Black Hat 2021 took place online and in Las Vegas this month, the first hybrid event in its 24-year history. Unsurprisingly, a major topic of conversation was supply chain security. Why are supply chain attacks on the rise, and what steps can organizations take to protect themselves?
Thanks to the increasing complexity of software environments, supply chain attacks have been a major challenge for cybersecurity professionals over the last several years. Third-party dependencies, the enormous depth and scale of modern tech stacks, and the new requirements of cloud-based business have all contributed to this complexity. As your business expands, you risk exposing entry points for bad actors seeking to compromise your network.
Of course, the untold complications of the pandemic have made it even more difficult to ensure the integrity of the software supply chain. During this year’s event, numerous sessions and keynote speakers focused on the importance of preventing supply chain attacks.
A question worth asking is: Who is responsible for supply chain attacks? Remote work, BYOD policies, and internationally distributed teams demand a whole new approach to cybersecurity that focuses on securing applications and resources rather than network perimeters. In these conditions, everyone bears part of the responsibility for an organization’s cybersecurity posture. The real question is: Who’s responsible for security when everyone’s responsible?
Supply chain attacks are on everyone’s mind
Incidents like the SolarWinds breach, the Colonial Pipeline attack, and the Kaseya attack remind us that supply chain attacks can have devastating and far-reaching consequences, from brand erosion to heavy fines for noncompliance with data security laws.
Supply chain attacks can also threaten national security. The White House’s Executive Order on Improving the Nation’s Cybersecurity called on organizations to implement Zero Trust security as soon as possible. Government agencies are already following President Biden’s directive to implement Zero Trust security through network segmentation, and the White House has urged private companies to follow suit.
Supply chain attacks have become more common and more devastating since the beginning of 2020, but they’ve always been a threat. In conversation with Black Hat Founder Jeff Moss and several members of the Black Hat Review Board, cybersecurity expert Kymberlee Price pointed out that companies have understood the need to secure the supply chain and protect open-source environments since at least 2014, but until more recently, these risks seemed more theoretical than concrete.
Protecting against supply chain attacks has been seen as complicated, resource-intensive, expensive, and slow to deliver ROI, further discouraging companies from investing in their cybersecurity infrastructure. As a result, most organizations are behind where they need to be when it comes to supply chain attacks and vulnerabilities in their open-source networks.
New and expanding attack surfaces introduce vulnerabilities
Another topic of conversation across sessions at Black Hat 2021 was new and expanding attack surfaces: for instance, Microsoft Exchange Server exposing a new and much larger attack surface through Client Access Services (CAS). Exchange architecture is wildly complex, so vulnerabilities proliferate. Legacy protocols like those employed by CAS, including some extremely outdated ones such as IMAP4 and POP3, expand the surface area, exposing new weak points that attackers hurry to exploit.
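One practical way to shrink the CAS surface described above is to find out which mailboxes still have the legacy POP3/IMAP4 protocols enabled and, where nothing depends on them, turn them off. The script below is an added example, not code from the original post or from ColorTokens; it assumes it is run from an Exchange Management Shell on an on-premises Exchange Server, and that the `-WhatIf` switch is removed only after the report has been reviewed.

```powershell
# Added example: audit and reduce legacy POP3/IMAP4 exposure on Exchange CAS.
# Assumes an Exchange Management Shell session on an on-prem Exchange Server.

# 1. Report every mailbox that still has POP3 or IMAP4 switched on.
$legacyEnabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Name, PopEnabled, ImapEnabled

Write-Host ("Mailboxes with POP3 or IMAP4 enabled: {0}" -f $legacyEnabled.Count)
$legacyEnabled | Format-Table -AutoSize

# 2. Show whether the POP3/IMAP4 services are even running on this server.
Get-Service -Name MSExchangePOP3, MSExchangeIMAP4 |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 3. Disable the legacy protocols per mailbox. -WhatIf keeps this a dry run;
#    remove it only once the report above has been reviewed against real usage.
foreach ($mbx in $legacyEnabled) {
    Set-CASMailbox -Identity $mbx.Name -PopEnabled $false -ImapEnabled $false -WhatIf
}

# 4. If no mailbox needs them, stop the listeners so the ports are not exposed at all.
#    (Dry run again; remove -WhatIf to apply.)
Stop-Service -Name MSExchangePOP3, MSExchangeIMAP4 -WhatIf
Set-Service -Name MSExchangePOP3, MSExchangeIMAP4 -StartupType Disabled -WhatIf
```

Before switching the protocols off, enable protocol logging (`Set-PopSettings -ProtocolLogEnabled $true` and `Set-ImapSettings -ProtocolLogEnabled $true`) for a period so the logs confirm which clients, if any, still rely on them.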
Another refrain at Black Hat was the multitude of risks inherent in open-source software (OSS) environments. OSS has the potential to introduce so many risks that not all vulnerabilities can be patched promptly—or at all. Vendors along the supply chain have been making their own tweaks and customizations, thereby introducing vulnerabilities. To effectively secure their businesses, organizations that rely on OSS environments need to address a huge number of diverse OSS vulnerabilities. Without a mechanism to seal these gaps, organizations are spending vast amounts of time and energy on risk management.
How do organizations address these challenges? Asset management is a great place to start.
Asset management is a cybersecurity must
You’ve probably heard the expression “You don’t know what you don’t know.” By extension, it’s true that you can’t protect assets in your network if you don’t know they’re there. During a discussion between Moss and several Review Board members, asset management emerged as a critical consideration for organizations trying to prevent supply chain attacks resulting from OSS or Microsoft Exchange vulnerabilities.
Plenty of companies—at ColorTokens, we’d venture to say most—don’t know exactly what’s in their software environments. With mergers and acquisitions, a fact of life in many industries, you might acquire different parts of various systems piecemeal without carefully vetting or even noticing what you’re adding to your network.
As new business needs arise, you add new tools, systems, and users—all of which have the potential to introduce vulnerabilities. And what about third-party vendors, partners, and even customers who might have access to your network? There’s no way of knowing how secure their networks are today or will be tomorrow.
The bottom line: As your business grows and scales, you inevitably introduce vulnerabilities. That’s why asset management is an integral part of any modern cybersecurity architecture, along with micro-segmentation solutions that reduce attack surface, restrict lateral movement, and contain breaches.
Black Hat 2021 made it clear that recent events have spurred government organizations and companies alike to pay more attention to supply chain attacks and other threats. As a result, many organizations have already begun implementing Zero Trust security to protect their environments, whether on-prem, cloud-based, hybrid, or multi-cloud.
Zero Trust security is one of the most talked-about approaches in 2021, with good reason: implementing Zero Trust can secure your hybrid, multi-cloud, OS, or on-prem environment without disrupting business operations or compromising ease of use. And implementing Zero Trust might be easier than you think, especially with our award-winning Zero Trust platform.