
Balancing Innovation and Security: How Offensive Security Can Help Navigate the Tech Industry’s Dual Challenges

Two of the greatest threats facing technology-focused organizations are their often-quick adoption of new technologies, such as artificial intelligence (AI), without taking security measures into consideration and a very high reliance on third-party vendors to operate their businesses.

Both issues are covered in detail in the recently released report Trustwave SpiderLabs' 2024 Technology Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies. For technology organizations especially, building security and testing into the Software Development Lifecycle (SDLC) is imperative to ensure an offensive approach to security. Incorporating a robust offensive security program can help uncover and mitigate many of the issues in this sector before they cause a disruption in service, or worse, halt operations.

Recent breaches illustrate the severity of the threat. In December 2022, multiple cyberattacks on LastPass, a password management company, included one third-party breach, compromising millions of customer password vaults. In October 2023, hackers stole data from US access and identity management giant Okta's entire client base during a breach of its support systems. Finally, Trustwave SpiderLabs identified a case where an AI chatbot exposed sensitive data due to incomplete testing.

 

When Security Takes a Backseat to Progress

The relentless drive for innovation in the tech industry can sometimes compromise security. Rushing to introduce new features, such as AI, may result in shortcuts like integrating untested components. These components lack thorough evaluation for vulnerabilities, potentially creating backdoors for attackers. Picture a new car boasting a powerful engine but with faulty brakes – it may be speedy, but it's also perilous.

Prioritizing robust security measures shouldn't be an afterthought. It must permeate every stage of the software development lifecycle. Delaying security considerations until later stages is akin to attempting to fortify a house with a shaky foundation – a challenging and costly endeavor.

The case highlighted by SpiderLabs exemplifies this issue, where an AI chatbot exposed sensitive data due to inadequate testing. This underscores a broader problem: the integration of AI into software without a comprehensive analysis of its security implications.

Stringent security practices throughout development are essential. Identifying vulnerabilities during the coding and testing phases is far more manageable than addressing them post-production. The difficulty in patching products reliant on insecure components is evident in the persistence of outdated and vulnerable packages within software repositories.

Despite the immense potential of AI, security concerns persist. For instance, users exploiting a car dealership's AI chatbot to access irrelevant information exemplifies "business logic flaws," which often elude traditional security testing tools. Addressing these flaws necessitates specialized testing approaches that account for the specific logic underpinning the AI component.

  • Integrate security practices into every stage of the SDLC, from initial design through coding, testing, deployment, and maintenance.
  • Identify and assess potential security threats early in the development process.
  • Train developers in secure coding practices to minimize vulnerabilities introduced during coding.
  • Utilize automated tools to scan code for vulnerabilities throughout development.
  • Conduct regular penetration testing to identify and exploit vulnerabilities before attackers do.

 

Supply Chain Attacks on the Rise

Supply chain attacks are on the rise, with attackers shifting focus from directly targeting major companies to exploiting a more vulnerable link: trusted third-party vendors. This strategy resembles a domino effect, wherein compromising one vendor can trigger a chain reaction affecting numerous businesses.

Why are these third-party vendors attractive targets? They often have weaker cybersecurity defenses, making them susceptible to attack. Threat actors exploit these vulnerabilities to gain access to the data of larger companies that rely on these vendors. When these vendors have unpatched vulnerabilities and lack robust data breach protocols, they become wide open to exploitation, posing a significant threat to the entire tech industry.

The recent surge in supply chain attacks underscores the lucrative rewards for attackers. But what makes these attacks particularly risky in the tech realm? Unlike other industries, many tech companies play dual roles as both suppliers and consumers. Their products and services serve as building blocks for larger systems, potentially introducing security flaws. Moreover, tech companies heavily rely on a multitude of third-party technologies, further complicating the landscape.

This interdependency raises concerns, particularly in sectors with intricate supply chains, such as software publishing and infrastructure provision. Recent incidents involving Kaseya, MOVEit, SolarWinds, and 3CX illustrate how compromising a single vendor can disrupt entire industries. Ensure supply chain security is top of mind by:

  • Conducting security assessments before working with vendors and providing accurate security information if you're a vendor.
  • Including strict security clauses in contracts requiring regular audits, breach notifications, and data protection compliance.
  • Regularly auditing vendor security practices and conducting vulnerability assessments and penetration testing.
  • Enforcing access controls, change control, and security checks throughout development pipelines.
  • Encrypting sensitive data at rest and in transit, implementing least privilege access, and monitoring access logs.
  • Ensuring both parties comply with relevant data privacy regulations based on location and data type.
  • Providing regular training on cybersecurity hygiene to empower employees to defend against attacks.

 

Trustwave Offensive Security

That these two issues stand out as problematic for the tech industry underscores that even the most advanced, tech-savvy firms face the same problem as a mom-and-pop company working out of its basement. Each has flaws that must be found and addressed.

Operating a robust offensive security program, with tactics like penetration testing and red teaming, is one of the best methods for detecting these issues before they become major problems.

As a leading provider of offensive security, Trustwave Consulting and Professional Services possesses all the tools necessary to conduct an effective review of a client's security program. Our team addresses key pain points by efficiently identifying and prioritizing vulnerabilities and offering expert advice and mitigation services. Trustwave CPS provides long-term support that goes beyond simply preventing attacks, helping organizations improve their overall security posture, enhancing resilience and recovery capabilities.
