Managing the Security Risks of Outsourced Software

Imagine if you, a security-conscious homeowner, decided to get new locks installed at your home to keep out potential burglars. You hire a locksmith who installs a brand new front and back door lock, assuring you that it’s one of the best locks available on the market today. But, a few weeks later, your house is broken into; not through a window being broken or a lock being forced, but via your brand new front door lock being unlocked in the middle of the night, allowing thieves into your home.

A later police investigation reveals the shocking truth: your trusted locksmith kept a master key at their home, which was subsequently stolen, allowing the robbers to open any door that key covered.

That’s not an exact analogy for the 2020 SolarWinds hacking incident. But it’s not a million miles away, either.

Taking place at the end of last year, an “outside nation-state” believed to be Russia targeted SolarWinds, a North American tech company that provides network monitoring software to several of the largest US government agencies and companies. The attackers broke into SolarWinds’ systems and inserted malicious code into the company’s software, which was then sent out to customers this year as seemingly legitimate software updates.

Companies that dutifully installed these updates unwittingly created backdoors to their own systems, which opened them up to future attacks by way of malware distribution and more. In all, potentially 18,000 customers were exposed as a result of the attack.

By comparison, the master key for one single local locksmith suddenly doesn’t sound so bad!

The importance of cyber security platforms

The SolarWinds incident was a reminder of the importance of a good cyber security platform, and also of just how common it is for companies to rely on outsourced software. Whether it’s security systems or word processing apps, companies frequently rely on software that they didn’t build from the ground up. While SolarWinds remains one of the more recent reference points, it’s not the only one.

Several years ago, cyber attackers stole 40 million credit and debit card numbers, along with 70 million additional records, by hacking a small air conditioning and heating company that worked with retail giant Target. The contractor’s systems were breached via malware originating from a phishing email, and this minor breach was used to enable a much bigger one: remotely connecting to Target’s network and, among other systems, its PoS (point-of-sale) payment card readers. This is just one more example of an extremely damaging trend of attacks on supply chain companies, whose effects wind up being felt — often very painfully — downstream.

In short, third-party tools carry security risks. Unfortunately, there’s still plenty of room for improvement when it comes to alleviating this concern. A recent survey of 173 cyber security and IT professionals found that 27 per cent — more than one in four — are worried about security issues related to outsourced applications. That is 2 percentage points more than expressed the same concern in a similar survey last year. That suggests that, despite the increased focus on cyber security due to the world’s increased reliance on digital infrastructure during the pandemic, not enough has been done to address this issue. If anything, concern surrounding it is only getting worse.

Use the right safeguards

Organizations should make sure that they take the right precautions when it comes to protecting against vulnerable external software. Fortunately, security platforms exist which can help to effectively manage supply chain security risks. These can help to remediate risk and stop attacks in their tracks before they are able to escalate. There are plenty of tools that users should be aware of — ranging from Runtime Application Self-Protection (RASP) products that can block attacks as they happen to Data Loss Prevention (DLP) and data security systems that can mitigate the exfiltration of data. Seek out cyber security experts who can advise you on the right ones to deploy.

It’s highly unlikely that companies are going to stop relying on outsourced software any time soon. Given the obvious benefits to using these tools, rather than developing everything from scratch, this is no surprise.

Steps can be taken to practice good due diligence when selecting vendors, especially when there is a considerable risk associated with a possible hack. However, all it takes is one weak link in the chain for a devastating cyber attack to take place. As a result, it’s essential that organizations step up to the plate and deploy their own security measures rather than assuming that their supply chain of vendors and services will take care of this for them.

It’s an invaluable lesson that, hopefully, companies and other organizations don’t need to learn the hard way.
