Call us today on: +44 (0)203 88 020 88
SecureTeamSecureTeamSecureTeamSecureTeam
  • Home
  • Our Services
    • Infrastructure Testing
      • Internal Network Penetration Test
      • External Network Penetration Test
      • Wireless Network Penetration Test
      • Vulnerability Assessment
      • Network Segregation Test
      • Voice over IP (VoIP) Penetration Test
    • Application Testing
      • Web Application Penetration Test
      • Mobile Application Penetration Test
      • Desktop Application Security Assessment
      • Citrix Breakout Test
    • Configuration Review
      • Windows Server Build Review
      • Linux Server Build Review
      • Citrix Configuration Review
    • Information Assurance
      • ISO 27001 Gap Analysis
    • Cyber Essentials
  • News
  • Articles
  • About
    • About SecureTeam
    • STORM Appliances
      • Installing a STORM Device
      • Returning a STORM Device
    • White-Label Consultancy
    • Jobs
    • Cookie Policy
    • Quality Policy
    • Security Policy
    • Privacy Notice
    • Website Terms & Conditions
  • Contact Us

Articles

Home  >  Articles  >  Infrastructure  >  What is Cyber Supply Chain Risk Management?
NextPrevious

What is Cyber Supply Chain Risk Management?

Articles, Infrastructure | 29 April, 2021 | 0

Recent high-profile security incidents, such as the compromises at SolarWinds and CodeCov and the vulnerabilities in Microsoft Exchange Server, have drawn attention to the risks posed by the software we invite into the heart of our networks and often trust implicitly.

The processes and procedures for identifying and mitigating the risks posed by these third-party software systems is known as Cyber Supply Chain Risk Management or C-SCRM.  Whether it is an off-the-shelf software system or a library which is compiled into in-house developed software, understanding the supply chain that delivers the software onto our networks will help security managers to manage the risk.

There are essentially two types of risk associated with third party software: accidental security vulnerabilities that can be leveraged by malicious actors and deliberate software supply chain attacks.

 

Contents

  • 1 What are Software Supply Chain Attacks?
  • 2 How to defend against Software Supply Chain Attacks
  • 3 Enhanced Security Due Diligence when picking suppliers
  • 4 Deploy all software updates under a Change Control system
  • 5 Use file integrity monitoring to detect changes to software
  • 6 Protect and secure the development environment
  • 7 Follow supplier guidelines and security baselines
  • 8 Manage the ingress of software updates
  • 9 Manage vulnerabilities in well-known products and services
  • 10 Helpful resources

What are Software Supply Chain Attacks?

When a threat actor infiltrates a software vendor’s network (or an open-source code repository) in order to inject malicious code that will later be delivered onto a customer’s network as part of another software product, a software supply chain attack has occurred.

The compromised software may be subverted from the outset, or the compromise may interfere with legitimate patching and update mechanisms to deliver a malicious payload through the trusted update channel.

How to defend against Software Supply Chain Attacks

There are several strategies that can help defend against software supply chain attacks – either by reducing the probability of an attack or spotting an attempted attack quickly and defeating it.

Enhanced Security Due Diligence when picking suppliers

Choosing to work with suppliers who can demonstrate a mature and security minded Software Development Life-Cycle will help prevent malicious actors getting into the supply chain in the first place.  Conducting due diligence before entering into contracts with new suppliers and requiring them to maintain agreed standards of secure behaviour will help protect your network.

Use existing secure development standards to benchmark suppliers, such as the NIST Secure Software Development Framework or the payments centric PA-DSS.

Deploy all software updates under a Change Control system

If left to their own devices, many software products will download and install updates automatically and at their own schedule.  This can be a problem if the update mechanism is subverted by a malicious actor.

Rather than allowing direct updates to be solicited by each device on your network, channel the updates through a central update system that is under your control.  This means updates can be quarantined, validated and tested before they are deployed to production systems at a time of your choosing. For example SCCM or WSUS can be used to manage the deployment of Microsoft Windows updates and related products.

Use file integrity monitoring to detect changes to software

If you are controlling the timing of patch deployment and software upgrades, then any changes to software outside of the expected time window can be detected using File Integrity Monitoring systems.  This will help identify if a malicious actor is pushing updates or installing malware such as a Web Shell on your systems.

Protect and secure the development environment

In many organisations, the production systems and networks are the most secure. Test environments are a little less tightly controlled and the development environment has little or no security controls.  While this may help developers to ‘get on with their job’ it also makes it much easier for a malicious actor who has gained access to the network to interfere with the development systems including injecting their own malicious code into your applications.

Building applications and compiling code is a production level activity and the systems that perform these tasks should be secured accordingly to prevent tampering and subversion of your in-house applications or software delivered to your customers.

Follow supplier guidelines and security baselines

When installing third party software, follow the security recommendations provided by the vendor and revisit these recommendations in case they have changed since your system was first installed.  Vendors will update their security recommendations to reflect changes in the software design and evolving threats and vulnerabilities over time.  It is quite likely that the security best practices you followed seven years ago when the CRM system was first installed have changed since then.

Manage the ingress of software updates

A compromised software update system may pull updates from servers controlled by malicious actors rather than the software vendor.  If possible, use firewall or proxy rules to limit the IP address and URL the software may contact in order to request updates to known and trusted servers of the vendor.

When a new software update is downloaded, check the bill of materials to confirm what has been delivered matches what the vendor said would be changing.  If hash values/checksums are provided for the changed files then actually check them to ensure the files have not been intercepted and changed during transit.

Manage vulnerabilities in well-known products and services

The risks presented by third party software are not limited to supply chain attacks, traditional security vulnerabilities also pose a significant risk – especially for well-known products.

When a vulnerability is disclosed in a well-known product – such as Microsoft Exchange Server – malicious actors start to attempt to exploit the vulnerability within a few days.  Such is the speed with which newly disclosed vulnerabilities are attacked that Google’s Project Zero has recently added a 30 day grace period before disclosing the details of patched vulnerabilities in order to give time for customers to actually get the patches installed before the vulnerability is disclosed and comes under attack.

Users of well-known products and services are advised to actively monitor for the release of security alerts and hot-fixes in order to be able to respond in a timely manner. Waiting for the arrival of the monthly security patch bundle may well be too late for high-profile vulnerabilities – as was seen with the recent Exchange Server ProxyLogon vulnerability.

 

Helpful resources

Further advice and resources to help you develop your Cyber Supply Chain Risk Management approach:

  • Defending against Software Supply Chain Attacks – CISA
  • PA-DSS Guidelines for developing secure payment applications
  • OWASP Secure Coding Practices
  • Microsoft Security Development Lifecycle

 

Subscribe to our monthly cybersecurity newsletter
Stay up-to-date with the very latest cybersecurity news & technical articles delivered straight to your inbox
We hate spam as much as you do. We will never give your email address out to any third-party.
Security operations, software development, supply chain attacks

Related Post

  • What is PIPEDREAM malware?

    By Mark Faithfull

    Since Stuxnet was used to damage Iran’s nuclear aspiration in 2010, there has been a dawning realisation that malware is not just a threat in cyberspace – it can cause real world damage to industrialRead more

  • Why Asset Management is important for Cybersecurity

    By Mark Faithfull

    As a security manager you can only protect systems that you know about. Asset Management is the art and science of keeping track of all the devices connected to your network so that you canRead more

  • Managing Certificate Expiry

    By Mark Faithfull

    At the turn of midnight at the end of October, parts of Windows 11 suddenly stopped working. The reason why the Snipping Tool, touch keyboard and emoji panel refused to run was an expired certificate. Read more

  • What is Zero Trust Security?

    By Mark Faithfull

    Understanding the principles of Zero Trust Security will help Security and Network Managers evolve their network design to better defend against new and emerging cyber security threats and increased remote working. To understand and appreciateRead more

  • NAT Slipstream attack defeats NAT firewalls

    By Mark Faithfull

    NAT Slipstream allows an attacker outside the firewall to remotely access any TCP or UDP services running on a local machine, behind a NAT firewall, simply by tricking the victim into visiting a malicious website.Read more

NextPrevious

Recent Posts

  • Amex and Snapchat used in Open Redirect Attacks
  • VMware Patch Critical Authentication Bypass Flaw
  • Critical Confluence Vulnerability Exploited in the Wild
  • LinkedIn the Top Phishing Brand in Q2 2022
  • Microsoft Exchange Servers Open to Backdoor Hack

Recent Comments

    Archives

    • August 2022
    • July 2022
    • June 2022
    • May 2022
    • April 2022
    • March 2022
    • February 2022
    • January 2022
    • December 2021
    • November 2021
    • October 2021
    • September 2021
    • August 2021
    • July 2021
    • June 2021
    • May 2021
    • April 2021
    • March 2021
    • February 2021
    • January 2021
    • December 2020
    • November 2020
    • October 2020
    • September 2020
    • August 2020
    • July 2020
    • June 2020
    • April 2020
    • March 2020
    • February 2020
    • January 2020
    • December 2019
    • November 2019
    • October 2019
    • September 2019
    • August 2019
    • July 2019
    • June 2019
    • May 2019
    • April 2019
    • March 2019
    • February 2019
    • January 2019
    • December 2018
    • November 2018
    • July 2018
    • June 2018
    • April 2018
    • January 2018
    • October 2017
    BCS Cyber Essentials Cyber Essentials Cyber Essentials PLUS ISO 9001 ISO 27001
    information. secured.
    • Home
    • Our Services
      • Infrastructure Testing
        • Internal Network Penetration Test
        • External Network Penetration Test
        • Wireless Network Penetration Test
        • Vulnerability Assessment
        • Network Segregation Test
        • Voice over IP (VoIP) Penetration Test
      • Application Testing
        • Web Application Penetration Test
        • Mobile Application Penetration Test
        • Desktop Application Security Assessment
        • Citrix Breakout Test
      • Configuration Review
        • Windows Server Build Review
        • Linux Server Build Review
        • Citrix Configuration Review
      • Information Assurance
        • ISO 27001 Gap Analysis
      • Cyber Essentials
    • News
    • Articles
    • About
      • About SecureTeam
      • STORM Appliances
        • Installing a STORM Device
        • Returning a STORM Device
      • White-Label Consultancy
      • Jobs
      • Cookie Policy
      • Quality Policy
      • Security Policy
      • Privacy Notice
      • Website Terms & Conditions
    • Contact Us
    SecureTeam