By: Taylor Armerding, Software Security Expert at Synopsys Integrity Group
“Supply chain” is a good term for the collection of third parties — vendors, partners, contractors, etc.— an organisation does business with because a chain is a series of “links.” It’s a significant word in cybersecurity — as in, “you’re only as secure as your weakest link.”
There is a large and ominous pile of evidence that most supply chains have some very weak links. What is more ominous is that even though most organisations are well aware of the risks — given the ongoing headlines, how could they not be? — Few of them are doing much about it.
Perhaps the most famous example of a weak link risk is mega-retailer Target. Six years ago, attackers were able to steal 40 million debit and credit card numbers and 70 million other records that included addresses and phone numbers through an email phishing attack on one of the company’s service suppliers — heating, ventilation, and air-conditioning (HVAC) contractor. That gave the attackers access to Target’s point-of-sale (PoS) payment card readers.
Prevalence of supply chain attacks
But famous does not mean rare. Supply chain attacks are rampant. Earlier this year, endpoint security firm Carbon Black issued a report on so-called island hopping — the term for what attackers do when they try to expand on a breach of a victim’s network.
According to the report, “Attackers these days want to ‘own’ your entire system … Exactly half (50%) of today’s attacks leverage island hopping.”
Or as Tom Kellermann, Carbon Black’s Chief Cybersecurity Officer put it in the report. “They’re not just, say, invading your house — they’re setting up shop there, so they can invade your neighbours’ houses too.”
Ponemon’s 2018 Data Risk in the Third-Party Ecosystem found that 59% of more than 1,000 respondent companies in the U.S. and U.K. said they had been victims of a data breach caused by a third party or vendor during the previous year. Another 22% said they didn’t know if they had been or not.
The headlines are littered with other examples. Russian hackers were able to spread the infamous NotPetya malware in 2017 in part by compromising the update mechanism for a Ukrainian accounting application.
That technique has continued into this year. Motherboard reported in March that Kaspersky Lab researchers found that attackers had compromised the Live Update function of Taiwan-based ASUS, one of the world’s largest computer makers, to spread a malicious backdoor to about 500,000 computers. The researchers labelled it ShadowHammer, and it worked because “the malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update.”
There are plenty more examples, but you get the idea.
Cyber supply chain risk management
Why is the supply chain so popular among attackers? One obvious reason is that it is an ever-expanding attack surface. Businesses, especially in an online world, are interconnected like never before. Most of them use dozens to hundreds to even thousands of apps — many from external vendors.
Prioritising supply chain risks
Given all that, organisations ought to be taking the advice of NIST (National Institute of Standards and Technology) on Cyber Supply Chain Risk Management (C-SCRM): The agency calls for “identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.”
But as noted above, while organisations say they are aware of the risks, most admit that they aren’t making supply chain security a priority.
A May 30 report from research and advisory firm Gartner, Get Ahead of the Expanding Risk Frontier: Supply Chain Security found that “supply chain leaders rank cyberattack risks at the top of their list of concerns, yet only 10% of them characterise the relationship between their function and IT as strategic.”
Which is both ironic and troubling, since plenty of help is available for anyone who cares to use it.
Developing effective procurement language in contracts
It was more than three years ago that Mike Ahmadi, then Director of Critical System Security at Synopsys (now Vice President of Transportation Security at DigiCert), and George Wrenn, then CSO and Vice President Cyber Security for Schneider Electric (now founder and CEO of CyberSaint Security), offered extensive advice on how to develop effective procurement language, which is designed to hold a supplier or other third party contractually liable for the statements they make about the quality, reliability and — most of all — security of the software they are providing.
That ought to be fundamental since, as we all know, when people sign something, they tend to take it more seriously.
Using automated testing tools
Second, it is well known by now — the annual Open Source Security and Risk Analysis (OSSRA) report by Synopsys has been documenting it for years — that software today is assembled with up to 90% of the final code coming from a combination of open source and third parties.
An organisation that doesn’t know, and test, what’s inside that code is asking for supply chain problems. And as Ahmadi pointed out back in 2016, doing that doesn’t have to mean laborious, time-consuming manual reviews. Instead, automated tools will help you do it more accurately and much faster.
“You could manually comb through and create test cases that could fuzz something at a protocol level,” he said. ”Or you could connect them to our automated testing tools, push the button, and wait.”
How to vet software vendors
There is also the BSIMM (Building Security In Maturity Model) report, which helps organisations grow and improve their software security initiatives (SSI) by showing what other organisations in their industry are doing and what works. The authors of that report also provide the BSIMMsc (formerly called vBSIMM), focused on software supplied by third parties.
Sammy Migues, a Principal Scientist at Synopsys and a co-author of the BSIMM, notes in a white paper that the BSIMMsc “leverages attestation and automation to function as a foundational security control for software supply chain risk management.”
Put a bit more simply, it is designed to help organisations avoid software vendors that are “clueless.”
Software supply chain risk management essentials
That report, based on discussions within the BSIMM community between software vendors and acquirers, suggests the following list for vetting software suppliers. Those vendors should be able to produce evidence of the following:
- A documented secure software development life cycle (SSDL)
- Artefacts showing that the activities described in the SSDL occur as expected
- Personal conversations with the software security leader that demonstrate a high level of knowledge about software security initiatives and technology
- The existence of a full-time software security group (SSG), which may be called a product or application security group
- A documented process that ensures security defects get fixed
- A third-party review of software security efforts and results
Third-party vendor oversight
Beyond that, the Gartner report offers a playbook for organisations seeking to conduct effective oversight of the security of their third-party vendors.
Among the recommendations from analysts Katell Thielemann, Mark Atwood, and Kamala Raman:
- Know what you, and your third parties, have and need to protect.
- Assess the security and risk management posture of third parties.
- Know all industry regulations applicable to you and make them part of your supply chain risk management strategy.
Other recommended supply chain risk management practices
Finally, Emile Monette, Director of Value Chain Security at Synopsys, points to a compilation of supply chain software security practices he assembled from various sources, including NIST SP 800-161, ISO 20243, SAFECode third-party risk practices, the EastWest Institute ICT Buyers Guide, Department of Homeland Security implementation of C-SCRM in its programs, and others.
- Product assurance
- Secure software development life cycle
- Software composition analysis
- Static analysis
- Dynamic analysis
- Malformed input (“fuzz”) testing
- Known malware analysis
- Validation of security measures
- Third-party penetration testing
- Software bill of materials (BOM)
- Remote access
- Chain of custody
- Counterfeit avoidance and mitigation
- Supplier management
- OEM purchasing
- Insider threat management
- Supplier cybersecurity (by NIST Cybersecurity Framework function)
- Use of commercial standards
That is a long list, and even doing it all won’t make you perfect. But it will get you a lot closer, which is usually enough to get attackers to look for easier targets.
And the primary question shouldn’t be, “Can we afford to do it?” Given the risks of data theft, legal liability, brand damage, and more from a porous supply chain, the question should be, “Can we afford not to do it?”