Supply‑chain attacks: When trust goes wrong, try hope?

How can organizations tackle the growing menace of attacks that shake trust in software?



Cybersecurity is only as good as the weakest link, and in a supply chain this could be virtually anywhere. The big questions may be, “what and where is the weakest link?” and “is it something that you have control over and can actually address?”


A supply chain consists of everything between the raw materials and the end product, encompassing the supplier of raw materials, the manufacturing processes, the distribution and finally the consumer. If you consider a bottle of mineral water, any malicious contamination introduced through its path to the consumer compromises the entire supply chain.


The well poisoned


Cybersecurity is no different – a contaminated chipset placed into a device such as a router potentially contaminates the end product, creating an issue for the consumer. In software, you can also get a “contaminated component scenario”, one that security vendor FireEye found itself in when it was hacked recently. When the company discovered that it had been the victim of a cyberattack, a deeper investigation found that the attacker had slipped a malware-laced update into a network management product called Orion, made by one of the company’s software providers, SolarWinds.


The backdoor – which FireEye named SUNBURST and that is detected by ESET as MSIL/SunBurst.A – was implanted into Orion prior to the code being provided to FireEye, thus creating a contaminated end product for the consumer. In this case “the consumer” meant some 18,000 commercial and governmen ..