#110: Security Briefing - Supply Chain Attacks

Continuing my mini-series on security, I discuss Supply Chain Attacks.

No conversation on cyber-security in 2021 would be complete without talking about Supply Chain Attacks. They are on the increase, with many high profile examples - such as SolarWinds.

Or listen at:

Published: Wed, 24 Nov 2021 17:19:35 GMT



Hello, and welcome back to the Better ROI from Software Development podcast.

In this episode, I'm going to give you another security briefing, this time on Supply Chain Attacks.

No series on cyber-security in 2021 would be complete without talking about Supply Chain Attacks.

Supply chain attacks are greatly on the increase. An EU study earlier this year forecasted a four times increase in attacks during 2021 over 2020, and I'd expect that number to continue to grow over the next few years - I'll include a link that talks about that study in the show notes.

Our organisations rely on their supply chains. There's nothing new in that.

On the battlefield, it's much easier to attack the enemy supply lines than attack their actual army. It's much more likely to result in victory. Thus, our cyber-attackers are using the same tactics to attack us as we get better at securing our own defences.

Wikipedia describes Supply Chain Security as:.

Supply chain security (also "supply-chain security") activities aim to enhance the security of the supply chain or value chain, the transport and logistics systems for the world's cargo and to "facilitate legitimate trade". Their objective is to combine traditional practices of supply-chain management with the security requirements driven by threats such as terrorism, piracy, and theft.

Typical supply-chain security activities include:

* Credentialing of participants in the supply chain
* Screening and validating of the contents of cargo being shipped
* Advance notification of the contents to the destination country
* Ensuring the security of cargo while in-transit via the use of locks and tamper-proof seals
* Inspecting cargo on entry

Now, the supply chain security is obviously focussed on the security of physical goods, so Wikipedia goes on to describe Digital Supply Chain Security as:

Digital supply chain security refers to efforts to enhance cyber security within the supply chain. It is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the advanced persistent threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.

Wikipedia then goes on to describe examples of Supply Chain cyber-security threats:.

* Network or computer hardware that is delivered with malware installed on it already.
* Malware that is inserted into software or hardware (by various means)
* Vulnerabilities in software applications and networks within the supply chain that are discovered by malicious hackers
* Counterfeit computer hardware

In this episode, I'm going to look at two methods of Supply Chain Attack: Managed Service Providers (or MSPs) and third party software.

So let's start with Managed Service Providers. Wikipedia described a Managed Service as:

Managed services is the practice of outsourcing the responsibility for maintaining, and anticipating need for, a range of processes and functions to improve operations and reduce expenses.

This is basically the practise of outsourcing that work.

It's not uncommon to use a Managed Service Provider (an MSP) for what's considered to be an expensive but low value task. And I.T. Is often seen as one of those activities. You may choose to outsource the responsibility of your I.T. team in an attempt to reduce costs. Now, personally, I'm not a fan of outsourcing these sorts of practises, but I'll cover that in another episode. The important thing that we need to focus on here is that if you're allowing a third party to do some of these tasks, you've got to understand they're likely to have direct access into your systems. They're likely to have privileged access to your systems and data.

Thus, if they've got access to your systems, if they're compromised then so are you.

A similar example to this is your cleaners. Almost certainly, the cleaners in your building are outsourced. You've probably outsourced them as a cost saving, or they're provided by the building that you may be renting. Those cleaners will likely have full access to the building. They will have access to everybody's offices and they're doing this work outside of ours, and almost certainly they will not be monitored while they're doing their work. What's to stop one of those cleaners picking up confidential information? That cleaner has access. That cleaner has the capability to be able to do that.

You have to have a level of trust in the cleaner and the organisation they work for that that's not going to happen. And any Managed Service Provider is exactly the same.

And when we're talking about I.T. Managed Service Providers, you've got to think they've got a lot of access to some very, very sensitive information. They have access to your servers, they have access to your systems, they have access to your data.


Because they need access to it, because you've outsourced the activities of managing those systems, of maybe backing them up, maybe provisioning extra hardware, maybe adding users, maybe maintaining who can access her systems to a third party.

As an attempt to save internal costs.

But when you did that, did you really weigh up the pros and cons? Did you look at what their security posture is? Did you review their security practises?

Are the cost savings from outsourcing actually a false economy because of the risk you're inheriting by allowing them access to all these things.

Ok, let's move on to third party software products. And I want to talk specifically about the SolarWinds supply chain attack.

SolarWinds provide software tools to help manage IT systems - often actually used by Managed Service Providers. It's widely used in large enterprise. It's reported to have 300,000 customers, US federal government including the Department of Defence and 425 of the US Fortune 500.

Yet in December 2020, a number of organisations were compromised, including the US Treasury, via SolarWinds.

A vulnerability was added to the SolarWinds software. It was added during the development process by an attacker. That vulnerability was then distributed by virtue of the SolarWinds software to the SolarWinds customers.

Thus, the attacker could then use that vulnerability to attack SolarWinds customers.

It's a Trojan horse on a massive scale.

Those customers were expecting software from SolarWinds. They used that software from SolarWinds and, because of the type of software it was for managing IT systems, it had access to a lot of IT systems.

Now, this was an exceptionally sophisticated attack. It's believed to have been carried out by a nation state. And this is a great example of how you can be compromised by trusting third party software.

What pieces of trusted software do you have in your organisation? What efforts do you go through to make sure that the suppliers of those software have gone through the relevant vulnerability testing? How confident are you that those third party software providers can't be compromised?

Many large organisations were caught out by the SolarWinds attack, and almost certainly it will go down as a textbook example of a supply chain attack. I'll provide you a link to an article about the attack.

As well as potentially getting third party software such as a SolarWinds product, you may also be using third party components.

If you're developing your own software internally, you're almost certainly relying on third party components - be they open source or paid. The percentage of third party code in our custom software is growing and will continue to do so. It's critical for productivity. Why reinvent the wheel when it already exists?

But if that third party software includes vulnerabilities, then they will also be including that in your software.

You will be making your software products vulnerable.

Now, the software industry as a whole is getting better at understanding this third party software, especially open source, will often be flagged if a vulnerability is identified. And you are able to access tools to run periodic audits to identify where you have vulnerable components.

To take advantage of this, you'll need to make sure that your development process includes the relevant steps to be able to run an audit - then act on those audits quickly and push those changes into production again quickly.

The longer a vulnerability is exposed, the higher risk to you as an organisation.

Now, if you're going to move quickly and you're going to do these in a rapid manner, you really need to think about your automation. As I described in Continuous Integration, Delivery and Deployment in episodes 19 through to 21, the quicker you can turn those fixes round, the lower the risk, the lower the expense.

Having to wait six months for the next release is not an acceptable risk. If you know you have a vulnerability, you have a responsibility to fix it. You should not be waiting to the next quarter or half annual release.

And this needs to be done for all custom software, not just the latest shiny thing.

It's quite common in established, long running organisations for them to have older software, which maybe hasn't been touched for a year, two years, and in some cases I find five or 10 years - it hasn't been released lately, hasn't been looked at.

How confident can you be that there aren't vulnerabilities in software that was deployed five years ago and nobody's looked at since?

That almost innocent seeming piece of software may be the route in for attackers to be able to exploit your systems.

If your development process is compromised, then you can become the SolarWinds of your own organisation, or even possibly for your customers, if you're providing that software to them.

In this episode, I wanted to introduce the idea of a Supply Chain Attack.

Supply Chain Attacks are such a hot topic in security at the moment. They've been growing rapidly and they will continue to do so. They're a good way of bypassing good security practises. It's an example of attackers evolving to use different opportunities to attack you as organisations get better at protecting themselves by having better levels of security.

They go after weaker links - in this case, a trusted third party, whether that be an MSP, whether it be a software product like the SolarWinds product, or whether it be a software component that you're using in your custom development.

Remember, an attacker doesn't need to attack you directly if it can either influence or disrupt your supply lines. There's a good chance it can do just as much damage to you as if it attacked you directly.

Thank you for taking the time to listen to this episode. I look forward to speaking to you again next week.