emerging cyber security threat for 2030. This highlights the importance of protecting against attacks in the software supply chain, particularly with regard to software dependencies, in order to mitigate potential threats in the coming years.

Software Supply Chain Attacks Aren’t Vulnerabilities

“So, supply chain attacks are not vulnerabilities?” I heard fewer CISOs asking this question in 2022 than in 2021, which is a good sign.

However, there is still a need for market education here as well. We are in a new era in which developers themselves are already under attack.

Vulnerabilities are flaws in software or systems that attackers can exploit to gain unauthorized access or perform malicious actions. They occur in both proprietary and open-source software and may be discovered by hackers or by security researchers. Malicious code deliberately embedded in software, on the other hand, is not a flaw; it must be urgently removed.

Supply chain attacks and vulnerabilities are both tactics used by hackers to gain access to systems or organizations, but they differ in their methods and potential impact.

Supply chain attacks can potentially affect a large number of organizations at once, while vulnerabilities may only impact a single organization or a small group of users. It is important for organizations to be aware of and protect themselves from both supply chain attacks and vulnerabilities.

We’re All In This Together!

In 2023, CISOs will begin to rely heavily on open-source software while their organizations lack robust processes for verifying the authenticity and security of software updates and other products, so they may be particularly concerned about supply chain attacks.

To defend against such supply chain attacks, CISOs may recommend implementing additional safeguards, such as updating and patching vulnerabilities regularly and implementing strong authentication protocols.
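As an added illustration of one such safeguard, the following Python script (written for this page, not the article's or illustria's code) checks a delivered update bundle against a pinned manifest of SHA-256 digests and sizes before anything is installed. The manifest format, the file names and the file contents are constructed for the example; a real release process would obtain the manifest out-of-band, for instance from a signed release record or a lockfile, so that an attacker who tampers with the download cannot also rewrite the pins.

```python
import hashlib
import hmac

# Constructed example manifest, one entry per line: "<name> <sha256-hex> <size-in-bytes>".
# In practice this would be published by the vendor separately from the bundle itself.
PINNED_MANIFEST = """\
# update 1.2.3, hypothetical product
agent-core.bin 5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5 5
plugin-a.so 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae 3
"""

# Constructed update bundle as delivered: file name -> file contents.
UPDATE_BUNDLE = {
    "agent-core.bin": b"12345",
    "plugin-a.so": b"foo",
}

HEX_DIGITS = set("0123456789abcdef")


def parse_manifest(text):
    """Parse the pinned manifest into {name: (sha256_hex, size)}.

    Malformed lines raise ValueError so that a corrupted manifest fails closed
    instead of silently pinning nothing.
    """
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"manifest line {lineno}: expected 'name sha256 size'")
        name, digest, size = parts
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: bad sha256 for {name}")
        if name in pins:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        pins[name] = (digest, int(size))
    return pins


def verify_bundle(bundle, pins):
    """Compare a bundle against the pins; return a list of findings.

    An empty list means every pinned file is present with the expected size
    and digest and nothing unexpected was delivered. Any finding should stop
    the installation.
    """
    findings = []
    for name, (expected_digest, expected_size) in pins.items():
        if name not in bundle:
            findings.append(f"missing: {name}")
            continue
        data = bundle[name]
        if len(data) != expected_size:
            findings.append(f"size mismatch: {name}")
        actual_digest = hashlib.sha256(data).hexdigest()
        # Constant-time comparison; both values are ASCII hex strings.
        if not hmac.compare_digest(actual_digest, expected_digest):
            findings.append(f"digest mismatch: {name}")
    # Files the manifest never mentioned are just as suspicious as altered ones.
    for name in sorted(bundle):
        if name not in pins:
            findings.append(f"unexpected file: {name}")
    return findings


def check_update(bundle, manifest_text=PINNED_MANIFEST):
    """Convenience wrapper: True only if the bundle matches the pins exactly."""
    return verify_bundle(bundle, parse_manifest(manifest_text)) == []


if __name__ == "__main__":
    print("genuine bundle ok:", check_update(UPDATE_BUNDLE))
    # Constructed tampered bundle: one byte flipped in the core binary, plus a dropped-in extra file.
    tampered = dict(UPDATE_BUNDLE, **{"agent-core.bin": b"12346", "helper.sh": b"x"})
    for finding in verify_bundle(tampered, parse_manifest(PINNED_MANIFEST)):
        print("reject:", finding)
```

The installer should treat any non-empty findings list as a hard stop; a pin check that merely warns gives no protection against a compromised update channel. Pinning digests does not by itself prove who produced the bundle, so it complements rather than replaces signature verification of the manifest.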

Unfortunately, it is already too late.

The leading open-source security vendors combine top-tier technology with the mindset of a potential attacker to predict the next attack via open source. The power of joint forces became apparent to me after a long research project with another vendor.

More and more vendors should come to the table and work together as hackers do, and that’s the only way to win the war at this point.


Idan is the Co-founder and CEO of illustria, which offers a proactive security solution that repels malicious code components and prevents them from compromising development processes and company computers. Idan has vast experience in both startup and corporate environments, with exposure to international markets. Idan served seven years as a Captain at the Israeli Naval Academy, leading soldiers and officers in complex classified operations.



Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.