Attackers breached supplier systems to steal Airbus secrets
Thursday, September 26, 2019
ImmuniWeb founder, CEO and penetration testing specialist Ilia Kolochenko observed that targeting large enterprises through their suppliers and other trusted partners was not new.
“There is no need to undertake an expensive, time-consuming and risky assault of a castle if you can quickly get in via a loophole,” he said. “The problem is that most of the suppliers struggle to win bids in a highly competitive and turbulent global market, often in conscious disregard of cyber security fundamentals. Implementation of information security at a level comparable to their VIP customers will boost their internal costs, thereby considerably increasing their market prices, making them uncompetitive.
“Worse, large global companies such as Airbus have such a great wealth of countless trusted third parties across the globe that it would be virtually unfeasible to keep an eye on how cyber security is implemented at their suppliers without skyrocketing monitoring and compliance costs.
“Third-party risk management is still nascent in most of the organisations and is frequently composed of paper-based superfluous control. Nonetheless, we cannot rebuke these companies in doing so, as shareholders will unlikely agree to spend many millions on surveilling third parties at their own cost,” he said.
Kolochenko went on to explain that different national and regional security standards would make a tricky situation trickier still for the likes of Airbus. While globally recognised standards can ensure a baseline of security practice is in place, these standards would by no means guarantee protection, and additional monitoring of suppliers is needed.