One of the most notorious cyberattacks to arrive through the corporate supply chain happened in 2020. That is when attackers succeeded in inserting malware into the Orion software product sold by SolarWinds; the tainted product then infected thousands of SolarWinds’ corporate customers around the world.
Because of the stealth the attackers employed, and because they compromised so many victims at a single stroke, the SolarWinds attack demonstrates all the perils that can come from supply chain attacks.
So how can you protect your own organization from supply chain attacks? Start by identifying the risk factors. Knowing these factors will help you determine your protection strategy and keep adversaries out of your IT environment.
What Is a Supply Chain Attack?
A software supply chain attack occurs when an attacker compromises a software product, or a component it is built from, so that every organization using that product can be attacked at once. In the SolarWinds case, the attackers used the SUNSPOT malware to insert the SUNBURST backdoor into Orion builds.
SUNBURST is malicious code that can execute files, reboot the machine, and even disable system services. Worse, it carried out these activities at scale, because it shipped to every customer that installed the compromised product, which is why the attack had so many victims.
Other Examples of Supply Chain Attacks
In 2018, the event-stream attack caused some ripples in cybersecurity circles. Attackers injected malware into event-stream, a popular open-source JavaScript library. Their aim was to steal funds from bitcoin wallets, and they succeeded to some extent.
Two other supply chain attacks were discovered a few months earlier. One compromised a piece of server management software, while the other slipped a malicious package into Python’s official package repository, increasing fears of a widespread attack.
In 2021, the Mimecast attack also made waves worldwide. In this attack, hackers compromised a security certificate, affecting about 10 percent of Mimecast’s customers.
Guard Against These Supply Chain Attack Risk Factors
In cybersecurity, forewarned is always forearmed, especially for supply chain management risks and supply chain attacks. By recognizing your risk factors, you can detect threats, address vulnerabilities, and minimize risk.
Which risk factors are most common? Consider the following.
You use many commercial software products
Most modern organizations use commercial software applications for HR, financial services, accounting, operations, project management, and a host of other needs. Attackers may exploit the vulnerabilities in these applications, resulting in an attack against your critical assets or sensitive data.
You use many open-source software packages or components
Per one 2021 report, about 90 percent of companies use open-source innovations and source code to save time and money, accelerate innovation, and solve business problems. That said, security vulnerabilities are an ongoing problem with open-source components. The Equifax data breach from 2017, for example, is one well-known attack that exploited a vulnerability in an open-source component.
In 2021, more than 4,000 high-severity vulnerabilities were discovered in open-source components, which is why even President Biden’s cybersecurity executive order talks about the integrity of open-source and third-party software and securing the software supply chain.
Your vendor network is growing
The more software applications you purchase, the more your third-party vendor network grows and the more cyber threats can potentially enter your environment. If these applications contain vulnerabilities, they will increase your risk of supply chain attacks.
You source software from ‘risky’ foreign countries
Software that originates in some low-cost countries often contains exploitable vulnerabilities and malware. These gaps allow attackers to compromise the application and attack all its enterprise users. If you purchase software from such countries, be warned that you may be at risk of a supply chain attack.
How to Prevent Supply Chain Attacks
You want to eliminate the risk of supply chain attacks. As a practical matter, however, most businesses can’t simply stop using commercial software; nor are they likely to stop using open-source software or components. Also, your vendor network may continue growing, depending on your software requirements, budget, and vendor capabilities.
You can, however, minimize the risk of many types of supply chain attacks by following these best practices:
- Buy software only from trusted vendors
- Apply security patches and updates to all software and operating systems as soon as the vendor releases them
- Conduct regular audits of software assets and create a software inventory so you know exactly what needs to be protected
- Run regular vulnerability scans and penetration tests across your entire software environment
- Keep track of “shadow IT” software (that is, unauthorized software users install themselves) and remove such applications if you find vulnerabilities
You should also deploy client-side protection tools to stop malicious code before it is installed on your network, along with antivirus software and endpoint detection and response (EDR) tools to protect endpoints.
It’s also crucial to implement a comprehensive third-party cyber risk management program and conduct due diligence on every software vendor. Also assess providers’ security posture and check whether they have implemented a security framework to protect their software and minimize their attack surface.
Some other good practices for preventing supply chain attacks on your business:
- Implement code dependency policies so that only authorized applications and components can run on the network
- Make secure coding part of your company’s software development lifecycle (SDLC)
- Develop an incident response process for quick remediation of supply chain security incidents
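As an added illustration of the software-inventory and dependency-policy practices listed above (this is example code, not ZenGRC’s or any vendor’s tooling), the following Python script checks a pip-style requirements file against an approved inventory; every package name, version, and hash in it is constructed.

```python
"""Dependency policy check (constructed example, not ZenGRC code).

Parses pip-style requirement lines and flags any dependency that
(a) is not on the approved inventory, (b) is not pinned to a reviewed
exact version, or (c) carries no integrity hash, so an unexpected or
tampered package is caught before it reaches a build."""
import re

# Constructed approved inventory: package -> set of reviewed versions.
APPROVED = {
    "widgetlib": {"2.4.1"},
    "netutil": {"1.0.3", "1.0.4"},
}

# name, optional operator, optional version (hash options are split off first)
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|~=)?\s*([0-9][\w.]*)?")

def parse_requirement(line):
    """Return (name, operator, version, [hashes]) for one requirement line."""
    head, *opts = line.split("--hash=")
    m = LINE_RE.match(head)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
    hashes = [h.strip().split()[0] for h in opts]
    return name, op, ver, hashes

def check_requirements(text):
    """Return a list of (package, finding) for every policy violation."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, op, ver, hashes = parse_requirement(line)
        if name not in APPROVED:
            findings.append((name, "not in approved inventory"))
        elif op != "==" or ver not in APPROVED[name]:
            findings.append((name, f"version {op or ''}{ver or '?'} not reviewed"))
        if not hashes:
            findings.append((name, "no integrity hash pinned"))
    return findings

# Constructed sample lock file: one clean entry, one floating, one unknown.
SAMPLE = """
widgetlib==2.4.1 --hash=sha256:0123abcd  # reviewed build
netutil>=1.0   # floating range: any future release would be accepted
event-helper==0.9.0 --hash=sha256:ffff9999  # never reviewed
"""

if __name__ == "__main__":
    for pkg, why in check_requirements(SAMPLE):
        print(f"{pkg}: {why}")
```

Run it against a real requirements file by replacing SAMPLE with the file’s contents and APPROVED with your reviewed inventory; each finding is a package to review before the build proceeds.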
Protect Yourself from Supply Chain Attacks With ZenGRC
Visibility is crucial to understand your threat landscape and prevent supply chain attacks. Get this enhanced and granular visibility with ZenGRC. ZenGRC will help you see and understand your supply chain risks.
Use its insights to determine the action required to minimize these risks. ZenGRC will also allow you to make data-driven decisions about your security investments. Take advantage of expert-provided guidance, automated workflows, a built-in content library, and a single source of truth to enhance your software supply chain’s security and protect your organization from the bad guys.