Cybersecurity for Technology and Software Companies: Threats, Risks, and Best Practices

Technology and software organizations may seem immune to cyberattacks, being at the coal face of digital. However, even technology companies are at risk from cyberattacks. As technology and software suppliers to industries across the spectrum, this sector is an ideal target for attackers wishing to infiltrate the supply chain. However, the tech sector is also a target in its own right. Software and technology vendors hold a treasure trove of intellectual property and large volumes of customer data. Recently, Dell was a victim of an unauthorized database intrusion that impacted 49 million customers.
MOVEit: How A Zero-Day Became a Supply Chain Nightmare
One of the most high-profile cyberattacks in recent history was Progress Software's MOVEit file-transfer app hack. The hacking group behind the infamous Cl0p (CLOP) ransomware exploited a zero-day vulnerability in the MOVEit platform that allowed an attack known as SQL Injection to be executed. The attack affected over 2,650 organizations that were customers of Progress Software. Companies impacted included financial services and government agencies. During the attack, the personal data of around 93.3 million individuals was exposed. Based on IBM data, estimated costs across the affected companies have been projected to be in the order of $9,923,771,385.
Top Cybersecurity Threats to the Tech and Software Sector

Like other sectors, the technology and software sector is at risk of multiple forms of cyberattacks. Some of the more common sector-focused threats are as follows:
Supply Chain Attacks
Software and technology vendors are typically integral to massive supply chains serving multiple sectors. Software supply chain attacks exploit the trust between customers and the processes used to supply software, such as upgrade processes. Technology suppliers may find that attackers target firmware or manufacturing. Supply chain attackers use spear phishing and social engineering tactics to infiltrate a software or tech vendor to gain unauthorized access to the chain. Compromised login credentials are the attackers' goal, and they then use these to gain higher privileged access, where they can infect the network or inject malicious code into the software upgrade process in the CI/CD delivery pipeline.
Another example of a supply chain attack is the attack on identity vendor Okta. Cybercriminals compromised employee credentials and accessed the Okta customer support management system, which allowed the attacker to gain unauthorized access to customer support files.
Data Breaches
Technology and software companies hold valuable customer data, intellectual property, source code, and company secrets. This makes them ideal targets for cybercriminals looking to steal data for follow-on attacks, sell on the dark web, or sell to competitors. Allegheny Health Network, a Health Tech vendor that makes home medical equipment and home infusion therapy services, was a victim of a data breach that affected 292,773 individuals. Stolen data included social security numbers and financial details.
GitHub Attacks
Many software and technology vendors store source code in a GitHub repository. GitHub is very popular, with over 212 million users and 253 million public repositories (or "repos") that hold source code. GitHub is also used to store other types of secrets, like API keys and login credentials. However, GitHub has vulnerabilities, including 80% of GitHub workflows having insecure default permissions. LexisNexis Risk Solutions suffered a data breach that exposed the personal information of over 364,000 individuals. The breach began with unauthorized access to its GitHub repository.
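As an added example (not code from this article or from GitHub), the following sketch audits GitHub Actions workflow files for the permission issue mentioned above: it flags jobs that declare no permissions block, and so inherit whatever default the repository or organization gives the workflow token, and any use of write-all. It assumes a simple line-based scan of consistently indented YAML rather than a full YAML parser, and the sample workflows are constructed for illustration.

```python
import re

KEY = re.compile(r"^( *)([\w-]+):\s*(.*?)\s*(?:#.*)?$")

def audit_workflow(text):
    """List GITHUB_TOKEN permission findings for one workflow file's text."""
    top = None            # value of a top-level `permissions:` key, if any
    jobs = {}             # job id -> value of its own `permissions:` key
    in_jobs, job_indent, child_indent, job = False, None, None, None
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:
            continue      # list items, blank lines, block-scalar bodies
        indent, key, value = len(m.group(1)), m.group(2), m.group(3) or "scoped"
        if indent == 0:
            in_jobs = key == "jobs"
            if key == "permissions":
                top = value
        elif in_jobs:
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:          # a new job id under `jobs:`
                job, child_indent = key, None
                jobs[job] = None
            elif job is not None:
                if child_indent is None:
                    child_indent = indent
                # only a direct child key of the job counts, not nested inputs
                if indent == child_indent and key == "permissions":
                    jobs[job] = value
    findings = []
    if top == "write-all":
        findings.append("workflow: write-all")
    for name, perm in jobs.items():
        if perm == "write-all":
            findings.append(f"{name}: write-all")
        elif perm is None and top is None:
            findings.append(f"{name}: no permissions block, inherits default")
    return findings

# Constructed sample workflows, not taken from any real repository.
SAMPLES = {
    "build.yml": "on: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
                 "    steps:\n      - uses: actions/checkout@v4\n",
    "release.yml": "on: [push]\npermissions: write-all\njobs:\n  publish:\n"
                   "    runs-on: ubuntu-latest\n",
    "lint.yml": "on: [pull_request]\npermissions:\n  contents: read\njobs:\n"
                "  lint:\n    permissions: {}\n    runs-on: ubuntu-latest\n",
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        print(path, audit_workflow(text) or "ok")
```

A finding of "inherits default" is a prompt to check the repository or organization setting for workflow permissions and to add an explicit, minimal permissions block to the workflow.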
Ransomware
Like many organizations that rely on data for operations, the tech and software industries are at risk from ransomware attacks. This sector relies heavily on its IT infrastructure to build products and deliver them to customers, making it even more vulnerable to the effects of ransomware. Ransomware is typically associated with data theft, which is then used to leverage the ransom payment.
Ransomware enters an organization using various routes, but phishing is a popular choice to initiate the attack chain by stealing login credentials. NVIDIA was a victim of the ransomware gang Lapsus$, renowned for phishing employees to obtain login credentials and gain unauthorized access to a network. NVIDIA saw 71,000 employees' credentials exposed during the attack.
Cybersecurity Challenges in the Tech and Software Sector
The tech and software sector has unique challenges that feed into security risks. The following are some of these challenges.
- Change management - infrastructure and software: Continuous cycles of upgrades and feature enhancements make software companies targets for supply chain attacks. Any vulnerabilities in a CI/CD delivery pipeline or the underlying infrastructure can be exploited.
- Secure coding: Many software applications depend on third-party libraries and open source, which can make maintaining a secure code base challenging.
- Opportunities and risks in integrating AI: Being at the cutting edge of technology, software and tech vendors are under pressure to incorporate new and emerging technologies, like AI, to keep up with market expectations. Emerging tech can harbor emerging vulnerabilities. Adding new features and using untested or emergent technologies can add vulnerabilities to a product's general code.
- Speed to market pressures: Software and tech are constantly evolving, which puts pressure on companies to get products to market quickly. If a company moves through the development lifecycle too quickly, insecure code can enter the solution, leaving anyone using the software vulnerable to cyberattacks.
- Valuable intellectual property, such as software code and design documents: Software and tech firms' value lies in their intellectual property (IP), which increases the risk of a cyberattack targeting IP.
- Reliance on cloud systems like GitHub: Software and tech companies often rely on cloud repositories like GitHub. Popular platforms are often targeted by cybercriminals, who use the repository to steal code or insert malicious code.
Regulations Affecting Technology and Software Companies

Software and technology companies are covered under many regulations and standards. In the USA the following are the most well-known:
- NIST Cybersecurity Framework (NIST CSF): The CSF is a framework that provides guidelines for managing security risk.
- ISO 27001: This information security standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system.
- Federal Risk and Authorization Management Program (FedRAMP): This program applies to all cloud services used by U.S. federal agencies. Suppliers must meet security requirements to mitigate the risk of data breaches and cyber threats.
- CISA (Cybersecurity Information Sharing Act): Covers information security sharing between private companies and the federal government.
Industry-specific regulations include HIPAA for companies working in the health sector and PCI-DSS for those handling financial transactions.
Mitigating Cybersecurity Risks: Best Practices

Like all sectors, software and technology vendors must take a defense-in-depth approach to security, deploying multiple measures to identify and prevent threats as they arise.
Identity Management
Robust identity measures are an essential and fundamental way to protect against unauthorized access and privilege misuse. The measures should include privileged access management, Zero Standing Privileges, and Just-in-Time (JiT) access. Together, these ensure that employees' access is on a need-to-know basis. Added to these measures should be phishing-proof multifactor authentication (MFA). This mitigates but does not eliminate risk.
Extended Detection and Response (XDR)
Software and tech vendors may use hybrid cloud environments and a wide range of domains. XDR detects, investigates, and responds to sophisticated cyber threats that can come in from multiple sources.
Enforce Encryption Use
Data encryption during storage, transfer, and sharing is essential and should be implemented across all touchpoints.
Anti-Phishing Tools
Phishing is a common form of attack on software and tech companies. Advanced anti-phishing solutions use AI and natural language processing (NLP) to identify and prevent evasive and complex phishing attacks.
Next-Gen Anti-Virus (NGAV)
NGAV is used on endpoints to prevent known and emerging malware threats.
Backup and Restore
Ransomware-resistant backup and restore should be used.
Audit and Monitor
Networks and endpoints should be monitored and audited for unusual behavior that could signal a cyberattack. Monitoring should extend to include GitHub repositories.
Security Awareness Training
Employees across the business should be trained in good security practices, like secure internet and mobile use. Security awareness training modules also include phishing recognition and social engineering awareness. Phishing simulation platforms provide ongoing training in phishing tactic recognition that can be tailored to individual employee needs.
Dark Web Monitoring
Cybercriminals use the dark web to gather intelligence on vulnerabilities in platforms like GitHub and open source code. They also use dark web marketplaces to buy and sell customer data and company IP. Tools like Sentinex offer deep insights into the dark web to detect potential exploits against a company's infrastructure or the sale of company or customer data.
Regular Risk Assessments and Vulnerability Scans
Software or technology companies' infrastructure must undergo regular penetration testing and risk assessments. These assessments should be extended to cover GitHub and other third-party repositories. The entire supply chain should also be assessed to ensure that it meets the required security posture.
Robust Incident Response Planning
If the worst happens and your company suffers from a cyberattack, having a robust incident response plan can help mitigate the attack's impact. NIST offers advice on creating an incident response plan.