Tag Archive for: Basics

Software Supply Chain Security: The Basics and Four Critical Best Practices


What is software supply chain security?

Modern enterprise software is typically composed of some custom code and an increasing amount of third-party components, both closed and open source. These third-party components themselves very often get some of their functionality from other third-party components. The totality of all of the vendors and repositories from which these components (and their dependencies) come makes up a large part of the software supply chain. But it’s not just code: the supply chain for a software product also includes all of the people, services, and infrastructure that make it run. Adding it all up, the software supply chain is an often large and complex web of various sources of code, hardware, and humans that come together to make, support, and deliver a larger software product.

Using third-party and open source software saves your organization time and money and frees up your developers to create novel software instead of reinventing the wheel, but it comes with a cost. These components are created and maintained by individuals who are not employed by your organization, and these individuals may not have the same security policies, practices, and quality standards as you. This poses an inherent security risk, because differences and inconsistencies between policies can create overlooked areas of vulnerability that attackers may seek to exploit.

Attackers can compromise the security of the software supply chain in a number of ways, including:

  • Exploiting bugs or vulnerabilities in third-party components
  • Compromising the development environment of a third party and injecting malware
  • Creating fake components that are malicious

Software supply chain security seeks to detect, prevent, and mitigate these threats and any others that stem from an organization’s third-party components. In this blog post, one of a series of guides about continuous integration and delivery (CI/CD), we look at software supply chain attacks, and how best to thwart them.

What is a software supply chain attack?

According to the U.S. National Institute of Standards and Technology (NIST), a software supply chain attack occurs when a threat actor “infiltrates a software vendor’s…


Asset risk management: Getting the basics right


In this interview with Help Net Security, Yossi Appleboum, CEO at Sepio, talks about asset risk management challenges for different industries and where it’s heading.


Cyberattacks show no signs of slowing down. What do organizations need to do to boost their asset risk management?

They need to understand what’s in their environment. You can’t do anything to manage risk if you don’t know what assets you have and their associated risk posture. Increased spending on cybersecurity tools is a waste if those tools cannot see every asset in your infrastructure. And, unfortunately, that is where a lot of enterprises fall short. So, the number one thing enterprises need to do is get back to basics and focus on what builds the foundation to robust asset risk management – and that is visibility and understanding of risk.

What are the most common threats plaguing the financial sector, and how can asset visibility mitigate the risks?

The first threat that comes to mind is ransomware. The finance industry, by nature, has access to substantial amounts of money, and disruptions to financial services can have a tremendous impact on society and the economy. These two factors make financial institutions the perfect target for a ransomware attack as the tolerance for downtime is low and the funds needed to pay the ransom are there. Ransomware can get introduced to the environment through IT assets, and asset visibility mitigates the risks by accounting for anomalies that could indicate a possible threat.

Social engineering is another threat faced by the financial sector. The thousands of employees that work for large financial corporations each act as a gateway into the organization through simple methods of manipulation. A bad actor can convince a member of staff to bring in an unwanted asset by means of bribery or blackmail or have them unknowingly do so by enticing them with free handouts. Who can refuse a free iPhone charger? Asset visibility mitigates the risks by accounting for these novel connections, which security teams can subsequently investigate.

What about healthcare institutions? How are they vulnerable, and what must they do to ensure service continuity and avoid…


SecureWorks : 3 Cybersecurity Basics and Why They’re Essential


Cybersecurity, believe it or not, is one of the most important issues of our time. That’s because:

  • Digital technology has become pervasive, touching every aspect of our personal, economic, cultural, and political lives.
  • This pervasiveness has resulted in a virtually infinite threat surface that extends from the device on your wrist to the biggest, gnarliest datacenters on the planet.
  • Criminals are always going to commit crime.
  • Due to our connectedness, a breach anywhere is a threat to businesses everywhere.

Unfortunately, the media has done an inadequate job of framing the cybersecurity issue. For one thing, news organizations only cover cybersecurity when some new global threat emerges, or worse yet, after a significant breach has occurred. This skewed coverage gives the false impression that the only thing we have to worry about, and defend ourselves against, is the next high-profile zero-day exploit.

That, of course, is untrue. Most breaches are far more mundane. As they say, it’s not the lion you have to worry most about in the jungle. It’s the mosquitoes.

Even worse may be the way hackers are portrayed in movies and on TV. If you only learn about cybersecurity through popular entertainment, you probably believe that hackers are evil geniuses capable of sliding past even DoD-quality cyber defenses with a single torrent of lightning keystrokes, which means you’re basically helpless against their inexorable brilliance.

This is also patently untrue. Most hacking is literally that: hacking. Cybercrime is mostly brute force trial-and-error perpetrated by bad actors who often don’t need to have Hollywood-level hacking skills, but have learned that with enough time and effort they can earn a decent living stealing stuff.

Our cyber defenses, both individual and collective, thus depend, to a large degree, on simply making life harder for hackers. After all, hackers have the same constraints of time, budget, and payoff. In fact, I’ll go even further and say…


Going Back to Basics to Fix Our Broken Approach to Cybersecurity


Cybersecurity has garnered plenty of mainstream attention lately—but for all the wrong reasons. The past year has been marked by a seemingly unending stream of major companies and organizations coming forward to admit they were the victim of a data breach or malware attack. When cybersecurity measures are working well, the end users are never even aware of them. So when ransomware suddenly becomes a household term, you know something is seriously broken with our approach to cybersecurity.

The extent of the problem is borne out in the statistics. The total number of companies that suffered data breaches in 2020 was 1,108, a high that was already exceeded by the end of September, when the total rose to 1,529 (a 17-percent increase)—and the year isn’t even over! Supply chain attacks are also on the rise, but are often a woefully overlooked attack vector in an organization’s security stack. A recent survey revealed that 83 percent of organizations suffered an operational technology breach during the previous three years.

The uptick in major breaches and ransomware incidents has already affected spending priorities, prompting 91 percent of organizations to increase their security budget in 2021. While this is a positive development overall, it underscores the futility of simply throwing more money at a broken system. If a fundamental change isn’t made to their existing security stack, these companies will continue to fall victim to the same threats they always have. It’s a cat-and-mouse game that they will always lose.

So that’s the bad news. The good news is that by augmenting our cybersecurity focus on a fundamental feature of internet architecture, we can start protecting ourselves in a proactive manner. Organizations often view cybersecurity as a wall around their organization’s network, keeping all of the nasty bits of the internet at bay while their critical data stays safely protected within. Unfortunately, in the modern landscape, a determined threat actor will eventually find a way to bypass their target’s defenses—whether by taking advantage of an unpatched exploit, successfully carrying out a phishing scam, or exploiting a…
