Software supply chain attacks have been increasingly bedeviling the IT space.
Recent statistics bear out the dangers of these attacks. According to a study by an Israel-based security company:
- Supply chain attacks grew by more than 300 percent in 2021 over 2020.
- Attackers focused most heavily on open-source vulnerabilities and exploiting the supply chain process and supplier trust to distribute malware.
Vendors must be carefully vetted
A state-of-the-supply-chain report shows a massive 633 percent year-over-year increase in attacks in 2022. Attackers find supply chain breaches lucrative because when everyday or widely used software is compromised, the attackers could, in theory, gain access to every enterprise that uses that software. Organizations and IT departments need to take this seriously. All companies should carefully vet their vendors and only use tested and reliable companies.
Onboarding and offboarding can create vulnerabilities
The growth in supply chain attacks prompted the Cybersecurity and Infrastructure Security Agency (CISA) to update its guidance with a new bulletin that addresses basics like:
- Account Security: Best practices such as enabling multi-factor authentication, creating a process to revoke credentials of departing employees, creating unique user credentials, separating user and privileged accounts, and requiring passwords that meet specific minimum standards.
Workflows are critical
CISA’s report also calls for every company to have a workflow – Supply Chain Risk Management (SCRM) – that puts a process in place for dealing with software vendors.
Threats arising from the lack of an SCRM include:
- Malicious software that disables, negates, or hides from security agents or monitoring tools in the user environment.
- Appropriate logs not being collected, analyzed, or correlated; and partial/incomplete continuous monitoring and security audits.
CISA lists several mitigations for those threats, including:
- Conducting regular red team hunting and security exercises.
- Implementing risk-based management approaches for specific software products to identify logging and event monitoring needs.
- Implementing a threat model based on the product.
Even the FBI is getting in on the public warnings, teaming up with CISA to point out well-known supply chain attacks in the past year, like Log4j.
Don’t let hackers slip into your network through the cracks. Supply chain attacks are detrimental to companies and can be avoided with the right preventative tools and training. Contact us at Access Tech to assess your current security and advise you on the next steps best for your business, all without breaking the bank.