How to secure your software supply chain against an attack:
Don't let third-party partners put you at risk.
Software supply chain attacks made serious headlines over the past year, and it’s likely you’ve read all about big ones like SolarWinds, Kaseya, and Log4j. But these incidents are far from the only cause for concern.
According to a study* from Argon Security (an Aqua Security company), software supply chain attacks increased by over 300% in 2021. Ninety-three percent of respondents in a recent BlueVoyant study confessed they’ve experienced a direct cybersecurity breach because of vulnerabilities in their supply chain, while 97% of organizations admitted they’ve been “negatively impacted by a cybersecurity breach that occurred in their supply chain.”
In the first piece of this three-part series, we reviewed how to conquer third-party risks. But why are software supply chain attacks growing in number? How are bad actors using supply chains to gain a foothold into an organization’s network? What can businesses do to shore up these vulnerabilities? Let’s discuss.
What is a supply chain attack?
Software supply chain attacks, commonly referred to as third-party attacks, occur when cybercriminals penetrate your system through an external provider or a third-party partner that has access to your systems or data.
You might be wondering to yourself, “How many outside vendors actually have access to my system?” The answer may surprise you. The average number of software vendors used by Fortune 1000 enterprises is 110, according to a session from this year’s RSA Conference. And there are countless risks to your organization’s supply chain.
Common supply chain vulnerabilities
You could have a malicious supplier. There could be buggy or vulnerable software. There could be unauthorized modification in the development or delivery of an application at any level of the supply chain. We are now hearing from some of the largest organizations in the world that bad actors are infiltrating partner organizations by posing as new hires. This method enables a malicious actor to gain access through their employer to the ultimate target: a downstream consumer partner.
There are several types of supply chain attacks, according to Fortinet:
- Stolen certificates. Hackers steal certificates used to guarantee the legitimacy or safety of an organization’s product and push malicious code under the pretext of that organization’s certificate.
- Compromised software development tools or infrastructure. Hackers introduce security weaknesses in the development process using tools for building software applications. This occurs before the process of creating an application even begins.
- Preinstalled malware on devices. Bad actors preinstall malware on phones, cameras, Universal Serial Bus (USB) drives, and other mobile devices. Malicious code gets introduced once the user connects the device to their system or network.
- Malicious code in components’ firmware. Cybercriminals put malicious code in firmware, giving them a foothold into a system or network.
Strategies for securing your software supply chain
The U.S. government is attempting to mandate supply chain security – but it’s complicated.
The Biden Administration’s Executive Order (EO) on improving America’s cybersecurity – EO 14028 – requires vendors to apply secure development and supply chain practices. However, EOs are only obligatory for federal departments and agencies and serve as guidance for the private sector.
In the absence of legal mandates, it will be challenging to get private organizations to enforce these policies. But, as supply chain attacks continue to grow in number, it’s worth following in the footsteps of industries with heavily regulated supply chains. Be sure to also keep an eye out for future regulations and guidance standards rolled out by the government – these may trickle into the private sector.
Additionally, consider limiting your supplier count. With fewer and better suppliers, you can decrease your organization’s risk by narrowing your focus and shrinking your attack surface. This tactic will minimize your chances of being exploited. Traceability concepts should be emphasized and documented, allowing organizations to share transparency, identify disruptions, and respond faster to issues. This also provides more visibility into the overall business needs.
Taking the temperature of your third-party vendors
Standardized information gathering (SIG) questionnaires are used to assess vendors and manage third-party risk. But they’re not always used to their full potential.
Tailor your questionnaires for the specific use case of each of your vendors, and make sure you’re asking the right questions. Don’t ask a vendor if they have a plan – inquire about the last time they tested it. Also, if a vendor has a high or critical rating, consider if executive-level approval should be required.
If you are leveraging automation and software connectivity, conduct periodic reviews of your organization’s interactions with partners via a standardized method like a Software Bill of Materials (SBOM). Make this an aligned part of your third-party risk assessment.
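The periodic SBOM review described above, as an added example that is not part of the original article or any vendor's tooling. It reads a CycloneDX-style SBOM (real field names such as `bomFormat`, `components[].purl`, `hashes[]`, but both documents here are constructed sample data), flags components that cannot be verified or matched against advisories, checks suppliers against an approved list you maintain, and reports which components appeared or disappeared since the last review:

```python
"""Review a CycloneDX-style SBOM as part of a periodic third-party review.

Added example; not from the original article or any vendor's tooling.
Field names follow CycloneDX JSON (bomFormat, components[].purl, hashes[]),
but both SBOM documents below are constructed sample data.
"""
import json
from collections import Counter

# Hash algorithms considered acceptable for verifying a delivered artifact.
STRONG_HASH_ALGS = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-384", "SHA3-512"}


def _component(name, version=None, purl=None, supplier=None, hashes=None):
    """Build one constructed component record in CycloneDX-style shape."""
    c = {"type": "library", "name": name}
    if version:
        c["version"] = version
    if purl:
        c["purl"] = purl
    if supplier:
        c["supplier"] = {"name": supplier}
    if hashes:
        c["hashes"] = [{"alg": alg, "content": content} for alg, content in hashes]
    return c


# Constructed components: one well-formed, one unversioned and unhashed,
# one from an unknown supplier with only a weak hash.
GOOD_PARSER = _component("fastjson-parser", "2.3.1",
                         "pkg:maven/com.example/fastjson-parser@2.3.1",
                         "Example Corp", [("SHA-256", "a" * 64)])
LEGACY = _component("legacy-utils", None, "pkg:maven/com.example/legacy-utils", "Example Corp")
AGENT = _component("telemetry-agent", "0.9.0", "pkg:npm/telemetry-agent@0.9.0",
                   "Unknown Vendor LLC", [("MD5", "b" * 32)])

# SBOM from the last review, and the one delivered today (constructed).
PREVIOUS_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                            "components": [GOOD_PARSER, LEGACY]})
CURRENT_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                           "components": [GOOD_PARSER, LEGACY, AGENT, GOOD_PARSER]})

# Suppliers your third-party risk process has already assessed (constructed).
APPROVED_SUPPLIERS = {"Example Corp"}


def review_sbom(sbom_json, approved_suppliers):
    """Return a list of (component label, issue code) findings for one SBOM."""
    components = json.loads(sbom_json).get("components", [])
    findings = []
    for c in components:
        label = f'{c.get("name", "<unnamed>")}@{c.get("version", "?")}'
        # Without a version the component cannot be matched against advisories.
        if not c.get("version"):
            findings.append((label, "missing-version"))
        # Without a strong hash the delivered artifact cannot be verified.
        hashes = c.get("hashes") or []
        if not hashes:
            findings.append((label, "missing-hashes"))
        elif not any(h.get("alg") in STRONG_HASH_ALGS for h in hashes):
            findings.append((label, "weak-hash"))
        # A supplier outside the approved list has not been through the risk process.
        supplier = (c.get("supplier") or {}).get("name")
        if supplier not in approved_suppliers:
            findings.append((label, "unapproved-supplier"))
    # The same purl listed twice usually signals a generation or merge error.
    for purl, count in Counter(c.get("purl") for c in components if c.get("purl")).items():
        if count > 1:
            findings.append((purl, "duplicate-entry"))
    return findings


def component_drift(previous_json, current_json):
    """Return (added, removed) purls between two reviews, sorted for stable reporting."""
    def purls(doc):
        return {c["purl"] for c in json.loads(doc).get("components", []) if c.get("purl")}
    prev, curr = purls(previous_json), purls(current_json)
    return sorted(curr - prev), sorted(prev - curr)


if __name__ == "__main__":
    for label, issue in review_sbom(CURRENT_SBOM, APPROVED_SUPPLIERS):
        print(f"{issue:20} {label}")
    added, removed = component_drift(PREVIOUS_SBOM, CURRENT_SBOM)
    print("added since last review:  ", added)
    print("removed since last review:", removed)
```

Run against a real SBOM, the drift output is what feeds the third-party risk assessment: every newly added purl is a component whose supplier and provenance have not yet been reviewed, while the per-component findings tell you which entries the vendor needs to fix before the SBOM is useful for vulnerability matching.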
Consider contractual SLAs for third-party incident and risk efforts, including response, support, and notification of any malicious or perceived malicious behavior.
Where to begin?
A realistic assessment of your supply chain security maturity is paramount. Establish a baseline using recommended guidelines and frameworks. MITRE’s System of Trust offers a framework for zeroing in on supply-chain-related risks that are most relevant and actionable to those involved in exchanging goods and services. Guidance standards can be found in the more common frameworks such as: NIST SP 800-161; NIST IR 7622; ISO 27036; and ISO 270243.
It’s also a good idea to seek approval for a supply chain steering committee, and if applicable, join industry efforts to attest secure code such as NIST Secure Software Development Framework (SSDF) practice groups and the Supply Chain Integrity, Transparency, and Trust (SCITT) initiative.
Consider investing in the most effective toolsets as well. Aside from SIG questionnaires, investigate application security and overall security posture, and continue to adopt a zero-trust approach by using tools like remote browser isolation. Additionally, adopt the zero-trust methodology for your DevSecOps teams and focus on mitigating vulnerabilities in source code throughout the entire process.
How SHI can help you secure your supply chain
Securing your software supply chain is becoming a necessary component of a cybersecurity strategy as it involves all aspects of the business, including security, legal, compliance and privacy, marketing, and more. Our experts will assess your security environment’s current state by focusing on application security, data security, and risk management.
With SHI’s Security Posture Review, we identify potential gaps within your environment’s entire security landscape. We will evaluate your security posture based on the implementation and maturity of technologies in your environment, taking a holistic approach to your organization’s security.
The Security Posture Review focuses on the following key areas:
- Gaps and blind spots
- Redundant costs and solution mix
- Solution modernization
- Tool integration
Software supply chain attacks are only increasing in size and sophistication. Now’s the time to make sure your largest gaps and vulnerabilities are addressed. Speak to one of our specialists today.
*link has been removed as of September 2024