Access and Feeds

Security: Supply Chain Software Attacks Crack Trust in Vendor Software

By Dick Weisinger

The number of cyberattacks via software supply chains experienced double-digit percentage jumps in 2021, according to a study by the Identity Theft Resource Center (ITRC).

Eva Velasquez, CEO of the ITRC, said that “while the number of data compromises is only up slightly, the rise in supply chain attacks is troubling. Supply chain, phishing, and ransomware attacks reflect a broader trend that cyber criminals want to exploit multiple organizations through a single point-of-attack.”

A supply chain attack occurs via third-party infiltration, usually when a partner or provider inadvertently infects a network or computer system via a virus or malware. The SolarWinds attack in 2021 was an example of how malware embedded into a vendor’s software product can penetrate the networks using the product. In that incident, as many as 18,000 customers were affected.

David White, president of the cybersecurity firm Axio, said that “we’re more and more reliant on internet-connected management tools. These tools have tremendous power and rights inside our network. Are we sure they’re sufficiently protected themselves?”

Historically, malware and security have played a cat and mouse game. Every time hackers find an hole in the software that gave them access, vendors quickly follow up by patching their software to fix the problem. But now even the security of patches is being called into question. Dale Gonzalez, chief product officer at Axio, said that “the advice has always been patch, patch, patch, patch, patch. Do it automatically, do it as fast as you can, because we wanted a vehicle for resolving known security vulnerabilities as fast as we could.”

Nick Weaver, a security researcher at UC Berkeley’s International Computer Science Institute, said that “supply chain attacks are scary because they’re really hard to deal with, and because they make it clear you’re trusting a whole ecology. You’re trusting every vendor whose code is on your machine, and you’re trusting every vendor’s vendor.”

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Leave a Reply

Your email address will not be published.

*

five × 1 =