Supply chain security needs more than 15 minutes of fame—or shame
Suddenly, “supply chain” is hot. Suddenly, a term that usually tends to make eyes glaze over unless you’re a member of the green-eyeshade accounting fraternity, is in the headlines, even leading the mainstream evening news.
Because, as the recently discovered cyberattack on SolarWinds/Orion illustrates, a weak link in the supply chain can break every other link on that chain. Even if there are 18,000 or more of them.
SolarWinds, which provides system management tools for network and infrastructure monitoring, has an IT performance monitoring system called Orion.
The thumbnail version of the story is that hackers were able to inject malware into an Orion update, and it then spread to tens of thousands of SolarWinds customers when they did what experts are forever telling them to do: Keep your software up to date!
So instead of having to hack into 18,000 organizations individually, the attackers just compromised one vendor and let supply chain connections take care of the rest, giving them access to the data and networks of those SolarWinds customers. Among them are at least nine federal agencies including the departments of Homeland Security, State, Justice, Commerce and Treasury, plus NASA, the FAA, National Institutes of Health and National Nuclear Security Administration.
Dependent connections
Talk about a super spreader. Which exposes a risky reality that most people know subconsciously but may not think much about. We all know we live in a “connected world.” But there’s more than one way we’re connected.
It’s not just that you’re connected to a faceless internet that lets you chronicle every moment of your life to your thousands of “friends.” It’s not just that your smartphone can give you directions to a restaurant in an unfamiliar city, ping you when you’re getting close to your favorite coffeeshop, or help find your friends for a meetup on a Friday night.
It’s not just that your car can send out a 911 call if it senses you’ve been in a crash.
For businesses, it’s that they’re also part of a connected supply chain, in which most of them are both customers and providers. They purchase cyber products, materials and services from other vendors, and are also themselves vendors or suppliers to other organizations or the public.
And if any supplier on that chain is insecure, everybody on the chain is insecure.
SolarWinds may be a recent high-profile example and the reason “supply chain” is getting 15 minutes worth of mainstream fame (or shame). But it’s not an outlier.
Many chains, many links
Indeed, some of the biggest companies in the world can be the weak link. Security blogger Brian Krebs reported earlier this month that “an unusually aggressive Chinese cyber espionage unit” had hacked more than 30,000 organizations across the U.S. and hundreds of thousands globally — both public and private sector — by exploiting security defects in Microsoft Exchange Server email software.
And while Microsoft issued emergency patches on March 2, experts said even if organizations installed the patches immediately, the attackers had likely already installed a “web shell” — a password-protected hacking tool that gives an attacker administrative access to the victim’s computer servers.
Krebs and other experts are warning Exchange users to prepare for a tsunami of ransomware attacks.
Also during the past couple of weeks, multiple airlines including Jeju Air, Finnair, United, and Malaysia Airlines reported that some data of hundreds of thousands of customers had been compromised due to a breach of — yes, a supplier of services. In this case it was SITA, an air transport communications and IT vendor with about 2,800 customers.
SITA issued a statement March 4 saying it had “confirmed” the breach on Feb. 24, that it was the result of a “highly sophisticated attack” and that it had deployed “targeted” containment measures.
But the damage had been done. While SITA said there was no evidence the compromised data had been misused, that could easily change.
Trey Herr, director of the Cyber Statecraft Initiative at The Atlantic Council noted that the same could have been said after the breach of the Office of Personnel Management, discovered in 2014, which compromised the personal information of more than 22 million current and former federal employees.
“There was clear utility to the data exfiltrated in that case and here to a lesser extent,” he said. “The narrative that if information from a breach is not already being commoditized via an online marketplace it’s not harmful is misleading and probably a backward conclusion drawn from what we see often happen with breaches of credit card and health data.
Indirect risk
That should reinforce the message: The security of your supply chain is as important as your own internal security. It’s a bit like giving your house key to the plumber. If somebody steals it from him, it doesn’t really matter that it wasn’t stolen directly from you — you’re now at risk.
All of which prompts the obvious question: What should organizations do to make sure their supply chains don’t undermine their security? Because even if a vendor is to blame for a breach, each organization is responsible, and liable, for the security of its customers’ data.
You could apply the somewhat sardonic advice former Facebook chief security officer Alex Stamos posted in a tweetthis past week: “Never run a product Microsoft doesn’t use themselves.”
But in most cases, that’s not practical for your entire supply chain.
It is feasible, however, (if not simple) and should be mandatory for organizations to know exactly what their suppliers are providing, what they may be collecting to do it, and how they are keeping those products secure.
That so-called Bill of Materials should include credible assurances from suppliers that they’re also tracking what they are using and keeping it up to date.
Blind trust?
Cybersecurity researcher Alex Birsan, in a recent post on Medium titled Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies, notes that the digital components an organization buys from a supplier may have a trail of “dependencies” that reach far beyond that supplier.
“When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine,” Birsan wrote. “So can this blind trust be exploited by malicious actors? Of course it can.”
Florian Thurmann, technical director, EMEA, with the Synopsys Software Integrity Group, said many organizations have a “critical blind spot” when it comes to what their third-party vendors do with their essential data and systems.
“For example, if a vendor uses a shared account to access your corporate network, your organization won’t be able to determine which of its employees has made a given change in the system,” he said. “Every organization has the responsibility to ensure its software supply chain vendors meet its cybersecurity policy requirements.”
Thurmann’s colleague Boris Cipot, senior security engineer with the Synopsys Software Integrity Group, added that the lesson organizations should take from supply chain breaches is to “create security rules and procedures, not just internally but also for their partners in the supply chain. This means taking the software and service provider processes into consideration when discussing a partnership and defining what security measures will be implemented.”
Help is available
The good news amid all this bad news is that there are plenty of resources to help organizations do that, and thereby improve their chances of not becoming a victim of a supply chain attack.
Mike Ahmadi, vice president of research at Farallon Technology Group, and George Wrenn, founder and CEO of ZenPrivata, offered extensive advice on a 2016 podcast about how to develop effective procurement language, which is designed to hold a supplier or other third party contractually liable for the statements they make about the quality, reliability and security of the software they are providing.
As any business knows, when people sign a contract, they tend to take it more seriously.
Also, up to 90% of the final code in a software product comes from a combination of open source and third parties. That means organizations should use software composition analysis, an automated tool that helps find open source software components in products, including any known vulnerabilities and licensing conflicts in those components.
There are multiple best-practices lists for supply chain security from standards bodies including NIST SP 800–161, ISO 20243, SAFECode third-party risk practices, and the East-West Institute IT buyer’s guide.
Finally, there’s the BSIMM (Building Security In Maturity Model), an annual report that helps organizations grow and improve their software security initiatives by documenting what other organizations in their industry vertical are doing and what works. The authors of that report also provide the BSIMMsc (formerly called vBSIMM), focused on software supplied by third parties.
All those resources aren’t worth much, obviously, if an organization doesn’t follow the recommendations. Which leads to a final exhortation from Herr, echoing what’s been said at security conferences for decades: If you don’t make the secure way the easy way, chances are your security will suffer.
“CEOs being asked to pull out their phones to authenticate too many times in one day has likely been the death knell of more role-based access controls than should be the case,” he said.
Bottom line: People and organizations will ultimately put convenience over security. So if we’re going to stop, or even slow, the flood of headlines about supply chain breaches, we have to make security more convenient.