As organizations come to rely on third-party vendors to provide cybersecurity and software updates for their networks, software supply chain attacks are becoming more common. However, there are lessons to learn from previous attacks, including how to make them less likely to succeed against your organization and hand attackers free rein over your most sensitive data.
Let’s explore some of the methods for preventing these attacks from harming you and your customers.
What Are Software Supply Chain Attacks?
A software supply chain attack occurs when attackers infiltrate a software vendor’s network. Typically, they plant malicious code in the software before the vendor ships a new patch or update; newly released software can even be compromised as soon as it goes live.
Software supply chain attacks affect anyone using the compromised software, or whose personal information was exposed through the compromise. They can happen in every industry and can even affect critical infrastructure, government agencies, and customers in the private sector.
Example: SolarWinds Orion Attack
There are unfortunately many examples of software supply chain attacks in the digital age. However, one of the most notable recent events occurred in 2020 with the now-infamous SolarWinds Orion attack.
In this attack, hackers with ties to the Russian government infiltrated Orion, the flagship software of IT management company SolarWinds. Once inside, they sent out a software update that left tens of thousands of customers vulnerable to having data logs, emails, and other information stolen. Since multibillion-dollar companies and federal agencies used Orion to manage and protect their networks, this attack has had implications for national security.
The exact purpose of the attack is still mostly unknown. However, it could mean anything from future ransomware attacks to the distribution of classified information from the Department of Homeland Security. We may never know the true extent of the consequences, aside from its global scale.
What This Means for Businesses of All Sizes
Cybersecurity specialists are getting better at what they do all the time. However, cybercriminals and cyberterrorists are also getting better at finding workarounds. Now more than ever, businesses of all sizes need to have robust security measures in place to keep their networks, employees, and information safe.
The strength and sophistication of an organization’s cybersecurity measures are often consistent with their size. Large organizations usually have multiple locations and dozens or hundreds of points of vulnerability, but they also have larger security budgets and the ability to implement more robust measures. However, that isn’t always the case—some large organizations can also have lax security and bad data hygiene.
Cybercriminals and scammers tend to target smaller organizations because they know those businesses and agencies often don’t have the same level of security. However, they also know that these smaller organizations might sell to larger clients, making them especially desirable targets for software supply chain attacks.
Software Supply Chain Security Best Practices
Good Data Hygiene
Defending against software supply chain attacks requires everyone in your organization to practice good data and code-signing hygiene. At a glance, that typically includes the following across all parts of your organization, as well as your vendors:
- Knowing who has access to which types of data at all times
- Having security measures in effect for where your data is physically stored, such as server locations
- Keeping an active list of the number and identities of system administrators, both internally and through external vendors who have access to your data systems
- Updating your list of system administrators on a regular basis and removing those who no longer need access
Data encryption is one of the cornerstones of software supply chain risk management. Every organization in the supply chain needs it to protect systems from being compromised. This includes:
- Encrypting password information
- Using APIs and single sign-on features to protect digital points of entry
- Ensuring vendors are also using reliable encryption methods
- Keeping encryption methods and software patches updated regularly
Supplier Policy Vetting
External suppliers and open-source code are frequently the sources of supply chain attacks. In turn, it’s important to know exactly what your suppliers and vendors are doing to protect both their security and yours. These are some considerations most cybersecurity experts will recommend:
- Verifying vendor policies around system access for current and past employees, including username and password changes
- Reviewing both internal and supplier policies regarding mobile devices and laptop security measures
- Vetting supplier wireless network security procedures and monitoring capabilities
If your suppliers do not have some or all of these measures in place, you may need to either suspend your work with them until they resolve the issue or find another vendor who already meets these requirements.
Preventative Maintenance to Protect the Software Supply Chain
Preventative measures and maintenance are less expensive, less harmful, and less embarrassing than cleanup and recovery. Making sure your IT and developer teams, and your entire organization, take these preventative steps can keep your company safe. That includes:
- Ensuring that suppliers are maintaining firewalls and antivirus software to maximize their own security
- Maintaining your organization’s firewalls, using robust antivirus software, and implementing multifactor authentication wherever possible
- Regularly reviewing access and permissions on mission-critical files
- Reviewing business requirements for authorizations multiple times per year
- Using software testing tools to identify vulnerable open-source code before malicious actors can exploit it
Backups, Disaster Recovery, and Risk Communications
These are the pieces that most IT security professionals hope they never have to use. However, they’re also the most important methods for securing the software supply chain and preventing nightmare scenarios like what happened to SolarWinds. Some of the essential steps to take can include:
- Backing up all critical data and systems frequently
- Having an established, documented disaster recovery plan in place
- Testing your disaster recovery plan regularly as part of your team’s training
- Having a risk communications plan on hand for internal, external, and public stakeholders
Just as you might practice and prepare to evacuate your home during a fire or an earthquake, it’s important to have disaster mitigation plans in place for your organization in the event of cyberterrorism or other digital security threats.
How Vulnerability Testing Protects Your Assets
We’ve already mentioned the necessity of using software code analysis tools to identify and resolve vulnerabilities. Making Software Composition Analysis (SCA) and Static Application Security Testing (SAST) regular parts of your security measures can make a huge difference in protecting your organization and clients.
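To make concrete what "identifying vulnerable open-source code" and a Software Composition Analysis check actually do, here is a small added example (written for this article, not Kiuwan's own code). It parses a constructed requirements-style manifest, flags any pinned dependency whose version is below the fix version in a constructed advisory list, and also flags unpinned dependencies, since a loose range can silently pull in a compromised release. The advisory ids and package names are placeholders, not real identifiers.

```python
"""Minimal SCA-style check: pinned dependencies versus an advisory list.

The manifest and advisory data below are constructed for this example;
the advisory ids are placeholders, not real CVE or GHSA identifiers.
"""
import re

# Constructed advisories: a package is affected if its version < fixed_in.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "examplelib", "fixed_in": "2.3.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "netparse", "fixed_in": "0.9.0"},
]

# Constructed requirements-style manifest, one dependency per line.
MANIFEST = """\
examplelib==2.2.0   # below the fix version -> vulnerable
netparse==0.9.0     # exactly the fix version -> fine
toolkit==1.4.2      # no advisory -> fine
loosedep>=1.0       # not pinned -> flagged
"""

_PIN = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$")
_NAME = re.compile(r"^([A-Za-z0-9_.-]+)")


def parse_version(text):
    """'2.3.1' -> (2, 3, 1). Only numeric components are compared; tags like 'rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_manifest(text):
    """Return [(name, pinned_version_or_None)] for each non-empty, non-comment line."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN.match(line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
        else:  # ranges such as '>=1.0' or bare names are not reproducible pins
            n = _NAME.match(line)
            deps.append(((n.group(1) if n else line).lower(), None))
    return deps


def scan(manifest, advisories):
    """Flag dependencies that are unpinned or pinned below an advisory's fix version."""
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv["package"].lower(), []).append(adv)
    findings = []
    for name, version in parse_manifest(manifest):
        if version is None:
            findings.append({"package": name, "version": None, "status": "unpinned", "advisory": None})
            continue
        for adv in by_pkg.get(name, []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"package": name, "version": version,
                                 "status": "vulnerable", "advisory": adv["id"]})
    return findings


if __name__ == "__main__":
    for finding in scan(MANIFEST, ADVISORIES):
        print(finding)
```

A real SCA tool adds transitive dependencies, a maintained advisory feed, and proper version-specifier handling, but the core decision is the same comparison shown here.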
Kiuwan offers tools and add-ons that can help you find risky code before the criminals can. That way, you can use both your vendors’ software and deploy your own with peace of mind. Not only does it offer rapid results, but it also provides insights into different types of security risks your software may have—all with a clear, full-coverage view of your product suite.
Start Your Free Trial to Prevent Software Supply Chain Attacks
Supply chain attacks aren’t going anywhere. Ensuring everyone in the supply chain is delivering and using secure code plays a huge role in thwarting all types of cyberattacks. Having code analysis and governance tools in place can help prevent these software supply chain attacks. To see how Kiuwan can reduce your cyber risks, start a free trial of our application security software today!