BACKGROUND:
The European Union Agency for Cybersecurity (ENISA) has found that 66% of supply chain attacks focus on the supplier's code. Supply chain attacks have concerned cybersecurity experts for many years because the chain reaction triggered by a single attack on one supplier can compromise an entire network of providers. Malware is the attack technique used in 62% of attacks, according to the new ENISA report Threat Landscape for Supply Chain Attacks, which analyzed 24 recent attacks. ENISA says strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. This is evidenced by the increasing impact of these attacks, such as system downtime, monetary loss, and reputational damage.
Traditionally, cybersecurity incidents have involved direct attacks between malicious actors and their victims. The Threat Landscape for Supply Chain Attacks report highlights an important shift in cybercriminals' tactics: indirectly targeting victims through the software of their trusted third-party suppliers and service providers. With businesses becoming increasingly reliant on complex software supply chains, this is an important trend to follow, and one that should be factored into any cyber-risk management plan. Its importance is underscored by the report's finding that two thirds of the software suppliers were unaware that they had been compromised. Given the emphasis most software companies place on application security practices, this lack of awareness points to a gap in the process: a gap where threat models likely need revising to account for how software supply chains work, and one that calls for an objective review of security initiatives against a taxonomy such as the one maintained by the BSIMM community.