Supply chain attacks are not new, but the SolarWinds compromise set off a run of them. 2021 saw a string of sophisticated attacks, Codecov in April and Kaseya in July among them, and closed with the Log4j vulnerability disclosed in December.
Closer to home across the APAC region, we also see similar supply chain attacks in the healthcare, automobile and critical infrastructure sectors, to name just a few. The striking reach of the Log4j vulnerability, a single flaw in one open-source library, demonstrates the inherent risk in software supply chains.
As a Chief Information Security Officer (CISO), you are responsible for your organisation’s information and data security, keeping them safe from both internal and external threats. As the cybersecurity landscape changes, your responsibilities widen to cover a broader attack surface, especially as more WFH policies are implemented, and the CISO role itself evolves beyond a purely security function. However, if you have an insecure vendor in your chain of trust, your organisation is only as strong as that weakest link.
A supply chain attack takes advantage of trust relationships between different organisations and targets the weakest link in the chain. This is especially true as cybercriminals will face greater resistance from larger organisations that are better prepared for cyberattacks.
As a result, smaller and less secure third-party vendors are an easy way in. Modern software applications, such as websites or mobile phone apps, are built using complex supply chains of third-party libraries or open-source components.
It makes the work for software engineers easier — After all, why reinvent the wheel when there are off-the-shelf solutions? However, this can be where it spirals out of control.
Cybercriminals know that third-party providers often prioritise speed to market over security. That makes their build pipelines, repositories and distribution channels easier to compromise, and tampered code can reach you looking entirely legitimate.
By the time a software engineer inside an organisation consumes that code, it may already be too late, and the final application risks being compromised too. Attackers also understand that DevOps teams are driven by speed to make organisations more agile.
As a result, teams often develop and deploy applications without the necessary security checks. Attackers know this and exploit the gaps those sacrifices leave.
Furthermore, short of running it in a separate process or sandbox, there is no good way to partition third-party library code from your organisation’s in-house code: it is loaded into the same process and runs with the same privileges.
That means anything the application can do, every library it imports can also do. If the application can reach your database, nothing stops a library from doing the same.
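The point above can be made concrete. The following is an added example, not code from the original article: a stand-in for an untrusted dependency does its advertised job (trimming text) but, because it runs in-process, can also read a database connection string the application keeps in its environment. The same logic run in a child process with a scrubbed environment cannot. The environment variable name, the connection string and the helper itself are all constructed for the demonstration; no real package is involved.

```python
"""Added example: an in-process dependency shares every privilege of the
application that imports it; process isolation is one way to limit that.
The secret name, its value and the 'helper' are constructed for this demo."""
import json
import os
import subprocess
import sys

SECRET_ENV = "DATABASE_URL"                              # hypothetical setting name
SAMPLE_URL = "postgres://app:s3cret@db.internal/prod"    # constructed value, not real


def untrusted_helper(text: str) -> dict:
    """Stand-in for a third-party dependency. Its advertised job is to trim
    text, but it can read anything the host process can read."""
    return {
        "result": text.strip(),
        "leaked": os.environ.get(SECRET_ENV),   # same privilege as the application
    }


def run_in_process(text: str = "  hello  ") -> dict:
    """Call the helper the usual way: imported into the application process."""
    os.environ[SECRET_ENV] = SAMPLE_URL
    try:
        return untrusted_helper(text)
    finally:
        os.environ.pop(SECRET_ENV, None)


# The same helper logic, shipped to a child process as source text.
HELPER_SRC = """
import json, os, sys
text = sys.stdin.read()
print(json.dumps({"result": text.strip(), "leaked": os.environ.get("DATABASE_URL")}))
"""


def run_isolated(text: str = "  hello  ") -> dict:
    """Run the helper in a separate process with a scrubbed environment:
    only PATH (and SYSTEMROOT on Windows) is passed, so the application's
    secrets are not visible to it."""
    os.environ[SECRET_ENV] = SAMPLE_URL
    minimal_env = {"PATH": os.environ.get("PATH", "")}
    if "SYSTEMROOT" in os.environ:                       # needed for Python on Windows
        minimal_env["SYSTEMROOT"] = os.environ["SYSTEMROOT"]
    try:
        proc = subprocess.run(
            [sys.executable, "-c", HELPER_SRC],
            input=text,
            capture_output=True,
            text=True,
            env=minimal_env,
            check=True,
            timeout=30,
        )
        return json.loads(proc.stdout)
    finally:
        os.environ.pop(SECRET_ENV, None)


if __name__ == "__main__":
    print("in-process:", run_in_process())
    print("isolated:  ", run_isolated())
```

The isolated variant only removes what the child process inherits through its environment; it still has the application's filesystem and network access unless you add an OS-level sandbox (a container, seccomp profile or similar) on top. It is a blast-radius reduction, not a substitute for vetting the dependency.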
What can be done to mitigate these risks?
Supply chain attacks take advantage of unsecured trust relationships between a company and other organisations. Therefore, protecting against supply chain attacks requires a zero-trust approach to security.
Across the industry, security professionals are designing and rebuilding their strategies around a Zero Trust approach, one that trusts no user, device, or system, neither inside nor outside the perimeter.
While partnerships and vendor relationships are good for business, third-party users and software should have their access limited to what is necessary to do their jobs and be continually monitored.
Internally, it is also important to keep in mind some ways to mitigate the risks of these attacks:
- Implement Least Privilege: Many organisations assign excessive access and permissions to their employees, partners, and software. These excessive permissions make supply chain attacks easier to perform. Implement least privilege and assign all people and software only the permissions that they need to do their job.
- Perform Network Segmentation: It is usually impossible to gain complete visibility into the networks of the third-party software providers and partner organisations a company works with, due to legal constraints or other factors. This lack of visibility makes it difficult to monitor their supply chain security and the devices connected to their networks. Therefore, limit the access of third-party vendors and use network segmentation to break the network into zones based on business function. If a supply chain attack compromises one zone, the rest of the network is still protected.
- Follow DevSecOps Practices: By integrating security into the development lifecycle, including integrity checks on every dependency before it is built into a release, it is possible to detect whether a component has been maliciously modified.
- Automated Threat Prevention and Threat Hunting: Security Operations Centres (SOC) analysts should protect against attacks across all the organisation’s environments, including the endpoint, network, cloud, and mobile.
- Leverage Artificial Intelligence (AI) and Machine Learning: Smaller IT and security teams may be overwhelmed, and their visibility can get obscured by the sheer volume of data. Relying on AI capabilities and machine learning can help mitigate the risks, prioritise tasks and enable security teams to focus on what is critical across their digital environment.
At the same time, organisations need to know exactly which commercial and open-source products they are running, and be aware of and prepared for attacks that use legitimate software as the vector. A hygiene-focused, “prevention-first” approach to your security architecture improves visibility into your IT environment and helps close blind spots.
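Two of the measures above, the DevSecOps integrity check on dependencies and knowing which components you actually run, come together in one pipeline step. The following is an added example and not the article's own code: a pinned-hash check in the style of pip's --require-hashes, run against the artifacts a build fetched, which also emits the component inventory. The package names (acme-json, acme-log), the artifact bytes and the lock file are all constructed; the lock file is generated from trusted copies inside the block, which stands in for a one-time "generate hashes" step, and one fetched artifact is then altered to show the check failing.

```python
"""Added example: verify fetched dependencies against pinned SHA-256 hashes
and produce the inventory of what is about to be built. All inputs below
(package names, artifact bytes, lock file) are constructed for the demo."""
import hashlib
import re
from dataclasses import dataclass

# Lock line shape, in pip's --require-hashes style:  name==version --hash=sha256:<hex>
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    digest: str


def parse_lock(text: str) -> list:
    """Parse a lock file; every non-comment line must carry a hash, or we refuse it."""
    pins = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"lock line {lineno} is not pinned with a hash: {raw!r}")
        pins.append(Pin(m["name"].lower(), m["version"], m["digest"]))
    return pins


def verify(pins: list, artifacts: dict) -> dict:
    """Compare each fetched artifact's SHA-256 with its pin.
    A pipeline should refuse to build unless 'failed' and 'missing' are both empty."""
    report = {"ok": [], "failed": [], "missing": []}
    for pin in pins:
        data = artifacts.get(f"{pin.name}-{pin.version}")
        if data is None:
            report["missing"].append(pin.name)
            continue
        actual = hashlib.sha256(data).hexdigest()
        bucket = "ok" if actual == pin.digest else "failed"
        report[bucket].append(pin.name)
    return report


def inventory(pins: list) -> list:
    """The component list (a minimal SBOM) for this build."""
    return sorted(f"{p.name}=={p.version}" for p in pins)


# Constructed stand-ins for wheels obtained once from a trusted source.
GOOD_ARTIFACTS = {
    "acme-json-1.4.2": b"constructed wheel bytes for acme-json 1.4.2",
    "acme-log-2.0.0": b"constructed wheel bytes for acme-log 2.0.0",
}


def build_lock(artifacts: dict) -> str:
    """Stand-in for the one-time 'generate hashes' step run against trusted copies."""
    lines = ["# constructed lock file"]
    for key, data in sorted(artifacts.items()):
        name, version = key.rsplit("-", 1)
        lines.append(f"{name}=={version} --hash=sha256:{hashlib.sha256(data).hexdigest()}")
    return "\n".join(lines)


def demo() -> dict:
    """Lock the trusted set, then verify a fetched set in which one artifact was altered."""
    pins = parse_lock(build_lock(GOOD_ARTIFACTS))
    fetched = dict(GOOD_ARTIFACTS)
    fetched["acme-log-2.0.0"] = GOOD_ARTIFACTS["acme-log-2.0.0"] + b"\n# injected"
    return {"inventory": inventory(pins), "report": verify(pins, fetched)}


if __name__ == "__main__":
    print(demo())
```

The check only proves that what you fetched matches what you pinned; it does not tell you the pinned version was clean in the first place. That is why the lock file must be generated from copies you have reviewed (or whose provenance you can attest) and updated through the same review, and why the inventory it yields is worth keeping: when the next Log4j-style disclosure lands, it answers "are we running this?" in seconds.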
Not limited to technical issues
In today’s world, a CISO’s job is no longer purely technical. The growing complexity of security management means CISOs need technical knowledge and leadership skills, and must be attuned to business risk.
They are expected to show political discernment and business sense, and even to be rhetoricians: driving buy-in from the board for solutions and mitigation efforts, fronting explanations, and spelling out the impact of breaches such as Okta’s recent compromise.
Needless to say, the responsibilities of a CISO have drastically changed over the past decade due to the evolving security climate. As more and more applications are added to your IT ecosystem, security teams often struggle to keep updated on who is installing such applications and where. As a result, these applications can quickly become a liability.
Therefore, organisations need to have cutting-edge solutions to safeguard their assets. Good security infrastructure should adopt the BEST approach to security consisting of:
- Block threats in real-time: Prevention first, rather than detection alone
- Everywhere: Consolidated across networks, clouds and users
- Smart: Possess the capability of AI-powered prevention and operations
- Trusted: A reputable vendor that is trusted by other customers and industry experts
Look out for security solutions that can offer the BEST approach spanning mobile devices, network attacks, corporate emails, web servers, endpoints, IoT devices and cloud environments.
In cybersecurity, there is no substitute for getting this right. By the time you discover a compromise, the cybercriminals are already through the door and inside your network. Manage your risks, and don’t let your organisation become the enabler of the next big supply chain attack.