Supply chain attacks are an emerging threat that targets software developers and suppliers. The aim is to gain access to source code, build processes, or update mechanisms and to infect legitimate applications so that they distribute malware.
How supply chain attacks work
Attackers hunt for unsecured network protocols, unsafe coding practices, and unprotected server infrastructure. They modify source code, hide malware inside the build, and tamper with the update process while the software is being built and released by a trusted source, so the resulting apps are signed and certified. In a supply chain attack, the vendor is unaware that the release carries malware, and the malicious code runs with the same trust and permissions as the legitimate software.
The more popular the app, the larger the number of victims. For example, in one case a free file-compression app was poisoned and delivered to customers in a country where it was the top utility app.
Types of supply chain attacks
- Compromised software build tools or update infrastructure
- Stolen code-signing certificates, or malicious apps signed using the developer company's identity
- Compromised specialized code shipped in hardware or firmware components
- Pre-installed malware on devices (cameras, USB drives, phones, etc.)
What can be done?
“What you don’t know can’t hurt you” has long been the oft-quoted remedy for not worrying about unknown problems. However, an unknown technology footprint can create significant headaches for an organization. Therefore, one needs to live by a new maxim: “What you don’t know can hurt you.”
At an organizational level, it is crucial to know your third parties, the technologies they deploy, and the platforms and hardware underneath them. The Apache Log4j vulnerability is a classic case: companies did not know what their providers' systems were built on, or whether Log4j was actually part of their product.
Some of the best practices for managing supply chain risks are:
- A comprehensive inventory of all assets within the CIO's organization, including shadow business applications bought by sales, marketing, quality, or shop-floor environments for industrial IoT and safety.
- Identify known third-party risks on an ongoing basis, not only in the primary technology but in the underlying platform or hardware used by the provider, and plan to remediate them. Often this leads to technology upgrades with cost elements or product support issues; in such cases, near-term mitigating controls will need to be identified.
- A process must be implemented for periodic audits of third-party systems to identify vulnerabilities, along with a detailed source code review for gaps. Insisting that the provider offer these as part of the procurement process will save heartburn later.
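To make the inventory point concrete, here is an added example (not from the original article) that walks a constructed dependency inventory and reports every path by which an advisory-affected component reaches the product, including through a provider's package, along with dependencies the inventory cannot resolve. Component names, versions and the advisory range are placeholders, not real advisory data.

```python
"""Find every path by which a known-vulnerable component reaches a product,
including via a third-party provider's package. All values are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed inventory: component -> (version, direct dependencies).
INVENTORY: Dict[str, Tuple[str, List[str]]] = {
    "our-product":      ("3.1.0", ["vendor-reporting", "internal-auth"]),
    "vendor-reporting": ("7.4.2", ["log4j-core", "json-lib"]),  # provider package
    "internal-auth":    ("1.0.0", ["log4j-core", "legacy-crypto"]),
    "log4j-core":       ("2.3.0", []),
    "json-lib":         ("2.9.0", []),
    # "legacy-crypto" is deliberately absent: an inventory gap.
}

# Constructed advisory (placeholder id and version range): affected_from <= v < fixed_in.
ADVISORIES = [{"id": "ADVISORY-PLACEHOLDER-1", "component": "log4j-core",
               "affected_from": "2.0.0", "fixed_in": "2.7.0"}]


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.0-rc1' -> (2, 3, 0): leading digits of each dot-separated piece."""
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in text.split("."))


def is_affected(version: str, adv: dict) -> bool:
    return parse_version(adv["affected_from"]) <= parse_version(version) < parse_version(adv["fixed_in"])


def find_exposure(inventory: dict, root: str, advisories: list):
    """Return (paths, unresolved): paths holds (advisory_id, [root, ..., component]) for each
    route to an affected component; unresolved holds chains ending outside the inventory."""
    paths, unresolved = [], []

    def walk(name: str, trail: List[str]) -> None:
        trail = trail + [name]
        if name in trail[:-1]:  # cycle guard: component already on this path
            return
        if name not in inventory:
            unresolved.append(trail)  # a blind spot: nobody inventoried this dependency
            return
        version, deps = inventory[name]
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv):
                paths.append((adv["id"], trail))
        for dep in deps:
            walk(dep, trail)

    walk(root, [])
    return paths, unresolved
```

Each reported path names the provider package through which the affected component arrived, which is exactly the information the Log4j case showed many companies lacked.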
While the points above pertain primarily to how one interacts with third-party providers, there are a few things one can do from a hygiene perspective.
- Limiting the number of privileged accounts: Most attackers go after these accounts to do significant damage, so reducing them reduces the overall attack surface.
- Reducing access to sensitive data: Treat sensitive data as your crown jewels. Access should be restricted to a select few, and access requests (successful and unsuccessful) should be monitored, including geofencing.
- Third-party vendor access: Tight control of third-party employees and contractors, covering what they have access to and the full life cycle of that access, needs to be implemented.
- Control shadow IT purchases: Any purchased technology system should go through a standard security check and be included in the overall tracking inventory to avoid surprises.
The world today runs on technology and is connected by strings of data, science, and digital artifice. Data is the most important asset today, yet it is constantly at risk.
Millions of people and their data are joined to the weakest link, which can stem from one small piece of hardware or software in a remote corner and bring a company to a standstill. So it is high time for organizations and professionals to understand the need for security at every end.
Focus on this blind spot, and find a way to stay abreast of risks and mitigate them.