Supply chain cyber attacks are trending up. While they aren’t new, there’s a clear and concerning trend taking place with third-party software and service providers rapidly becoming attackers’ favorite target. And it’s easy to understand why given the domino effect that supply chains present and adversaries simply needing to find a single weak link in what could be an extremely tangled, and vulnerable, web.
Fresh off the heels of the SolarWinds attack affecting government, military and more than 18,000 companies, there’s been a growing string of similar incidents targeting software security supply chains, which has even prompted the CISA to issue guidance on how organizations can defend themselves. As organizations across the globe begin to scrutinize supply chains and third party integrations in the wake of these large scale, highly impactful hacks, the question arises as to what steps can be taken to prevent similar instances in the future?
Unfortunately, there is no silver bullet that can eliminate the risk of breaches at the hands of third party services. That being said, these events do underscore the value of good security hygiene, solid IT practices, and verifying the integrity of software supply chains as key first lines of defense in maintaining the integrity and security of an organization. Here are three important lessons from the fallout of these recent incidents:
1. Speed and convenience must not come at the cost of security
The discovery and subsequent fallout of these recent breaches emphasize the importance of fundamental IT security practices, which all too often are sacrificed for speed and convenience.
For customers, it’s understandable that they would be victimized by this type of breach. After all, the convenience afforded by outsourcing key functions to third party software vendors is increasingly valuable at a time when quick software delivery has never been in higher demand. But customers also need to be aware of the risks inherent in the use of these third party services.
Any organization leveraging third party software must not take its convenience and claims of being secure at face value. Users need to pay close attention to the integrity of the services they use, assessing the security practices of the vendor as well as the details of any deployment for potential issues. Users must keep an eye out for bugs and suspicious activity, and make sure that access permissions are only given to these services when and where they are needed.
Ultimately, third party vendors and integrations are extensions of your organization and technological portfolio, and security should be emphasized and prioritized just as much as internal systems and software.
2. Container security is a must
As organizations continue shifting to the cloud, container security has never been more important to the business at large. In fact, one of the more recent third party supply chain attacks affecting Codecov found that, “threat actors had gained Codecov’s credentials from their flawed Docker image that the actors then used to alter Codecov’s Bash Uploader script, used by the company’s clients.” After establishing this initial point of intrusion, attackers were then able to switch out Codecov’s IP address with their own, providing a way to “silently collect Codecov customers’ credentials—tokens, API keys, and anything stored as environment variables in the customers’ continuous integration (CI) environments.”
Secrets management is a critical area of IT security, and in the modern software stack, many of these credentials are often used by containerized applications to authenticate with other services, such as databases or storage systems. Therefore, container security — including how credentials, certificates, and other secrets are managed during the build process — must be a top priority for organizations. As container images are an increasingly popular target for cybercriminals, the importance of managing container security will only grow.
3. ‘Trust but verify’ for third parties
Whenever a third-party dependency or component is used by an organization, there is some level of trust involved. At the base of every supply chain, there is also a ‘trust chain’ consisting of three layers: the system or software is not malicious, the vendor cares about security, and they know how to properly secure the solution they’re providing.
While trust is obviously easier when organizations personally know and have an established relationship with the third-party, this privilege rarely exists, making a ‘trust but verify’ approach paramount. This means that before integrating a third-party service, organizations conduct the proper due diligence needed to ensure that these vendors’ security standards are up-to-par, so that they don’t put themselves at unnecessary risk.
Additionally, this recent string of attacks highlights the importance of implementing a cyber -supply chain risk management strategy (C-SCRM). A C-SCRM is dependent on an organization’s use of third party software. In some cases where the primary concern is the open source libraries used in the applications an organization builds, this could be as comparatively simple as implementing software composition analysis to catalog and analyze the code dependencies. Most organizations, however, should consider augmenting this with a much more comprehensive risk management strategy.
Overall, the key principles of a successful C-SCRM policy are:
Treat C-SCRM as a mission critical security practice – because it is.
Know your supply chain.
Build controls appropriate to the criticality of each supplier.
The recent NIST publication (NISTIR 8276) offers a comprehensive overview of the practices that comprise an effective C-SCRM policy. But remember, C-SCRM is just one part of effective cybersecurity. In today’s age, all organizations must consider the totality of their attack surface – from email security all the way down to the smallest software library used in their applications.
Third party services are here to stay. They offer countless benefits for organizations looking to increase efficiency and offset workloads that don’t directly contribute to whatever their core missions are. But as malicious actors increasingly zero in on supply chain attacks, both third-party solutions providers and end users must make a more concentrated effort to move beyond a mindset of inherent security trust and shift to a ‘validation before implementation’ model.