Mon. May 23rd, 2022

    Content Assessment: Strong Security No Longer Enough? The Threat Landscape for Supply Chain Attacks

    Information - 95%
    Insight - 100%
    Relevance - 90%
    Objectivity - 95%
    Authority - 95%

    Overall: 95% (Excellent)

    A short percentage-based assessment of the qualitative benefit of the recently published European Union Agency for Cybersecurity (ENISA) report on the cybersecurity threat landscape for supply chains.

    Editor’s Note: The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. In July of 2021, ENISA published the report Understanding the Increase in Supply Chain Security Attacks. The report presents findings from an analysis of 24 recent attacks and notes that strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. This overview of the threat landscape may be beneficial for cybersecurity, information governance, and legal discovery professionals operating in the eDiscovery ecosystem as they consider cyber discovery.


    Press Announcement And Report*

    Understanding the Increase in Supply Chain Security Attacks

    The European Union Agency for Cybersecurity’s mapping of emerging supply chain attacks finds that 66% of attacks focus on the supplier’s code.

    Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers. Malware is the attack technique that attackers resort to in 62% of attacks.

    According to the new ENISA report – Threat Landscape for Supply Chain Attacks, which analyzed 24 recent attacks, strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers.

    This is evidenced by the increasing impact of these attacks, such as downtime of systems, monetary loss and reputational damage.

    Supply chain attacks are now expected to multiply by 4 in 2021 compared to the previous year. This new trend stresses the need for policymakers and the cybersecurity community to act now. This is why novel protective measures to prevent and respond to potential supply chain attacks in the future, while mitigating their impact, need to be introduced urgently.

    Juhan Lepassaar, EU Agency for Cybersecurity Executive Director, said: “Due to the cascading effect of supply chain attacks, threat actors can cause widespread damage affecting businesses and their customers all at once. With good practices and coordinated actions at EU level, Member States will be able to reach a similar level of capabilities raising the common level of cybersecurity in the EU.”

    What is a supply chain?

    A supply chain is the combination of the ecosystem of resources needed to design, manufacture and distribute a product. In cybersecurity, a supply chain includes hardware and software, cloud or local storage and distribution mechanisms.

    Why is a good level of cybersecurity not good enough?

    Composed of an attack on one or more suppliers followed by a later attack on the final target, namely the customer, supply chain attacks may take months to succeed. In many instances, such an attack may even go undetected for a long time. Similarly to Advanced Persistent Threat (APT) attacks, supply chain attacks are usually targeted, quite complex and costly, with attackers probably planning them well in advance. All such aspects reveal the degree of sophistication of the adversaries and their persistence in seeking to succeed.

    The report reveals that an organization could be vulnerable to a supply chain attack even when its own defenses are quite good. The attackers explore new potential highways to infiltrate organizations by targeting their suppliers. Moreover, with the almost limitless potential of the impact of supply chain attacks on numerous customers, these types of attacks are becoming increasingly common.

    In order to compromise the targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents. This shows that organizations should focus their efforts on validating third-party code and software before using them, to ensure these were not tampered with or manipulated.

    For about 58% of the supply chain incidents analyzed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) and intellectual property.

    For 66% of the supply chain attacks analyzed, suppliers did not know, or failed to report, how they were compromised. However, less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in cybersecurity incident reporting maturity between suppliers and end-users.

    The recommendations, in a nutshell:

    Apply good practices and engage in coordinated actions at EU level.

    The impact of attacks on suppliers may have far-reaching consequences because of the increased interdependencies and the complexity of the techniques used. Beyond the damage to affected organizations and third parties, there is a deeper cause for concern when classified information is exfiltrated and national security is at stake, or when consequences of a geopolitical nature could emerge as a result.

    In this complex environment for supply chains, establishing good practices and getting involved in coordinated actions at EU level are both important to support all Member States in developing similar capabilities – to reach a common level of security.

    The report provides an extensive set of recommendations for customers to manage the supply chain cybersecurity risk and to manage the relationship with their suppliers.

    Recommendations for customers include:

    • identifying and documenting suppliers and service providers;
    • defining risk criteria for different types of suppliers and services, such as supplier and customer dependencies, critical software dependencies, and single points of failure;
    • monitoring supply chain risks and threats;
    • managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components;
    • classifying assets and information shared with or accessible to suppliers, and defining relevant procedures for accessing and handling them.

    The report also suggests possible actions to ensure that the development of products and services complies with security practices. Suppliers are advised, for instance, to implement good practices for vulnerability and patch management.

    Recommendations for suppliers include:

    • ensuring that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cybersecurity practices;
    • implementing a product development, maintenance and support process that is consistent with commonly accepted product development processes;
    • monitoring security vulnerabilities reported by internal and external sources, including those in the third-party components used;
    • maintaining an inventory of assets that includes patch-relevant information.

    Read the original release.


    Complete Report: ENISA Threat Landscape for Supply Chain Attacks (PDF)

    Read the original paper.

    *Shared with permission under Creative Commons – Attribution 4.0 International (CC BY 4.0) – license.


    Source: ComplexDiscovery
