The recent security incident involving Solarwinds Orion proves that cybersecurity is a team game. We all use software developed by a wide range of providers (and we will continue to do so). Any successful attack on one of these vendors (suppliers) can have negative consequences on all users of their software solutions. Solarwinds was targeted by a complex attack (most probably state-sponsored) that successfully deployed malicious code into their IT management software product Orion (The backdoor code was hidden within the legitimate library SolarWinds.Orion.Core.BusinessLayer.dll, according to Microsoft). Due to the extended use of the product, the impact is potentially massive.
This reminds me of another famous cyber-attack: Stuxnet. How can you breach a heavily protected nuclear plan? It seems that the most effective way is through one of the suppliers. The attack against Iran’s nuclear facility was possible by secretly infecting at least five outside companies connected in some way to the nuclear program. Although Stuxnet itself is not a threat anymore, his legacy is: Duqu (2011), Flame (2012), Havex (2013), Industroyer (2016), and Triton (2017) posed characteristics similar to Stuxnet and created havoc in the energy sector till 2018 (at least).
What should we learn out of these examples?
We need to learn to play the cybersecurity game as a team: vendors and customers.
- Learn to evaluate the vendors not only from price & features capabilities but also from the internal processes, best practices, and compliance efforts.
- Consider your suppliers as your partners. Don’t squeeze everything you can out of their offers as this will translate sooner or later into the quality (and security) of the software that you buy.
- Contribute to the quality of the products that you use. Be vigilant and proactive in identifying bugs, vulnerabilities, and unexpected behaviors of software solutions. Report them and follow through until you get an acceptable resolution.
- Be responsible! Develop software that is secure by design, coding, and testing. Your customers’ security posture depends on you!
- Take your users seriously! Incentivize them to act as your extended testing and bug hunting team. Make sure their feedback is considered and incorporate whenever appropriate.
- Whenever a vulnerability or a security incident is reported, announce all affected customers promptly! Then fix the problem.
We can only win together, #togetherforsecurity !
Republished LinkedIn article: https://www.linkedin.com/pulse/defeating-supply-chain-attacks-together-bogdan-carlescu