Third parties remain a critical source of security risk. The recent discovery by Cisco’s Talos cybersecurity research team of malware embedded within the consumer application CCleaner reminds us that cyber hygiene lies not just within ourselves.

Talos stated in its September 18th Update: “Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. Therefore, as we leverage the capabilities of third party software, this trust relationship is then abused to attack organizations and individuals.”

Those who seek to gain access to information for control, economic gain or espionage are capitalizing on the benefit of attacking the ‘weakest link of the chain.’  The value chain, that third-party ecosystem to which each of us is intimately connected in a digital economy, must be part of your security hygiene.

How, then, are end users, consumers and enterprises alike, to protect themselves?
While deploying a lock on the front door to your systems via antivirus protection is a basic hygiene mandate, attacks can still succeed via your third-party providers—as illustrated by CCleaner.

Consider these essential third-party hygiene steps:

  1. Know who is supplying you with what
  2. Assess the assurance practices used by those third parties and how transparent they are about their security practices
  3. Seek public information on how those suppliers measure up against cybersecurity benchmarks

Vigilance will not always succeed, but not turning a blind eye to exactly who you are letting “touch your stuff” and how they address security is now an imperative! Cisco drives a comprehensive value chain security architecture across our ecosystem. In collaboration with our third parties, we (i) reduce risk via protection techniques, (ii) monitor security practices and (iii) ensure swift sharing by third parties of their security incidents in order to minimize impact and foster swifter mitigation collectively.