9th May, 2022
Software supply chain security is an enormous concern for businesses today. According to a 2021 Argon cybersecurity report, software supply chain attacks increased threefold in 2021 compared to the previous year.
The constant race of companies to do things faster while delivering a better, richer user experience adds a multitude of vulnerabilities to the supply chain. Cybercriminals are exploiting these vulnerabilities and finding novel ways to launch attacks.
As a result, supply chain attacks are evolving all the time, so organizations need to understand supply chain security risks and how to mitigate them.
Orchestrating a supply chain attack requires sophistication and time. Cybercriminals still invest resources in such attacks because a successful endeavor can have far-reaching effects across multiple organizations.
Modern software and applications are not built from the ground up. Today most businesses use third-party vendors, APIs, and libraries. Cybercriminals use weak points in the software development pipeline to orchestrate supply chain attacks.
For example, a hacker can compromise a library of a particular vendor or open-source software. When an organization uses that library, it ships products with embedded malicious code or malware to the end-user. A popular library might be in use across hundreds or thousands of organizations. Many products can get corrupted with a single manipulated library. Supply chain attacks have caused disruptions to industries like shipping, financial services, and healthcare. And they have been used to conduct cyber espionage against government agencies.
Any organization with external source dependency is vulnerable to supply chain attacks. Furthermore, cybercriminals like this kind of attack because they can infiltrate multiple organizations and products through a single entry point and use the organization’s reputation to spread the malicious code to unsuspecting consumers.
Cybercriminals have developed multiple methods to take advantage of supply chain vulnerabilities. Here are some of the standard techniques used:
Exploiting Open-Source and Third-Party Code for RCE: Hackers seek opportunities to insert malicious code into open-source and vendor libraries. The corrupted library behaves like the original one. When organizations use these libraries, hackers can use Remote Code Execution (RCE) attacks to take over systems and steal or destroy data.
Stolen Code-Signing Certificates to Spoof Updates: Code-signing certificates are used to validate the integrity and authorship of code. When cybercriminals gain access to the code-signing credentials of a reputable company or vendor, they can use the certificate to insert fake updates into the software supply chain. Users of the code cannot distinguish the counterfeit updates from the real ones, and the final product is corrupted.
Compromised Identity and Access Management to Enter Systems: Maintaining passwords and network security is a high priority for organizations. However, employees often use weak passwords that hackers can easily crack. Moreover, lax audit trails can leave the accounts of former employees active. Hackers use these weaknesses in identity and access management to gain access to networks and insert malicious code into the software supply chain.
In recent years, supply chain attacks have become more sophisticated, with far-reaching effects. Here are some examples of the latest attacks:
SolarWinds Supply Chain Attack: In 2020, the highly publicized SolarWinds attack shook the cybersecurity industry. Hackers infected SolarWinds’ Orion platform with malware (later named SUNBURST) that affected 18,000 customers, including multinational companies and government agencies such as Cisco, SAP, Intel, Deloitte, Microsoft, NASA, the US Justice Department, and the US State Department. SUNBURST collected data from user systems and delivered it to attacker-controlled URLs.
Kaseya Supply Chain Ransomware Attack: In 2021, the Kaseya VSA endpoint management and monitoring tool was compromised through a supply chain attack orchestrated by the Russian cybercriminal syndicate REvil. It affected 50 of Kaseya’s direct customers, including Managed Service Providers (MSPs), with an additional 800 to 1,500 businesses affected downstream through the supply chain.
Log4j Vulnerability: In December 2021, a remote code execution vulnerability in Log4j, a widely used open-source logging API for Java, created a software supply chain crisis. An estimated 3 billion devices might be affected by the Log4j vulnerability. Read GlobalDots’ Log4j exposure report to learn more.
Supply chain risk mitigation requires a multi-dimensional approach.
You should have a clear understanding of what components go into your product. Gaining visibility into your software supply chain will help you understand potential vulnerabilities in the development pipeline. A technology partner with knowledge and experience can help you pinpoint weaknesses in your supply chain security.
Network security focuses on keeping the business running and protecting against attacks that stop operations. Data security focuses on keeping data from getting stolen or destroyed. Even though the processes might overlap, the separation of data security and network security makes the supply chain more resilient.
IT can focus on protecting against attacks, while data security specialists can concentrate on making sure the data is secure even if an attack happens. For example, data security specialists can protect data using encryption at rest.
Stronger data protection through zero trust principles, together with auditing vendors separately, is considered a more robust form of supply chain risk mitigation. Data is only valuable to cybercriminals if they can understand it. If you can protect the data during a network breach, your supply chain is safer.
For more robust supply chain protection, change your approach to protecting your endpoints. Build a security operations center (SOC) to gain more visibility into all the endpoints in your supply chain. You can continuously monitor your network and understand the vulnerable points in the organization, especially the integration points of the software.
You cannot eliminate supply chain threats, but how your security architecture is built significantly impacts your risk level. Separating data and network protection is an excellent idea if experts apply it so that the two work seamlessly together. A technology partner with a holistic view of your infrastructure is highly advisable.
Are you having difficulty with your supply chain risk mitigation strategy? Contact GlobalDots to improve your supply chain security today.