This article originally appeared in Journal of Cyber Policy on April 2, 2019.
Carbon Black Reports:
According to Carbon Black’s latest quarterly Global Incident Response Threat Report (April 2019), supply chain attacks are becoming more prevalent and more dangerous. Half of today’s cyber attacks use “island hopping” as an approach, meaning attackers go after not only the target network but every organization along its supply chain as well (https://www.carbonblack.com/global-incident-response-threat-report/april-2019/).
According to Mike Bittner, digital security & operations manager at The Media Trust, “Supply chains are easy and lucrative targets. In today’s digital environment, they are extremely complex and dynamic, they lie outside the perimeter of the IT infrastructure, and they are, therefore, hard to monitor. This supply chain vulnerability is best exemplified by today’s websites and mobile apps.
“Over the past decade, website and app publishers have been losing control of their digital ecosystems because of their growing reliance on third-party code suppliers, who enable front- and back-end capabilities to improve the user experience and performance analytics, among others. Anywhere from 50-95% of the code that runs on these sites and apps lies outside the company’s IT infrastructure because that chunk of code is provided by third parties. The problem is, these publishers don’t know even half of their third parties, let alone the vendors these third parties frequently bring into their customers’ digital ecosystems.
“This largely hidden supply chain is a glaring security blind spot for any organization that has a website or mobile app or both. If Magecart or CartThief is any indication, bad actors are gunning for these supply chains, because they are easy and lucrative targets. And the preponderance of insecure third-party code facilitates takeovers.”
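The first step toward closing the blind spot described above is simply knowing which scripts a page pulls in, from whom, and whether anything pins their contents. The Node.js script below is an added example, not code from the article or from The Media Trust: it scans a page's script tags, classifies each by origin against the site's own host and a list of vendors the publisher already knows about, and flags cross-origin scripts that carry no Subresource Integrity hash, since those are the ones a compromised supplier can silently change. The sample HTML, the page origin and the vendor hostnames are constructed for illustration.

```javascript
// Added example (not from the article): inventory the scripts a page loads,
// classify them by origin, and flag the ones a third party could swap out.

// Constructed sample page; the hostnames are illustrative, not real vendors.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lib@1.0.0/lib.min.js"
        integrity="sha384-EXAMPLEHASH" crossorigin="anonymous"></script>
<script src="//tagmanager.example-vendor.net/loader.js" async></script>
<script>inline()</script>
</head></html>`;

// Parse name="value" / name='value' / name=value pairs out of a tag body.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return every <script> tag's src and integrity attribute (null when absent).
function listScripts(html) {
  const tags = [];
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    tags.push({ src: attrs.src || null, integrity: attrs.integrity || null });
  }
  return tags;
}

// True when host is the domain itself or a subdomain of it.
function isUnderDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Classify each script as first-party, known-third-party, unknown-third-party
// or inline, and flag cross-origin scripts that are not pinned with SRI.
function classifyScripts(html, pageOrigin, knownVendors) {
  const pageHost = new URL(pageOrigin).hostname;
  return listScripts(html).map((s) => {
    if (!s.src) {
      return { src: null, host: null, kind: "inline", sri: false, flagged: false };
    }
    // Relative ("/x.js") and protocol-relative ("//host/x.js") URLs resolve
    // against the page origin, exactly as the browser would resolve them.
    const host = new URL(s.src, pageOrigin).hostname;
    let kind;
    if (host === pageHost) kind = "first-party";
    else if (knownVendors.some((v) => isUnderDomain(host, v))) kind = "known-third-party";
    else kind = "unknown-third-party";
    const sri = Boolean(s.integrity);
    // Without an integrity hash, whatever the vendor serves tomorrow runs
    // with full access to the page; that is the takeover path to watch.
    const flagged = kind !== "first-party" && !sri;
    return { src: s.src, host, kind, sri, flagged };
  });
}

// Draft a CSP script-src from the site itself plus vendors already reviewed.
// Unknown hosts are deliberately left out until someone has vetted them, and
// inline scripts would need a nonce or hash rather than a host entry.
function suggestScriptSrc(report) {
  const hosts = new Set(
    report.filter((r) => r.kind === "known-third-party").map((r) => r.host)
  );
  return ["'self'", ...hosts].join(" ");
}

// Stand-alone run over the constructed sample.
const PAGE_ORIGIN = "https://www.example.com/";           // assumed site
const KNOWN_VENDORS = ["example-analytics.com", "jsdelivr.net"]; // assumed allowlist
const report = classifyScripts(SAMPLE_HTML, PAGE_ORIGIN, KNOWN_VENDORS);
for (const r of report) {
  console.log(`${r.flagged ? "FLAG" : "ok  "} ${r.kind.padEnd(20)} ${r.src ?? "(inline)"}`);
}
console.log("Suggested script-src:", suggestScriptSrc(report));
```

A static scan of the HTML only sees the first tier of suppliers. The vendors that those suppliers pull in at runtime, the part of the chain the publisher rarely knows about, appear only in the browser: feed the same classification the entries from `performance.getEntriesByType("resource")` on a real page load, or the violation reports from a `Content-Security-Policy-Report-Only` header, and the unknown-third-party bucket grows accordingly.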