Vincent Smyth, senior vice president EMEA, Flexera Software
Vincent Smyth, senior vice president EMEA, Flexera Software

These days, it seems we can't go very long living in bliss without hearing about another cyber-attack with some catchy nickname to gain our attention. Just last month, Krebs on Security blogged about yet another facet of this hot mess industry problem that most of us were not aware of before this post. And, with good reason.

An unnamed-software vendor that provides tools for Windows administrators, had the server hosting its software compromised. Hackers then used the compromised site to attack customers of this vendor. Shamefully, the vendor only posted a note on its website, and did not proactively inform its customers. Its poor disclosure was, of course, criticised, given the exposure of large organisations to this supply-chain attack – dubbed, drum roll please…Kingslayer. 

Supply-chain attacks 

RSA calls these types of intrusions supply-chain attacks, because one compromise vector is used for multiple targets.  It is not difficult to see from the customer lists why an attacker might crave the idea of hacking an entire suite of software designed for corporate system administrators.

As Kent Backman and Kevin Stear wrote in RSA's recent report, “Supply-chain exploitation attacks, by their very nature, are stealthy and have the potential to provide the attacker access to their targets for a much longer period than malware delivered by other common means, by evading traditional network analysis and detection tools. Software supply-chain attacks offer considerable ‘bang for the buck' against otherwise hardened targets. In the case of Kingslayer, this especially rings true because the specific system-administrator-related systems most likely to be infected offer the ideal beachhead and operational staging environment for system exploitation of a large enterprise.”

Dysfunctional software supply chain

This is yet another example of how the dysfunctional software supply chain continues to endanger enterprises. Organisations absolutely need to obtain proper alerts associated with the security of the applications they have installed. Thankfully, there is an answer. Software Vulnerability Management (SVM) helps enterprises combat these hackers head on, enabling companies to not only have access to accurate vulnerability alerts and patches that are available – but those that affect their environment – without having to rely on vendors' alerts and notifications or proactively go out to all their vendors' sites to – hopefully – find them.

Businesses rightly fear exposing customers to internet criminals without a way to fix the problem. Indeed, the reputational damage and loss of trust resulting from these break-ins cuts far deeper than the cost of repairing the damage.  According to PwC's 2016 Global Economic Crime Survey, executives considered reputational damage the most devastating impact of cyber-breach, followed closely by legal, investment and enforcement costs.

The cost is massive for enterprises when a hacker is successful in gaining entry. An organisation's first line of defence to minimise cyber-criminal threats should be to shrink the attack surface by decreasing the number of vulnerabilities on its devices. Taking this preventative measure will considerably lower the likelihood that a hacker can do any real harm. 

Software vulnerability management 

This is why Software Vulnerability Management is so important – it is preventative. Most successful cyber-attacks use known vulnerabilities to gain access or escalate privileges inside corporate IT infrastructures. Once hackers have successfully exploited a vulnerability, they have a base to roll out their attack – moving around systems, gathering information and deploying malware (an umbrella term referring to a variety of hostile or intrusive software including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other malicious programs) to steal or terminate business-critical information or cause disruption. 

The problem created by vulnerabilities is more broad-based than most enterprises realise. Vulnerability Review 2017 presents global data on the prevalence of vulnerabilities and the availability of patches. In 2016 alone, 17,147 vulnerabilities were recorded in 2,136 products from 246 vendors. These findings illustrate the challenge faced daily by security and IT operations teams trying to protect their enterprises against security breaches.

The good news is that 81 percent of vulnerabilities in all products had patches available on the day of disclosure. This means that by implementing a proper Software Vulnerability Management strategy, enterprises can significantly minimise their attack surface, and the likelihood of a successful breach.

Time to face facts 

We simply can't ignore that as software gets smarter, so the criminals' options increase. Technology is only going to continue to advance, but as we have seen, innovation almost always comes with inherent risks. Enterprises need to take reasonable precautions to help ensure their software does not become easy prey for criminals.

Contributed by Vincent Smyth, senior vice president EMEA, Flexera Software

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.