This is the second in our ongoing series of blog posts discussing the seven key trends identified in the Gartner report released last March to its clients, “Top Trends in Cybersecurity 2022.” You can read the previous post here.
In December of 2021 there was widespread reporting on a vulnerability discovered in Log4J, a widely implemented Java-based event-logging utility. This was the first time that the general public became aware of digital supply chain risk. The compromise of SolarWinds’ Orion product was another supply-chain attack that affected a huge number of public- and private-sector organizations.
From the attackers’ point of view, supply chain attacks are brilliant, efficient, and — it turns out — highly profitable. The idea is that if you can compromise a bit of code that is commonly used by developers as a building block for their own apps and other digital products — such as open-source libraries, utilities, and so on — you can gain access to a wide variety of target networks.
An analogy might be if terrorists were able to poison the supply of high-fructose corn syrup at the manufacturing stage. That’s not something consumers buy directly, but it’s used as an ingredient in a vast number of processed foods that many millions of people consume every day. The results would be catastrophic.
Client-side attacks are a specific type of supply chain threat that is particularly difficult to combat. They result from the very common practice of developing web apps that call external, third-party scripts, libraries, or other software components as they are run — meaning, after they have been downloaded into a client browser. If these external components have been compromised, the resulting attack takes place entirely within the user’s system. On the server side, there is no indication of compromise, making detection challenging.
According to Gartner’s predictions, by 2025, 45% of organizations worldwide will have experienced digital supply chain attacks, compared to 15% in 2021. This makes it imperative for every organization that participates in these supply chains to implement measures to mitigate risks. Unfortunately, that is not so easy.
From a purely technical standpoint, it is possible to reduce risk through the use of an advanced web application and API protection platform such as Barracuda Cloud Application Protection. When integrated into the development process, these solutions can monitor your apps to prevent the use of third-party components that are known to be compromised, based on frequently updated threat intelligence data. They can also automate complex Content Security Policy (CSP) and Subresource Integrity (SRI) configuration tasks to reduce errors and increase protection on the client side.
In the long run, however, technical solutions alone will not be sufficient to effectively combat supply chain attacks. The ultimate goal is to significantly reduce the chances of a successful attack for all bad actors — to the point where the balance of effort to payoff is such that they are no longer motivated to pursue them.
Evolving business practices
The U.S. National Institute of Standards and Technology (NIST) has recently updated its publication “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”. Intended for an enterprise audience, it provides a long list of recommendations for how to manage software supply chain risk. Effective cybersecurity controls and practices such as advanced access security, automated incident response, frequent security audits, etc., are fundamental.
Just as important, however, are recommendations that amount to a significant enhancement to procurement practices. Basically, security considerations must be built into every contract and agreement between suppliers and their customers, so that a high degree of confidence can extend all the way up the supply chain. This also requires developing a dependable system for rating the reliability and security of potential business partners.
At the more granular level of app development teams, awareness of the potential risks has to be built into every process. As Gartner’s press release puts it:
“Digital supply chain risks demand new mitigation approaches that involve more deliberate risk-based vendor/partner segmentation and scoring, requests for evidence of security controls and secure best practices, a shift to resilience-based thinking and efforts to get ahead of forthcoming regulations.”
The end of siloed security
As we’ll see repeatedly as we go through Gartner’s seven key cybersecurity trends, the highest-level takeaway is that security can never again be conceived as a matter of simply identifying potential attack vectors and applying individual point security solutions to each of them.
Going forward, every business unit must build security and resilience into all its processes, and all employees must be aware of the security and resilience implications of their roles.
Tony Burgess is a twenty-year veteran of the IT security industry and is Barracuda’s Senior Copywriter for Content and Customer Marketing. In this role, he researches complex technical subjects and translates findings into clear, useful, human-readable prose.
You can connect with Tony on LinkedIn here.