What should 3CX customers be doing now after the supply chain attack?

You can only act if you have planned how to. It is beyond question that you will become the victim of a cyber attack one way or another, and there is a good chance it has already happened. The only question is how badly the attack will affect you. There is no way to predict what will happen, but you can certainly plan for an attack to occur.

The 3CX case is, in broad terms, a supply chain attack: a firm is compromised through third-party software it acquired to meet a business need, in this case VoIP calling. Could 3CX's clients have predicted this attack? I would say no. Could 3CX's customers have prepared for situations like it? Certainly yes.

How can 3CX customers prepare for attacks?

The hardest part of securing your company and making it resilient is juggling all the moving parts in your environment. In the past, that environment was a well-protected castle with few ways in or out. Today you are connected to your cloud provider, to the online services of your customers and partners, and to your suppliers.

Layered security

You have to manage all the software installed on your internal IT infrastructure and on every device your employees use, along with their privileges, roles, authentication, authorisation and access rights. Your security strategy therefore has to be built in several layers, so that it still holds when one of them fails. You also need a yardstick that shows you where your protection is already at a good level and where it still needs work.

Do fire drills

Then make a plan for how you will combat attacks and how you will act when you are attacked, including when the attack succeeds. Only with a plan will you be able to act. Once you have one, run fire drills to test it. Cybersecurity is not a static, one-time exercise: in an ever-changing cyberspace your plans must be tuned to withstand the attacks you can expect and to build resilience against them. Run fire drills against your plans and adjust them as needed.

Conduct software inventory

As far as the supply chain goes, you must know what is in it before you can protect yourself. You need a detailed inventory of your assets, software and hardware alike, including the versions of the software installed, so that you can react to any reported attack or vulnerability in the software you use. Make sure you know about every piece of installed software.

It is important to get a handle on shadow IT, where employees install software you know nothing about. It goes without saying that endpoint protection and network protection are controls you cannot do without.
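The inventory and shadow IT points above come down to one routine check: take what your endpoints actually report as installed, compare it with the vendor's advisory and with your approved catalogue, and get a list of hosts to act on. The script below is an added example for this article, not code from 3CX, from Synopsys or from the author. Every value in it is constructed: the host names, the approved catalogue, the observed installs, the product name and the version numbers are placeholders, and the Advisory record would be filled from the list of affected and fixed versions the vendor actually publishes.

```python
"""Cross-check an installed-software inventory against a vendor advisory.

Added example for this article, not code from 3CX, from Synopsys or from the
author. Every value below is constructed: host names, the approved catalogue,
the observed installs and the advisory versions are placeholders. Replace the
Advisory with the affected and fixed versions the vendor actually published
before running this against real inventory data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    product: str
    affected: frozenset   # exact versions the vendor lists as compromised
    fixed_in: str         # first version the vendor declares clean


def parse_version(text: str) -> tuple:
    """'18.12.4' -> (18, 12, 4). Non-numeric pieces sort as 0 so comparisons never raise."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def classify(install: Install, adv: Advisory) -> Optional[str]:
    """Return 'compromised', 'outdated' or None for one install against one advisory.

    Only versions the vendor explicitly lists count as compromised: in a supply
    chain attack an older build may well be clean, so 'older than the fix' is
    reported separately as 'outdated' (confirm with the vendor, then update).
    """
    if install.product != adv.product:
        return None
    if install.version in adv.affected:
        return "compromised"
    if parse_version(install.version) < parse_version(adv.fixed_in):
        return "outdated"
    return None


def build_report(observed: Iterable[Install], approved: set,
                 advisories: Iterable[Advisory]) -> dict:
    """Hosts to act on, grouped by finding type, plus software outside the catalogue."""
    observed = list(observed)
    report = {"compromised": {}, "outdated": {}, "shadow_it": []}
    for adv in advisories:
        for inst in observed:
            finding = classify(inst, adv)
            if finding:
                report[finding].setdefault(adv.product, set()).add(inst.host)
    # Sort host sets so the output is stable and easy to diff between runs.
    for key in ("compromised", "outdated"):
        report[key] = {p: sorted(h) for p, h in report[key].items()}
    report["shadow_it"] = sorted(
        f"{i.host}: {i.product} {i.version}" for i in observed if i.product not in approved
    )
    return report


# Constructed sample data (not real products, hosts or versions).
APPROVED = {"VoIP Desktop Client", "Office Suite", "Browser"}
ADVISORIES = [Advisory("VoIP Desktop Client", frozenset({"4.2.0", "4.2.1"}), "4.3.0")]
OBSERVED = [
    Install("fin-ws-01", "VoIP Desktop Client", "4.2.0"),   # listed as compromised
    Install("fin-ws-02", "VoIP Desktop Client", "4.3.0"),   # already on the fixed build
    Install("hr-ws-07", "VoIP Desktop Client", "4.1.9"),    # older than the fix, not listed
    Install("hr-ws-07", "Screen Recorder Pro", "3.1"),      # not in the approved catalogue
    Install("dev-ws-11", "Browser", "112.0"),
    Install("dev-ws-11", "VoIP Desktop Client", "4.2.1"),   # listed as compromised
]

if __name__ == "__main__":
    for section, findings in build_report(OBSERVED, APPROVED, ADVISORIES).items():
        print(section, findings)
```

The point of keeping "compromised" and "outdated" apart is that a trojanised release is not the same as an old one: the hosts on a listed version need isolation and forensic triage, the merely outdated ones need an update, and the shadow IT entries need an owner before you can even ask which advisory applies to them. In practice the OBSERVED list would come from your endpoint agent's software inventory export rather than being typed in.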

As far as your own development goes, make sure your development process has security in mind and uses the application security testing (AST) tooling needed to deliver secure software to your customers and partners. The last thing to consider is education. Train your employees to recognise a cyber attack and to know how to act when one happens. Educate them on security and they will become assets on the way to your company's resilience.

Boris Cipot is the Senior Security Engineer at Synopsys Software Integrity Group.