REvil, a Russian cybercriminal organization, took down the IT systems of 800 Swedish grocery stores, two New Zealand schools, two Maryland town governments, and thousands of other businesses worldwide in July. The attackers uncovered many cybersecurity flaws in Kaseya, a program used by IT service contractors to administer corporate networks remotely. By compromising Kaseya, REvil gained access to the IT systems of the numerous firms that used it. Kaseya was, therefore, a formidable attack vector.
Today, most software products rely on thousands of prewritten packages produced by vendors or drawn from open-source libraries. The most widely used third-party software supply chain components are highly prized targets for cybercriminals, and they are vulnerable. A 2020 audit by Synopsys found that 49% of commercial codebases use open-source components with high-risk vulnerabilities. By exploiting those vulnerabilities, attackers could compromise thousands or even millions of companies.
Sophisticated threat actors have already targeted widely used – and poorly protected – supply chain components. The SVR, a Russian intelligence agency, inserted malware into a SolarWinds cloud management software update. The SVR now has a possible attack path into the 18,000 organizations and government entities that faithfully installed the upgrade. The security firm Sonatype estimated over 400% more supply chain attacks between July 2019 and March 2020 than in the previous four years combined.
Another study, by Verizon, found that 60% of small- and medium-sized enterprises go out of business within six months of a cyberattack. Consequently, it's incumbent on firms to mitigate their risk.
Companies will soon have access to more tools that let them swiftly determine whether they are exposed to a newly disclosed vulnerability. Presently, only a few companies provide software bills of materials (SBOMs), which list the supply chain components incorporated in their products' code. However, a new Biden administration executive order mandates that all technology companies with federal government contracts submit SBOMs publicly, which will give the software supply chain much-needed transparency. In addition, rather than merely uncovering problems, firms must swiftly prioritize and remedy vulnerabilities. Regrettably, many are not doing so.
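The following is an added example, not part of the original article, of what an SBOM makes possible: once a vendor publishes the list of components in a product, a customer can match a newly published advisory against that list in seconds instead of asking the vendor whether they are affected. The SBOM follows the CycloneDX JSON layout; the product, component names, versions and the advisory identifiers are all constructed sample data, not real packages or real CVEs.

```python
"""Check a CycloneDX-style SBOM against vulnerability advisories.

Added illustration: the SBOM and the advisories are constructed sample
data with placeholder identifiers, not real products or real CVEs.
"""
import json
import re

# Constructed CycloneDX 1.4-style SBOM for a hypothetical product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application",
                             "name": "example-app", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "json-parse", "version": "1.4.2",
     "purl": "pkg:npm/json-parse@1.4.2"},
    {"type": "library", "name": "tls-helper", "version": "0.9.0",
     "purl": "pkg:npm/tls-helper@0.9.0"},
    {"type": "library", "name": "log-fmt", "version": "3.1.0-rc1",
     "purl": "pkg:npm/log-fmt@3.1.0-rc1"}
  ]
}
"""

# Constructed advisories keyed by package name. "fixed_in" is the first
# version that contains the fix; anything older is considered affected.
ADVISORIES = {
    "json-parse": {"id": "ADV-PLACEHOLDER-001", "fixed_in": "1.4.3"},
    "log-fmt":    {"id": "ADV-PLACEHOLDER-002", "fixed_in": "3.0.0"},
}


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically.

    Pre-release suffixes such as '3.1.0-rc1' are reduced to their leading
    digits per segment ('0-rc1' -> 0); a missing numeric part becomes 0.
    """
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def affected_components(sbom_json, advisories):
    """Return the SBOM components whose version predates the advisory fix."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        advisory = advisories.get(comp.get("name"))
        if advisory is None:
            continue  # no known advisory for this component
        if parse_version(comp["version"]) < parse_version(advisory["fixed_in"]):
            findings.append({
                "component": comp["name"],
                "version": comp["version"],
                "advisory": advisory["id"],
                "fixed_in": advisory["fixed_in"],
            })
    return findings


if __name__ == "__main__":
    for finding in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{finding['component']} {finding['version']} is affected by "
              f"{finding['advisory']}; upgrade to {finding['fixed_in']}")
```

Note that log-fmt is listed in the advisories but is not reported, because the version in the SBOM is already past the fixed release; a name-only match would have produced a false positive. The version comparison here is a deliberately simple numeric one, and real ecosystems (semver pre-release ordering, distribution epochs) need an ecosystem-specific comparator.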
IT managers should rely more on automated tools to fix simple vulnerabilities.
The online code repository GitHub developed an “automated robot code” that identifies and fixes users' simple vulnerabilities with one click.
Automated tools can be useful in identifying and fixing simple vulnerabilities in IT systems. They can help IT managers save time and effort by automating routine tasks and providing rapid feedback on potential security risks.
However, few businesses have incorporated these novel tools into their IT workflows. Only 42 of the 1,896 GitHub users contacted about one vulnerability accepted the automated patch. This needs to change.
Businesses should conduct a cost-benefit analysis for vulnerability patching.
Conducting a cost-benefit analysis for vulnerability patching is important for businesses. Vulnerability patching involves fixing security flaws in software or hardware systems to prevent cyber-attacks. While patching vulnerabilities is essential for maintaining the security of a business’s IT systems, it can also be costly in terms of time and resources.
By conducting a cost-benefit analysis, businesses can assess the potential impact of a vulnerability and the costs associated with patching it. This analysis can help businesses determine whether it is worth patching the vulnerability or if the risk posed by it is low enough to justify not patching it.
Businesses can use newly created metrics to triage vulnerabilities. For instance, the Exploit Prediction Scoring System (EPSS), developed by a team of cybersecurity experts and software vendors, estimates the probability that a vulnerability will be exploited based on its inherent characteristics.
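As an added illustration of the cost-benefit triage described in the preceding paragraphs (not part of the original article), the script below ranks findings by the expected loss an exploit would cause, using an exploitation probability of the kind EPSS produces, against the cost of patching. EPSS is a real scoring system maintained by FIRST that outputs a probability of exploitation within 30 days; the probabilities, asset values, patch costs and vulnerability identifiers below are constructed placeholders, and the decision rule is a simplified expected-value one chosen for this example.

```python
"""Risk-based vulnerability triage: EPSS probability versus patch cost.

Added illustration. All numbers are constructed and the vulnerability ids
are placeholders, not real CVEs. The severity-only column is included to
show how an exploitation probability changes the ranking.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str        # placeholder identifier, not a real CVE
    severity: float     # constructed CVSS-style severity, 0..10 (informational)
    epss: float         # constructed EPSS-style probability of exploitation, 0..1
    asset_value: float  # estimated loss if the affected asset is compromised
    patch_cost: float   # estimated cost to patch (labour, testing, downtime)


# Constructed sample findings for a hypothetical estate.
SAMPLE_FINDINGS = [
    Finding("VULN-PLACEHOLDER-A", 7.5, 0.92, 50_000, 2_000),
    Finding("VULN-PLACEHOLDER-B", 9.8, 0.01, 100_000, 5_000),
    Finding("VULN-PLACEHOLDER-C", 5.3, 0.30, 10_000, 500),
    Finding("VULN-PLACEHOLDER-D", 8.1, 0.05, 20_000, 1_500),
]


def expected_loss(finding):
    """Expected loss from leaving the vulnerability unpatched."""
    return finding.epss * finding.asset_value


def net_benefit(finding):
    """Expected loss avoided by patching, minus the cost of patching."""
    return expected_loss(finding) - finding.patch_cost


def triage(findings):
    """Rank findings by net benefit and attach a patch/defer decision.

    Returns a list of (vuln_id, net_benefit, action) tuples, highest net
    benefit first. A positive net benefit means patching pays for itself
    in expectation; a negative one means the risk is cheaper to carry
    than to remediate right now and should be revisited when EPSS moves.
    """
    ranked = sorted(findings, key=net_benefit, reverse=True)
    decisions = []
    for f in ranked:
        net = round(net_benefit(f), 2)
        action = "patch now" if net > 0 else "defer / accept risk"
        decisions.append((f.vuln_id, net, action))
    return decisions


def severity_only_order(findings):
    """The ranking a severity-only policy would produce, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.severity, reverse=True)]


if __name__ == "__main__":
    print("severity-only order:", severity_only_order(SAMPLE_FINDINGS))
    for vuln_id, net, action in triage(SAMPLE_FINDINGS):
        print(f"{vuln_id}: net benefit {net:>10.2f}  -> {action}")
```

The comparison is the point: the finding with the highest severity (B) sits at the bottom of the risk-based list because its exploitation probability is very low, while a medium-severity finding (C) is promoted because it is both likely to be exploited and cheap to fix. Exploitation probabilities change over time, so deferred findings need to be re-scored rather than closed.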
Procurers should demand that critical technology vendors implement “hot patching”.
Hot patching is a technique that allows vendors to update their software or systems in real-time without the need for a system reboot or any disruption to ongoing business operations. This technique is beneficial for critical systems, such as those used in finance, healthcare, and government, where downtime or disruption can have serious consequences.
By demanding that critical technology vendors implement hot patching, procurers can ensure that security vulnerabilities and other issues in the vendor's software or systems are addressed quickly and efficiently, without downtime or disruption to the procurer's business operations.
An example is the industrial control systems that run factories and the software that manages power grids and water distribution networks; these are so pivotal that they cannot fail. Thus, businesses should demand that their vendors implement hot patching systems, enabling them to deploy patches without rebooting their software. While implementing this functionality may increase costs, it will also ensure that businesses don't have to choose between cybersecurity and availability.