Software supply chain security is problematic because of a lack of understanding of the risk, lack of visibility, and poor understanding of what the organization needs to ask its suppliers to do. David Adams looks at the issues; and the actions that organizations should take.
Software supply chain attacks can rip through companies with devastating effect, yet organizations continue to be blindsided by the threat. Left unchecked, such attacks are rising steadily, with Gartner predicting that by 2025 45 percent of organizations worldwide will have experienced attacks on their software supply chains – a three-fold increase from 2021.
There’s already evidence this is happening, with supply chain attacks up 742 percent over the past three years. Moreover, the SANS Institute’s supply chain security webcast states that as of today there is a 70 percent chance that a cyber incident will be caused by an organization’s suppliers.
The rise in attacks may seem surprising but the truth of the matter is that just 13 percent of businesses review the risks posed by their immediate suppliers, and the proportion for the wider supply chain is half that figure (7 percent), according to the DCMS 2022 Security Breaches Survey.
So why aren’t organizations doing more to protect themselves?
Stopping attacks is difficult because of the ease with which malicious software can gain access. The State of the software supply chain report states that 96 percent of known vulnerable open-source downloads are avoidable and the European Union Agency for Cybersecurity (ENISA) identified that 66 percent of attacks were aimed to compromise code.
Software supply chain attacks can take various forms but some of the most common techniques are dependency confusion, typosquatting, brandjacking, protestware, or malicious code injection attacks which aim to trick the developer into downloading malicious code. Dependency confusion or dependency hijacking targets packet managers into retrieving a malicious file from the public repository that has a same name but a higher version number than the original file. Typosquatting sees a slight misspelling of the file name, while brandjacking will target a specific well-known software brand and change it slightly. All it takes is for the developer to download the wrong file to potentially compromise the supply chain using that application.
Clearly prevention is better than cure but there’s a real sense of apathy when it comes to assessing suppliers due to the complexity of the chain but also business protocols. Supply chains are often highly convoluted and complex, involving multiple parties, making it difficult to identify and request information that may not be readily available; and then there’s the risk of causing offense, with businesses worried that by asking for such assurances they could jeopardise their relations with large or specialist suppliers. Many also lack the expertise or the tools to evaluate the risks posed by their suppliers. They don’t know where to look, what questions to ask, or how to seek assurance from them or when to broach the subject, as it seldom forms part of the procurement process.
These obstacles were identified during a recent UK Government consultation which found that even though many of those that took part said they were using the National Cyber Security Centre’s (NCSC) Supply Chain Security Guidance and Supplier Assurance Questions, they still found it difficult to overcome these barriers. It prompted the review to conclude that intervention was needed.
What has since come to light, however, is the second wave of the Cybersecurity Longitudinal Survey. This offers some real hope in that it reveals that those with strong board oversight, a cyber security insurance policy with reference to suppliers, or which complied with a baseline security standard were much more proactive in reviewing supplier relationships. This was particularly true of the latter, with 52 percent of those complying with ISO 27001 and 48 percent of those complying with Cyber Essentials Plus having assessed or managed the potential cyber risks presented by their suppliers.
Those that interact with their suppliers over security did so in a variety of ways, however. The majority had requested cyber security information (57 percent) or had established a minimum set of cyber security standards in their supplier contracts (56 percent) over the course of the past year. Just under half had given their supplier advice or guidance (44 percent). But only about a third had actually carried out a formal assessment (38 percent) and some even jettisoned the relationship altogether following a cyber security incident (12 percent). These figures have barely changed over the two years the study has been running.
Part of the problem, as stated in the survey, is that while cyber security standards can help organizations understand their suppliers’ systems and risk posture, there is no overarching framework that draws it all together to help the business use those standards to address supplier risk.
Initiatives are emerging to fill this void, such as the Open Software Supply Chain Attack Reference (OSC&R) launched over GitHub in March. It takes a similar approach to the MITRE ATT&CK matrix by mapping the tactics, techniques and procedures (TTPs) used to compromise software supply chains and provides a single point of reference, helping businesses to more easily assess risk, and is a living document, with others able to contribute to it via the repository.
While a move in the right direction, the framework doesn’t dovetail with the baseline security standards mentioned above, but it can be used to help develop a supply chain risk management programme. So where should you begin?
An action plan
Firstly, establish and maintain a process for gathering and assessing information risk from suppliers so that a risk profile can be built. This should be implemented for all new relationships and introduced when existing contracts are renewed, if not sooner. This process should include an assurance aspect dependant on the size of the third-party organization, complexity of the relationship, or the sensitivity of data at risk of compromise.
Assurance can be achieved by accepting the provision of compliance statements against recognised standards such as ISO 27001 and SOC through to agreed KPIs and invoking the right to audit where permitted. This will ensure that you maintain an acceptable level of assurance that your data will remain secure throughout its entire lifecycle.
Technical controls including the implementation of granular access controls to your environment must be at least as good as those applied for employees including the use of multi-factor authentication where applicable, timebound access and heightened levels of logging and monitoring of sensitive connections. Zero trust models which aim to continuously validate system resources, can also minimise the impact of a breach should it occur. That said there can be issues around legacy technology without significant component implementation and poor access control management can reduce the overall efficacy of zero trust.
Responsibility for managing aspects of IT infrastructure must also be agreed and monitored. We can never assume that the whole environment is being managed. In some instances, there have been some physical aspects managed by one supplier while virtual aspects were managed by another, leaving parts of the business unmanaged or unpatched by suppliers or the infrastructure owner which then led to a heightened risk.
Likewise cyber incident preparedness needs to be communicated and tested to ensure that they are understood and fit for purpose. Where there is a reliance on suppliers to help mitigate an incident, this must be confirmed and tested to ensure that timely and effective support can be achieved.
Finally, we’ll finish as we began with Gartner’s predictions. The analyst firm further predicts that in less than two years’ time, 60 percent of organizations will use cyber security risk as a primary factor when it comes to deciding over whether to conduct transactions or business engagements via third parties. This is some indication of just how important supply chain security has become and the threat posed by the increased attack surface, and it’s a stark reminder to the business community that it needs to grapple with this issue today or risk adverse impacts to their business.
David Adams is a security consultant at Prism Infosec.