Close Menu

    Supply chain and API risks are greatly underestimated

    The risks associated with these attacks have never been higher, says CYBER1 Solutions' Jayson O'Reilly.
    By
    The author, Jayson O’Reilly

    When it comes to cybersecurity, many South African businesses keep on doing the same thing yet expecting a different result.

    They have no real understanding of today’s threat vectors, or the attack surface they are dealing with. This is unfortunate, because having an understanding of what bad actors are doing in the market, how they’re behaving and what their motivations are is a critical step in the cybersecurity process.

    It is also one which can help companies map out their defences and possibly even outmanoeuvre cybercriminals successfully.

    For example, although any given organisation might have implemented a range of cybersecurity measures and have a solid remediation plan, third-party partners, such as vendors, suppliers and others may not have the same levels of protection in place. These third-party relationships can dramatically increase the risk to a company by offering bad actors an easier way to gain a foothold on the target’s network, even if that target has the most sophisticated and expensive security systems money can buy.

    These supply-chain attacks happen when an attacker infiltrates an organisation’s system through an outside partner or provider that has access to its systems and data. Over the past few years, this has understandably significantly increased the attack surface of your average company, as a greater number of suppliers and service providers have access to sensitive data and systems than ever before.

    In fact, the risks associated with these attacks have never been higher, due to the increased sophistication of malicious tools, a more stringent regulatory framework and hybrid workforces, which have seen the attack surface widen even further.

    Chain of trust

    The biggest issue is the degradation of the chain of trust. All companies rely on third-party partners at some point, meaning that no company can keep everything in-house these days. Businesses in every industry must rely on third parties to establish this trust, and there’s no real way of doing that — if anything, the problem is getting worse as organisations depend more and more heavily on outside providers. The entire ecosystem of the industry needs to address this challenge, but there is no established, global set of tools, standards and practices, or a clear way forward.

    If we look at the slew of third-party breaches that have littered the headlines, as well as the successful attacks against large financial institutions, one of the key things that we’ve seen in all these cases is that businesses believe they can solve these problems through governance. They can’t. This is not a governance problem. All entities are at varying levels of maturity in their cybersecurity journeys, so what is key here is learning how to identify, protect, respond and recover.

    Many customers simply don’t understand the threat vector that is posed by having APIs in their environment

    South African companies in particular are at varying levels in their NIST framework journeys and many are unsure of what to do, or how to move forward. They share information with their customers, and in turn, these customers have no real knowledge of what information has left their organisation. They don’t think about data security when sharing this information, which introduces more vulnerabilities, as threat actors are only too aware that many organisations lack the foundations, or don’t have the fundamentals in place to securely transact with their data and with third-party partners.

    Another critical observation that adds to the supply-chain security conundrum, is that many third parties are connecting to customers’ environments through application programming interfaces or APIs. In essence, an API enables applications or components of applications to communicate with each other over the Internet or a private network. At first, most companies either used them within a secure private network or accessed them through secure communications channels. However, more and more, businesses have begun using APIs to open up access to internal applications, as well as data to third-party partners, suppliers, customers and others. In fact, APIs are viewed as foundational to enabling digital transformation and powering the new generation of mobile apps that businesses depend on today.

    Unfortunately, these APIs running in their environment, and running on their apps, have become embedded in their organisation, and are needed to enable the organisation to function. Unfortunately, no governance process would be able to pick up a technical risk in this situation; nor would all the technologies that they have in place today. Threat actors know that this plays below layer seven, which is the top layer of data processing that happens just below the surface or behind the scenes of the software applications that users interact with. Many customers simply don’t understand the threat vector that is posed by having APIs in their environment. They’re just all happy that everything appears to be functioning correctly.

    In truth, much like supply chains, the APIs that connect enterprise applications and data to the Internet are subject to the same vulnerabilities as regular Web applications and must be addressed with the same focus and vigour. And perhaps even more so, because the transaction updates and mass data that APIs enable put them at a greater risk, and subject them to more threats that Web apps rarely have to deal with. However, getting past the point of the customer’s maturity and their capabilities, and the fact that they don’t understand this threat vector, is the real challenge.

    About CYBER1 Solution
    CYBER1 Solutions is a cybersecurity specialist operating in Southern Africa and East and West Africa, Dubai, and Europe. Our solutions deliver information security, IT risk management, fraud detection, governance and compliance, and a full range of managed services.

    We also provide bespoke security services across the spectrum, with a portfolio that ranges from the formulation of our customers’ security strategies to the daily operation of endpoint security solutions. To do this, we partner with world-leading security vendors to deliver cutting-edge technologies augmented by our wide range of professional services.

    Our services enable organisations in every sector to prevent attacks by providing the visibility into vulnerabilities they need to rapidly detect compromises, respond to breaches, and stop attacks before they become an issue.

    • The author, Jayson O’Reilly, is cybersecurity risk officer at CYBER1 Solutions. Connect with him on LinkedIn.
    • This promoted content was paid for by the party concerned


    Share.

    Related Posts

    Add A Comment

    Comments are closed.