By John Adams, Chief Executive Officer at Waratek,
According to Microsoft chief executive Satya Nadella, in the near future “every business will become a software business.” By leveraging the right applications and data, companies of all sizes and industries can make smarter decisions to beat their competitors and better serve their customers.
The problem in terms of application security, however, is that in many cases it’s not your own software you’re using. Nearly every organization makes use of applications from third-party vendors and suppliers, in what businesses like to call the “software supply chain.”
Over the past few years, we’ve seen a worrying rise in “supply chain attacks” that take advantage of these relationships between software vendors and their customers. For the strongest cybersecurity posture, companies must not pay attention to not only their own IT security, but also that of their suppliers and partners. In this blog post, we’ll discuss why you’re only as safe as the company you keep when it comes to application security.
What is a Supply Chain Attack?
Because you’re not automatically privy to the security practices of third parties, it’s easy to assume that the vendors and partners you deal with are completely secure and doing everything right. However, a recent series of high-profile cyber attacks have exposed the deep-seated problems with this presumption.
In 2014, for example, Home Depot suffered a massive data breach that exposed 56 million payment card details. Investigators later discovered that the hackers entered Home Depot’s IT systems using the login credentials of a third-party vendor.
Magecart, an attack that targets e-commerce sites and steals credit card data, has been well known for a couple of years now. In the early days, Magecart groups would look for common vulnerabilities on websites as a way to install the skimming software. Last year, these gangs upped the ante by injecting Magecart into third party code used by Ticketmaster for customer support during checkout.
As these headlines illustrate, a supply chain attack takes this idea of third-party vulnerabilities to the next level by embedding flaws and malware into a third-party or open source software. The attack then makes its way down the chain, implanting itself in the companies that use this software as well.
With the ubiquity of open source code use in software development, and the need for companies to create a seamless user experiences through integrations, the software supply chain is an attractive target. Companies must remain vigilant in assessing potential vulnerabilities in their own code, including open source libraries. In addition, they must also pay attention to the privileges given to third-party vendors and partners.
Supply Chain Attacks: Examples
Although still a relative rarity—partially due to the expertise needed to pull them off—supply chain attacks seem to be growing in number and scale in recent years. Cybersecurity firm Symantec estimates that supply chain attacks increased significantly by 78 percent in 2018.
In 2018, Bloomberg reported that some motherboards built by the hardware manufacturer Supermicro included malicious components that could spy on or interfere with the operations of the board. It was later discovered that these boards were running on servers used by companies such as Apple and Amazon.
The Supermicro online portal for software updates was also apparently breached in 2015 by Chinese hackers, allowing them to compromise the devices’ firmware and infect Supermicro customers such as Facebook. In this case, the malicious code allowed hackers to secretly control a server’s communications.
Meanwhile, the 2017 Petya/NotPetya worm managed to spread to more than 1,000 organizations and individuals in Ukraine using the tax accounting software MeDoc as a vector. According to researchers, MeDoc’s central software update servers were outdated and vulnerable to a security exploit that would have allowed attackers to compromise the company’s update functionality.
How to Protect Against Supply Chain Attacks
Protecting against supply chain attacks is no easy feat. The natural instinct for companies, especially those with less technical savvy, is to place trust in their software vendors and suppliers. However, it’s exactly this trust that the attackers seek to take advantage of.
The best defense against supply chain attacks for organizations that are at the end of the chain is to use strong endpoint security:
●Install updates and patches to all servers as soon as possible.
●Use antivirus and antimalware software that can detect and remediate suspicious files and activity on user devices.
●Test new software updates in a sandbox environment for strange behavior before deploying them to the organization at large.
In general, you should prefer larger, more mature vendors and suppliers—they’re more likely to have robust cybersecurity policies that can protect against a supply chain attack at the origin.
RASP (runtime application self-protection) is another way to protect systems and thwart unwanted code before execution. While an application is running, RASP technologies analyze its behavior at runtime, automatically detecting suspicious or malicious activities and blocking those behaviors before the program executes. RASP provides protection from both known and unknown vulnerabilities, which can also save countless hours of development testing when using open source and third party code.
Meanwhile, vendors should consider purchasing cyber insurance and undergoing external security audits such as penetration testing. Using security protocols like SSL/TLS and signing all files involved in software development are good ways to make the process much less tamper-proof.
John Adams is chief executive officer of Waratek. As CEO, John has complete responsibility for developing markets and operating all aspects of the organization’s global business. John has a rich history in security and medical technology with his experience spanning more than two decades. Prior to Waratek, John served as president & COO of SecurAmerica, leading the company’s expansion into nearly three-dozen new geographic markets and growing the company from 5 employees to over 5,000. In his career, John has also served as SVP N. America for London-based G4S (formerly Securicor) and held senior executive positions at US Surgical Corporation and Medline Industries. John holds an MBA in Healthcare Administration from Webster University and a BS in Business Administration/Accounting from Florida Southern College.