CA advisory on grim statistics of supply chain risks in third-party software

The Communications Authority of Kenya (CA), through the National Computer Incident Response Team Coordination Center issued an advisory on supply chain risks in third- party software stating that ICT users should make informed and risk-free decisions on the choices of their products by engaging Cybersecurity experts.

This follows a growing global concern and trend that shows, cyber criminals going forward will exploit the vulnerability within the supply chains to hit their targets. Though Kenya has not been adversely affected by such attacks as at now, the trend depicts a serious concern in cybercrime management and thus a precaution should be taken when dealing with outsourced products and personnel.

According to security reports in 2017, the one problem that many companies have discovered is that third-party data breaches are the weakest link in their data management chain, citing over 60% increase in the breaches in the last two years.

A supply chain attack, also called the value-chain or third-party attack occurs when someone infiltrates a system through an outside partner or provider who validly has access to the systems and data. The attacker takes advantage of the inherent trust between users and their software providers.

This has dramatically changes the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.

According to an article on CSO, there’s no end to major cyber breaches that were caused by suppliers and named a few,the 2014 Target breach was caused by lax security at an HVAC vendor. This year, Equifax blamed its giant breach to a flaw in outside software it was using. It then blamed a malicious download link on its website to yet another vendor. Then there were the Paradise Papers, over 13 million files detailing offshore tax avoidance by major corporations, politicians, and celebrities. The source? Like last year’s Panama Papers, it was a law firm that was the weakest link.

It is estimated that a majority of cyber-attacks originate from the supply chain or from the external parties exploiting security vulnerabilities within the supply chain. Supply chain attacks are now moving into the mainstream of cybercrime, and with a number of successful attacks in 2016 and 2017, cyber criminals will focus on this method in 2018 and beyond.

Ponemon Institute, conducts independent research on privacy, data protection and information security policy stated in their survey that 56 percent of organizations have had a breach that was caused by one of their vendors.

The trend is gaining momentum with the increased offers of free anti-malware products by vendors.  The free anti-malware are used as a bait to lure the unsuspecting users, while the real intention is to have the anti-malware installed into a system, then use it to capture personal and confidential data. Such vendors later monetize the data collected or use it to their political or business advantage. This trend applies not only to anti-malware solutions but also any other third party software.

In most instances, vendors introduce complex disclosure statements that are in part designed to obscure intent as to what data is being collected and whether it can be sold or any other breach.

Though this might try to curb the breaches there have been instances that the risks don’t end when the supplier relationship is terminated. Domino’s Australia had a security breach and says a former supplier’s system had leaked customer names and email addresses. “Most contracts I review don’t include adequate details for managing the tricky process of vendor termination,” says Brad Keller, senior director of third party strategy at Prevalent, Inc.

The Authority is therefore advising the public as follows:

1. a)That end users treat free or low cost cyber security software as potential threats and where possible refrain from the usage. They should strive to determine their monetization methods and their policies. To this end users should endeavour to read the terms and conditions of their usage however lengthy they are.
2. b)That organizations and government institutions properly vets software vendors in order to ascertain any concealed motive that might work against their interests especially with products interacting with organization’s critical infrastructure. Products or vendors with tainted history should be dealt with as a risk, and constant reviews carried out.
3. c)Kenyan ICT consumers should be concerned about the safety of their data more than ever before. Cyber criminals have changed tact and are now using third party software to deliver threats to unsuspecting users in an attempt to comprise their personal data. Consumers should thus avoid “they will do it” approach but should rather collaborate with theservice providers in securing the services.