The number of attacks targeting the software supply chain has increased significantly in the last few years. Two factors drive this: vulnerabilities in supply chain software that attackers can exploit, and the leverage that a single compromised component gives them, since a hidden backdoor planted upstream reaches every downstream customer at scale. This may sound a bit Jason Bourne-ish, but there are well-documented cases. The SolarWinds compromise, attributed to a nation-state, inserted a backdoor into the vendor's build pipeline so that signed updates carried it to thousands of customers, while the MOVEit Transfer campaign showed a criminal group mass-exploiting one zero-day in a widely deployed file-transfer product. More recently, a contributor to the xz open-source compression utility spent years earning a trusted maintainer position and then used it to plant a backdoor in liblzma (CVE-2024-3094) that, had it reached stable distributions, could have had a significant impact. So, what can we, as supply chain end users, do to protect our users and data?
SBOM
A first step toward protecting against supply chain compromise is to understand what is in your supply chain, both open source and commercial. A Software Bill of Materials (SBOM), combined with an asset register that records where each component is deployed, lets an organization determine quickly whether it is affected when a public advisory is published. Build and maintain this now, not during an incident; it will prove invaluable when a potential incident arrives.
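The triage the paragraph describes is mechanical once the SBOMs exist: take an advisory (package names plus the affected version range) and walk each asset's SBOM for matching components. The following script is an added example, not code from the original article or any vendor; the SBOMs, the asset names and the advisory (including its ID and version range) are constructed for illustration, and the version comparator handles plain dotted numeric versions only, so distro packages with epochs or revisions need the ecosystem's own comparator.

```python
"""Added example: match a vulnerability advisory against per-asset SBOMs.

All data below is constructed; the package names, asset names, advisory ID
and version range are illustrative and not taken from a real advisory.
"""
import json
import re
from typing import Dict, Iterator, List, Optional

# Constructed CycloneDX-style SBOMs, one per asset in the register. Real
# SBOMs come from build tooling; these are hand-written samples. CycloneDX
# allows components to nest, so one entry here carries sub-components.
ASSET_REGISTER: Dict[str, dict] = {
    "build-runner-03": json.loads("""{
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "liblzma", "version": "5.6.1"},
            {"type": "application", "name": "ci-agent", "version": "2.14.0",
             "components": [
                 {"type": "library", "name": "openssl", "version": "3.0.13"}
             ]}
        ]}"""),
    "api-gateway": json.loads("""{
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "xz-utils", "version": "5.4.6"},
            {"type": "library", "name": "liblzma", "version": "5.4.6"}
        ]}"""),
}

# Constructed advisory. The same library ships under several package names
# across ecosystems, so list every alias; "fixed" is None while no fix exists.
ADVISORY = {
    "id": "EXAMPLE-2024-0001",            # hypothetical identifier
    "names": ["liblzma", "xz-utils", "xz"],
    "introduced": "5.6.0",
    "fixed": "5.6.2",
}


def parse_version(version: str) -> tuple:
    """Turn '5.6.1' into (5, 6, 1). Parsing stops at the first dotted part
    that does not start with a digit, so '1.2.3-rc1' compares as (1, 2, 3)."""
    nums: List[int] = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if m is None:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (no upper bound if fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def walk_components(components: list) -> Iterator[dict]:
    """Yield every component, descending into nested CycloneDX components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def affected_components(sbom: dict, advisory: dict) -> List[str]:
    """Return 'name@version' for each component the advisory covers."""
    hits = []
    for comp in walk_components(sbom.get("components", [])):
        if comp.get("name") in advisory["names"] and is_affected(
            comp.get("version", "0"), advisory["introduced"], advisory.get("fixed")
        ):
            hits.append(f"{comp['name']}@{comp['version']}")
    return hits


def triage(asset_register: Dict[str, dict], advisory: dict) -> Dict[str, List[str]]:
    """Map each asset to its affected components; clean assets are omitted."""
    result = {}
    for asset, sbom in asset_register.items():
        hits = affected_components(sbom, advisory)
        if hits:
            result[asset] = hits
    return result


if __name__ == "__main__":
    for asset, hits in triage(ASSET_REGISTER, ADVISORY).items():
        print(f"{ADVISORY['id']}: {asset} -> {', '.join(hits)}")
```

Run against the constructed data, only the build runner is reported, because the gateway's copies sit below the introduced version. The point of keeping the asset register alongside the SBOMs is that the output names a machine to act on, not just a library name.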
Multi-factor authentication
A crucial component of supply chain cybersecurity is multi-factor authentication (MFA). By requiring multiple forms of verification to access systems or data, MFA adds a layer of security beyond a username and password. This matters particularly for the accounts that can push code, approve releases or change build configuration, because a single stolen password on one of those accounts is enough to poison everything downstream. MFA ensures that even if one factor is compromised, such as a password, the additional factors still stand between the attacker and the system.
Access control and least privilege
Whether your organization consumes third-party software or builds it for others, access control is a core part of any network, and you need to strike a balance between convenience and security. Users without security training will see access control as an "annoying blocker" to their day-to-day work, and it can be tempting to open the gates to stem the tide of support tickets. But access control, and more importantly least-privilege access, where users have access only to the software they require and with the lowest level of permissions needed to achieve the outcome, makes lateral movement markedly harder for an attacker who has compromised one account or one build agent.
Network segmentation
Implement network segmentation to isolate critical systems and data from non-essential parts of the network. This limits the impact of a cyberattack and helps contain threats. Network segmentation divides the network into smaller segments, each with its own security protocols. This ensures that the rest of the network remains protected if one segment is compromised. Segmenting based on factors like department or function enhances overall cybersecurity and reduces the risk of a widespread breach.
Exercise, exercise, exercise
By their very nature, supply chain compromises are unlikely to be detected by the affected organization itself. It will most likely learn of them after the fact, through government services such as CISA and the NCSC or directly from the impacted vendor. At that moment you are reactive, like trying to close the barn door after the horse has bolted. So rehearse the response before it is needed: run tabletop exercises against a supply chain compromise scenario and confirm that the SBOM, the asset register and the vendor notification paths actually produce a list of affected systems in hours rather than days.

As these steps highlight, proactively securing your supply chain is essential. Implementing these measures can significantly reduce the risk of supply chain compromise and protect your organization's data and systems. Taking action now to strengthen your cybersecurity posture will go a long way towards mitigating the impact of potential cyber threats and demonstrate your commitment to safeguarding your supply chain against future attacks.

Check out our supply chain security data sheet to learn more.