Many organizations still depend on a traditional approach to cybersecurity, relying heavily on perimeter protection to defend against external cyberattacks. One of the reasons for this is that threats have grown in number and sophistication, and consequently CISOs and IT managers have been forced to dedicate much of their workload just to mitigating them.
Yet this approach has been shown to be insufficient: threats don’t just come from external cyberattackers, or even from insiders such as the company’s own personnel, as we have discussed previously; malware can also enter through the organization’s own supply chain.
A wide range of vectors
The supply chain consists of the system comprising the entities, personnel, activities, information, and resources involved in delivering a product or service and, therefore, is often more than a single organization, as it is unusual for one company to cover all the links in the chain (from the collection of resources or information to the final sale). That’s why cybersecurity threats in the supply chain can take many forms depending on the element they use as an attack vector. Some of the most common are:
- Network, computer, or system hardware that an organization purchases but which is counterfeit and contains malware.
- Legitimate hardware on which a third party has installed malware before it reaches the organization.
- Vulnerabilities in apparently secure applications and networks that are exploited by attackers.
- Third parties from outside the organization, but that legitimately have partial or total access to its systems as they are responsible for part of the organization’s processes (suppliers of goods or services, partners, etc.).
This last point is one of the most common. In fact, according to a study by Ponemon Research, Cost of a Data Breach Report 2020, for 51 percent of organizations that made an insurance claim after a cyber incident, a third party was involved, generally an organization such as a partner or technology service provider. One recent example was the cyberattack on the UK’s National Health Service carried out through hospital suppliers.
In order to address these threats and considering the challenge that having so many links in the chain represents, the US National Institute of Standards and Technology (NIST) has set out three basic principles for cybersecurity across the supply chain:
- Cybersecurity is never simply a technological problem; it involves people, processes, and information, which is why in many cases the root cause is human error rather than a technological failure. That is why all members of the supply chain should aim to implement sound cybersecurity practices.
- Security in the broad sense of the word includes the physical environment. There shouldn’t be a great divide between physical and digital security, as cyberattackers sometimes exploit physical vulnerabilities and security holes to carry out cyberattacks in the digital environment.
- Defenses must be developed on the principle that any defense can be breached. Starting out from the premise that incidents are inevitable, an organization will be better prepared, both in terms of prevention and in its capacity for mitigation if an attack finally occurs.
Defense in depth and zero trust
The concept of defense in depth is set out in the last of the principles developed by NIST. As Daniel Zapico, CISO of Globalia, explained, defense in depth ties in strongly with the concept of zero trust: not trusting the security of running applications is also a way of starting out from the premise that every element of a system may be vulnerable.
For these reasons, for Cytomic, it is the only valid approach to countering new cybersecurity threats, and it is the core of the Zero-Trust Application service, which is present in all Cytomic’s advanced endpoint security solutions, and which prevents the execution of any application that has not previously been verified and certified by the service. In this way, anything that comes from a link in the supply chain, no matter how reliable or apparently secure, will be analyzed, therefore ensuring that the supply chain will have far less chance of becoming an attack vector.