What is a software supply chain attack?A software supply chain attack involves the infiltration and corruption of a software company’s product. The attacker inserts malicious code into a software component that is then compiled into a software package update. The compromised package is subsequently made available to customers of the software provider as an update to the package they are currently using. The update becomes the vehicle for hackers to then penetrate the IT environments of the software company’s customers.
The most recent examples of these kinds of attacks include SolarWinds Orion software and Kaseya’s Virtual System Administrator (VSA) software. Both software packages are used by companies to monitor and manage their IT environments. In December 2020, it was discovered that hackers had inserted malicious code into an Orion software update that was subsequently distributed to hundreds of companies and government agencies. The apparent aim was theft of intellectual property and espionage. In July 2021, it was discovered that hackers infiltrated Kaseya’s systems and inserted malicious code into a VSA software update. This update was distributed to approximately 60 managed service providers (MSPs), allowing the hackers to insert malicious changes and infect over 1,000 companies with ransomware.
What does a managed service provider do?A managed service provider delivers services, such as network, application, infrastructure, and security, via ongoing and regular support and active administration either on customers’ premises, in their own data center (hosting), or in a third-party data center. MSPs often provide hosting for an organization’s data as well as its systems.
What factor did trust play in these incidents?
- Organizations assume that software updates from a verified source are unadulterated
- It is assumed that MSPs will take proper steps to shield their customers from harm
- Both software companies and MSPs are seldom subject to audit by their customers
What is the cost to compromised organizations?
- Compromise of key financial systems and unauthorized movement of funds
- Investigative costs to ascertain the scope of the breach
- Costs required to sanitize the IT environment and remove any back doors
- Impact of public disclosure on stock value and market share
- Cost of lawsuits and potential regulatory actions
- Price increases for cyber insurance or cancellation of policy
Some of the ways to protect your organization
- Supply Chain and Vendor Risk Management – Review your previous vendor risk management (VRM) assessments. It may be time to perform a new one.
- Zero Trust Architecture – Zero Trust requires all users, local and remote, to authenticate, be authorized and validate their security configuration before getting or retaining access to corporate applications, systems, or data.
- Network Segmentation – As its name implies, network segmentation is splitting a computer network into subnetworks, each one being a separate network segment.
- Identity and Access Management – This enables granular access control and auditing of all IT assets on premises and in the cloud.
- Security Operations Center (SOC) Risk Management – The focus of a SOC is the round-the-clock monitoring, management, and operational improvement of the organization's security posture.
These are simplified explanations of some (but not all) of the steps you should be taking. For more detail on how to protect yourself and your customers, be sure to watch our Supply Chain Cyber Attack webinar.