Supply Chain Risks
- Hijacking software updates: In addition to adding malware to updates to potentially affect numerous victims, as in the SolarWinds attack, the attackers may also alter the update so they can take control of the software’s functionality.
- Undermining code signing: Code signing validates the identity of the software code author and the integrity of the code. Attackers can undermine this process by self-signing certificates or by exploiting misconfigured account access controls. This lets attackers impersonate a trusted vendor, hijack software updates and insert malicious code into them.
- Compromising open-source code: In these attacks, the attackers insert malicious code into publicly accessible code libraries, which are then downloaded by unsuspecting developers.
Key Recommendations
- Establish a set of security requirements or controls for all suppliers, based on the criticality of the supplier and the access it is granted to the organization's information and communications technology.
- Use supplier certifications to ascertain whether a supplier incorporates secure software development practices throughout all life cycle phases, actively identifies and discloses vulnerabilities, and maintains a product vulnerability response program.
- Ensure that vendors enforce supply chain security requirements that meet the standards used by the purchasing organization.
- Perform in-house and third-party code review, analysis and testing.
- Use properly configured build processes to improve the security of executable code.
- Configure software so that it is secure at the time of installation. This should involve avoiding the use of hard-coded passwords, enabling firewalls and providing mechanisms to verify software integrity, so that any tampering with the software can be detected before it is installed.
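The two points above about undermined code signing (self-signed certificates in place of the vendor's key) and about verifying software integrity at installation time come together in an updater's verification step. The following is an added illustration, not code from the original page or from any vendor or standard it summarizes: a small Go program using only the standard library's Ed25519 and SHA-256 support. The vendor name, key pair, version string and update payload are all constructed in the program; the pinned publisher list stands in for a trust anchor that a real updater would ship out of band rather than download alongside the update.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Publisher is a pinned trust anchor: the vendor's release-signing public key,
// distributed out of band (e.g. baked into the updater), never fetched with the update.
type Publisher struct {
	Name string
	Key  ed25519.PublicKey
}

// Manifest travels with an update artifact: the expected SHA-256 of the artifact,
// a signature over version+digest, and the key that (claims to have) signed it.
type Manifest struct {
	Version   string
	SHA256    [32]byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

var (
	ErrUnknownSigner  = errors.New("signer key is not a pinned publisher key")
	ErrBadSignature   = errors.New("signature does not verify under signer key")
	ErrDigestMismatch = errors.New("artifact digest does not match signed manifest")
)

// signedMessage binds the version string to the digest so a genuine signature on
// one release cannot be replayed as a different version.
func signedMessage(version string, digest [32]byte) []byte {
	return append([]byte("update-v1\x00"+version+"\x00"), digest[:]...)
}

// SignRelease is what the legitimate vendor's release pipeline does.
func SignRelease(priv ed25519.PrivateKey, version string, artifact []byte) Manifest {
	d := sha256.Sum256(artifact)
	return Manifest{
		Version:   version,
		SHA256:    d,
		Signature: ed25519.Sign(priv, signedMessage(version, d)),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyUpdate is the installer-side check, in the order a defender wants:
// 1. the signer must be a pinned publisher (a self-signed key is rejected here),
// 2. the signature must verify over version+digest under that pinned key,
// 3. the artifact actually received must hash to the signed digest.
// It returns the verified publisher name on success.
func VerifyUpdate(artifact []byte, m Manifest, trusted []Publisher) (string, error) {
	var pub *Publisher
	for i := range trusted {
		if bytes.Equal(trusted[i].Key, m.SignerKey) {
			pub = &trusted[i]
			break
		}
	}
	if pub == nil {
		return "", ErrUnknownSigner
	}
	if !ed25519.Verify(pub.Key, signedMessage(m.Version, m.SHA256), m.Signature) {
		return "", ErrBadSignature
	}
	if sha256.Sum256(artifact) != m.SHA256 {
		return "", ErrDigestMismatch
	}
	return pub.Name, nil
}

// RunScenarios builds a constructed vendor key pair and update, then exercises the
// genuine case and three tampering cases; the outcome of each is returned by name.
func RunScenarios() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := []Publisher{{Name: "ExampleVendor (constructed)", Key: vendorPub}}
	artifact := []byte("constructed update payload v2.1.0")
	genuine := SignRelease(vendorPriv, "2.1.0", artifact)

	out := map[string]error{}
	_, out["genuine"] = VerifyUpdate(artifact, genuine, trusted)

	// Hijacked update: artifact bytes replaced, manifest left untouched.
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0xff
	_, out["tampered_artifact"] = VerifyUpdate(tampered, genuine, trusted)

	// Manifest digest rewritten to match the tampered bytes, vendor signature reused.
	forged := genuine
	forged.SHA256 = sha256.Sum256(tampered)
	_, out["forged_manifest"] = VerifyUpdate(tampered, forged, trusted)

	// Self-signed release: a consistent manifest signed by a key nobody pinned.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	selfSigned := SignRelease(attackerPriv, "2.1.0", tampered)
	_, out["self_signed"] = VerifyUpdate(tampered, selfSigned, trusted)
	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

The ordering matters: checking the pinned key first means a self-signed manifest is rejected before any cryptography is done on it, and hashing the received bytes last means the digest in the manifest is only trusted once the signature over it has verified. In a real updater the pinned public key would be rotated through a signed key-rotation mechanism, not by accepting whatever key arrives with the update.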
Additional Advice
Enterprises need to follow a layered defense approach to protect their assets when a breach occurs via a supply chain vendor. They need to have zero-trust security built in, with controls to prevent lateral movement of threats and egress filtering to prevent data exfiltration.
Organizations also need to conduct code reviews. These reviews assess whether software contains embedded malware introduced through malicious code commits or through compromised third-party dependencies.
Companies should monitor user activity at the application, network and device levels so they can detect suspicious behavior that may be linked to intruders exploiting a zero-day vulnerability, one that researchers and the product vendor have not yet discovered.