Supply chain security issues are not exactly new. High-profile attacks, like SolarWinds in 2020, were a big wake-up call for many people because they brought home just how far-reaching and destructive these attacks could be.
The threat from supply chain partners remains one of the most significant sources of security breaches. The SANS 2023 Attack and Threat Report found that 40% of breaches in 2022 occurred through supply chain partners.
But other sources point to even higher figures. Verizon's latest Data Breach Investigations Report puts that figure at 62%. Verizon also pointed out a critical and unsettling fact: some attackers, such as nation-state threat actors, are more interested in access than in exfiltrating data. The report called the compromise of the right partner a "force multiplier," because the attacker can lurk undetected on the network for a long period, monitoring proprietary information and business activity.
How vulnerabilities happen
Think about how software development happens these days. Your vendor is probably using open source software, that open source software is probably using other open source software, and you end up with a huge chain of dependencies.
A vulnerability introduced at any point along that chain can propagate down to your organization.
Large vendors often build on open source software when developing a product. Anyone can submit pull requests to those projects to fix bugs or add new features. Could something malicious be introduced through one of those pull requests? It has happened before and will surely happen again. Modern software has so many dependencies that the supply chain is a huge source of potential vulnerability.
We saw this with Log4j in December 2021, when a critical vulnerability was disclosed in this widely used logging library. As an Apache project, it was embedded in many popular services and frameworks, and consequently the vulnerability had widespread effects across the entire industry.
The maturity of your security posture
In an ideal situation, you know all your dependencies across all the software you use within your organization. You would also know what CVEs and other vulnerabilities are in those dependencies and whether they are actually exploitable. You’d have dedicated threat hunting staff and be able to patch vulnerabilities in real time.
However, this isn’t feasible for most organizations. We should certainly strive for this ideal, but we recognize it’s not always attainable, especially for smaller organizations.
How to reduce your risk
Strive to institute security practices that minimize the impact of potential supply chain threats. You know there will be vulnerabilities in software you use, and you can't eliminate them yourself, because you don't control that dependency. It's part of your software supply chain.
Here are three things that any organization, regardless of size or maturity, can do to reduce supply chain risk:
- Ask yourself, "Have I done my best to limit access to these resources?" This means implementing least-privilege practices that restrict access and minimize the attack surface.
- Implement automated vulnerability scanning of your code and its dependencies so that you are continuously monitoring your environments.
- Aim for a rapid mean time to patch so that you can limit the damage when a vulnerability does arrive through your software supply chain: minimize the impact, detect threats as quickly as possible, and remediate them as quickly as possible.
If you’re developing systems that allow you to do those three things, then you’re making the best effort that you can, and that’s more realistically attainable than the “ideal.”
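The dependency chain described above, and the inventory the "ideal" posture calls for (knowing every dependency, which advisories apply to it, and which version fixes it), is exactly what an SBOM-style dependency scan automates. The following is an added example written for this article; it is not code from SANS, Verizon, CISA or any vendor. It walks a constructed, lockfile-shaped dependency graph for a hypothetical application, matches each resolved version against a constructed advisory list with hypothetical identifiers (not real CVEs), and reports every path by which an affected library reaches the application, plus the version to upgrade to. Version ranges follow the OSV convention (introduced is inclusive, fixed is exclusive), and versions are compared as simple dotted integers; both are simplifying assumptions.

```python
"""Transitive dependency exposure check against a list of advisories.

Added illustration for this article, not code from SANS, Verizon, CISA or
any vendor. The lockfile, the advisories and the version scheme are all
constructed for the example.
"""

# Constructed lockfile: package -> (resolved version, direct dependencies).
# This mirrors what a resolved lockfile (package-lock.json, poetry.lock,
# go.sum) records: one pinned version per package plus its edges.
LOCKFILE = {
    "myapp":           ("1.0.0",  ["web-framework", "http-client"]),
    "web-framework":   ("4.2.1",  ["template-engine", "log-lib"]),
    "http-client":     ("2.0.3",  ["log-lib"]),
    "template-engine": ("3.1.0",  []),
    "log-lib":         ("2.14.1", []),
}

# Constructed advisories with hypothetical identifiers (not real CVEs).
# "introduced" is inclusive and "fixed" is exclusive, as in OSV ranges.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "log-lib",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-2022-0002", "package": "template-engine",
     "introduced": "3.2.0", "fixed": "3.2.5", "severity": "high"},
]


def parse_version(version: str) -> tuple:
    """Simplifying assumption: versions are dotted integers (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """True if version lies in [introduced, fixed). A missing 'fixed' means unpatched."""
    v = parse_version(version)
    lo = parse_version(advisory["introduced"])
    fixed = advisory.get("fixed")
    hi = parse_version(fixed) if fixed else None
    return v >= lo and (hi is None or v < hi)


def all_paths(lockfile: dict, root: str) -> dict:
    """Map each reachable package to every simple dependency path from root.

    Depth-first walk; a package already on the current path is not revisited,
    which keeps the walk finite on cyclic dependency graphs.
    """
    paths = {}
    stack = [(root, [root])]
    while stack:
        pkg, path = stack.pop()
        paths.setdefault(pkg, []).append(path)
        _, deps = lockfile.get(pkg, (None, []))
        for dep in deps:
            if dep not in path:
                stack.append((dep, path + [dep]))
    return paths


def find_exposures(lockfile: dict, advisories: list, root: str) -> list:
    """Return one finding per advisory whose affected range covers the pinned version."""
    findings = []
    paths = all_paths(lockfile, root)
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in lockfile:
            continue  # not in our supply chain at all
        version, _ = lockfile[pkg]
        if not is_affected(version, adv):
            continue
        pkg_paths = paths.get(pkg, [])
        findings.append({
            "advisory": adv["id"],
            "severity": adv["severity"],
            "package": pkg,
            "version": version,
            "upgrade_to": adv.get("fixed"),  # patch target for mean-time-to-patch tracking
            "direct": any(len(p) == 2 for p in pkg_paths),  # root -> pkg with nothing between
            "paths": pkg_paths,
        })
    return findings


if __name__ == "__main__":
    for f in find_exposures(LOCKFILE, ADVISORIES, "myapp"):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['advisory']} ({f['severity']}): {f['package']} {f['version']} "
              f"is affected ({kind}); upgrade to {f['upgrade_to']}")
        for p in f["paths"]:
            print("   via " + " -> ".join(p))
```

Run as-is, the script reports that the affected logging library never appears as a direct dependency of the application but reaches it through two different routes, which is the situation the text describes: you cannot remove the dependency yourself, so the actionable outputs are the paths (who has to bump the pin) and the fixed version (what to patch to). Real tooling adds what this sketch omits, above all whether the vulnerable code is actually reachable from your application.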
In addition to organizations protecting themselves, CISA recently announced its Secure by Design, Secure by Default initiative. The program urges software manufacturers to do all that’s necessary to release secure products. This is a great step in the right direction because it acknowledges the responsibility of manufacturers to do their part in the fight against these cyber threats. Organizations must protect themselves, but software vendors should adopt this “security first” culture.
Finally, the supply chain issue underscores the need to understand your attack surface. More generally, one of the main security challenges for companies is understanding what their attack surface really comprises and whether they are addressing each part of it.
This means knowing where your potential points of vulnerability are and addressing them, as well as removing attack surfaces that don't need to exist. Ultimately, managing the attack surface is a major factor in an organization's cybersecurity success.
Read the entire SANS 2023 Attack and Threat Report for additional threats and what you can do to protect your organization.