This insight comes from a study by the Croatian Chamber of Economy conducted on more than 200 companies, presented at the first strategic workshop of the Cybersecurity Academy. As seen in Lider, Maja Šporčić shares her view on the current state of software supply chain attacks and discusses how these attacks are carried out.
Attacks on software supply chains have surged by 742 percent between 2021 and 2023. Gartner predicts that by 2025, 45 percent of companies globally will experience such attacks. Instead of directly targeting the main company, attackers often compromise a third-party software product used by the company. This means targeting software manufacturers and suppliers, infiltrating malicious code or security weaknesses into their software. When this compromised software reaches end-users, attackers gain access to their systems, potentially affecting hundreds or thousands of organizations.
Maja Šporčić, product manager at ASEE, emphasizes the severity of these attacks.
"Attackers target software producers and suppliers, embedding malicious code or security weaknesses into their software. When this compromised software reaches the end-users, the attackers gain access to their systems. This strategy allows them to attack not just one organization but potentially hundreds or thousands using that software."
Ransomware has been a persistent threat for years. This type of attack typically involves malicious software encrypting company data, making it inaccessible until a ransom is paid. Exploiting supply chain vulnerabilities is also becoming more prevalent. The SolarWinds incident is a prime example where attackers infiltrated a trusted software manufacturer to breach many government and corporate networks. Such attacks highlight the need for companies to ensure that their suppliers adhere to cybersecurity standards and best practices. Identity theft and phishing attacks, which are increasingly personalized and often crafted to mimic regional languages or use generative AI technology, also remain significant threats.
Artificial intelligence is being used more frequently to automate attacks, create malicious code and content, and facilitate the work of cybercriminals. This speeds up their attack campaigns and aids them in executing social engineering attacks. One tactic showcasing the power of AI in cyberattacks is cloning or voice modulation, where attackers imitate authoritative figures during phone calls to gain access to organizations or extract financial gain. While cybercriminals are getting smarter, so are legislative bodies, which have realized the importance of robust cybersecurity measures.
Regulators and state authorities are increasingly aware of the importance of cybersecurity. The European Union's NIS2 framework aims to strengthen cybersecurity and operational resilience. Unlike its predecessor, NIS2 covers more sectors, prescribes stricter security measures, and imposes harsher penalties for non-compliance, affecting both organizations and managers responsible for protecting the company. In Croatia, the provisions of NIS2 have been incorporated into the new Cybersecurity Act, which came into force in February. This legislation is prompting many companies to reassess their level of cybersecurity.
"NIS2 encompasses more sectors and prescribes more demanding security measures and stricter penalties for non-compliance, which apply not only to the organization but also to managers responsible for company protection. This move, integrated into Croatia’s new Cybersecurity Act, forces many companies to start considering their cybersecurity levels seriously." – Maja Šporčić
Human error remains one of the greatest vulnerabilities in cybersecurity. Continuous employee training is crucial. Research shows that 88 percent of cybersecurity breaches occur due to human error. Companies should develop training programs that cover basic security practices, recognizing phishing attacks, and password management. This education should be ongoing and regularly updated to address new threats.
Šporčić reiterates the importance of ongoing education, "Research shows that 88 percent of cybersecurity breaches happened due to human error. A training program should cover basic security practices, recognizing phishing attacks, and managing passwords. This education should be continuous and regularly updated to address new threats."
By understanding and addressing these challenges, companies can better protect themselves and their clients in an increasingly digital world.
Third-party attackers frequently exploit weak authentication measures and inadequate access control to compromise authentication infrastructures. This approach allows them to infiltrate organizations and insert malicious code into software. Highlighting this tactic emphasizes the robustness of our security solutions and their effectiveness in preventing such breaches. ASEE provides innovative solutions tailored to address specific cybersecurity challenges, effectively mitigating risks and enhancing overall security. Here’s how ASEE can assist your organization in overcoming these challenges:
Organizations often struggle with compromised mobile applications and failing penetration tests. ASEE’s App Protector solution tackles this issue by reducing vulnerabilities and actively detecting and responding to threats in real-time. Through application hardening techniques such as code obfuscation, anti-tampering, and integrity checks, it becomes significantly more difficult for attackers to exploit vulnerabilities. Additionally, Runtime Application Self-Protection (RASP) technology monitors the application’s behavior and context, effectively blocking malicious activities like jailbreaking, rooting, debugging, hooking, emulator detection, and screen recording. This comprehensive approach minimizes the attack surface and ensures the security of your mobile applications against emerging threats.
Inadequate authorization mechanisms can expose organizations to unauthorized data breaches. ASEE’s Identity and Access Management (IAM) system enforces strict access controls, managing and authenticating the credentials of employees and third-party entities alike. This system ensures that only authorized personnel can access critical systems and data while maintaining detailed audit trails for enhanced security and compliance.
Weak authentication measures leave organizations susceptible to unauthorized access. ASEE addresses this by implementing Multi-Factor Authentication (MFA) and Adaptive Authentication. MFA adds an extra layer of security, making it difficult for unauthorized users to gain access even if credentials are compromised. Adaptive Authentication goes further by analyzing factors such as user behavior, location, device, and time of access to dynamically assess the risk level of each authentication attempt. This real-time analysis allows the system to respond immediately to potential threats, providing a smarter, more responsive security layer.
Unsafe password management by employees can lead to significant security risks. ASEE’s Passwordless authentication solution moves away from traditional password-based security, utilizing biometric authentication methods instead. This not only simplifies and secures the login process but also reduces security fatigue among users. With biometric credentials that cannot be easily stolen or replicated, organizations can ensure a higher level of security with less user friction.
By integrating ASEE’s tailored solutions, your organization can significantly enhance its security posture, protect critical data, and maintain compliance with industry standards.
Feel free to contact us – zero obligation. Our ASEE team will be happy to hear you out.