According to the Nation, cyber attacks have increased by 100% due to poor detection and lack of capacity to respond to crime. Due to this growing global concern, The Communications Authority of Kenya (CA), through the National Computer Incident Response Team Coordination Center (National KE-CIRT/CC), wishes to issue an advisory on supply chain risks in third-party software. This follows cybercriminals going forward will exploit the vulnerability within the supply chains to hit their targets.
Kenya is yet to be affected by the adverse attacks as at now but the trend depicts a serious concern in cybercrime management and thus a precaution should be taken when dealing with outsourced products and personnel. The advisory, therefore, is to enable ICT users to make informed and risk-free decision on the choices of their products by engaging Cybersecurity experts. A supply chain attack also called the value-chain or third-party attack occurs when someone infiltrates a system through an outside partner who validly has access to the systems and data. This can lead to the loss of critical data and even financial assets. The attacker takes advantage of the inherent trust between users and their software providers.
Banks, Saccos, Hospitals, Telecommunication companies would be at high risk in any case of cyber-attacks. Majority of cyber-attacks originate from the supply chain or from the external parties exploiting security vulnerabilities within the supply chain. There have been successful attacks in 2016 and 2017 with cybercriminals focusing on the 2018 and beyond. With Supply chain attacks moving into the mainstream of cyber-attacks it is best to be on the lookout.
There has been an increase of offers of free anti-malware products by vendors with complex disclosure statements that are in part designed to obscure intent as to what data is being collected and whether it can be sold or any other breach. The free anti-malware is then used as a bait to lure the unsuspecting users, while the real intention is to have the anti-malware installed into a system, then use it to capture personal and confidential data. These vendors later monetize the data collected or use it to their political or business advantage. This trend applies not only to anti-malware solutions but also any other third party software.
The Authority is, therefore, advising the public as follows:
- That end users treat free or low-cost cybersecurity software as potential threats and where possible refrain from the usage. They should strive to determine their monetization methods and their policies. To this end, users should endeavour to read the terms and conditions of their usage however lengthy they are.
- That organization and government institutions properly vet software vendors in order to ascertain any concealed motive that might work against their interests especially with products interacting with organization’s critical infrastructure. Products or vendors with tainted history should be dealt with as a risk, and constant reviews carried out.
- Kenyan ICT consumers should be concerned about the safety of their data more than ever before. Cybercriminals have changed tact and are now using third-party software to deliver threats to unsuspecting users in an attempt to compromise their personal data. Consumers should thus avoid “they will do it” approach but should rather collaborate with the service providers in securing the services.
Always keep your data safe wherever you are. 8 ways of keeping safe while using public Wi-Fi hotspots
Featured image via https://logicalhacking.com.