The story about the guy who hit his mule between the eyes with a 2x4 to “get his attention first” so the beast would then obey his gently whispered commands is memorable because it uses humor to make a serious point: Don’t wait to get clobbered before you pay attention to exhortations about what you ought to do.
So if anything good comes out of the SolarWinds/Orion cyber attack that impacted more than 18,000 organizations, it’s that it might serve as the figurative 2x4 between the eyes about digital supply chain risks.
Experts have been warning for years—even decades—about those risks. Just as with a physical chain, a supply chain is only as strong as its weakest link. So if any entity in an organization’s supply chain—vendor, partner, contractor—isn’t secure, that organization isn’t secure either.
There have been plenty of stark examples of that reality. Perhaps the most notorious is the 2014 breach of mega-retailer Target’s point-of-sale systems, enabled because hackers penetrated one of the company’s vendors—an HVAC contractor—via a social engineering attack that delivered malware in an email.
That compromised 41 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information.
Unfortunately, it didn’t substantively change the world of supply chain security. Perhaps most organizations thought that what happened to a retailer wouldn’t happen to them. But now there are more than 18,000 victims from just about every industry in both the public and private sectors. At a U.S. Senate Intelligence Committee hearing on Feb. 23, 2021, Chairman Mark Warner (D-VA) acknowledged that the SolarWinds hack “highlighted a number of lingering issues that we’ve ignored for too long.”
So maybe this time will be different. Suddenly supply chain security is a hot topic—very hot. Everybody’s talking about it.
That’s good. Because the risks are real, as illustrated by SolarWinds. The company, which provides system management tools for network and infrastructure monitoring, has an IT performance monitoring system called Orion.
The thumbnail version of the story is that hackers were able to inject malware into an Orion update, and from there it spread to thousands of customers when they dutifully installed it, obeying the mantra: “Keep your software up to date!” That gave the attackers access to the data and networks of those customers. Among them are federal agencies including the departments of Homeland Security, State, Justice, NASA, FAA, Commerce, and Treasury, plus the National Institutes of Health and National Nuclear Security Administration.
But while the risks are real and the consequences can be catastrophic, solutions to those risks are real, too. Organizations don’t have to be helpless. There are mitigations available to manage and reduce supply chain risks.
No, they won’t make you bulletproof, just as seatbelts, airbags, lane assist, crumple zones, and accident-avoidance technology won’t guarantee you could never get hurt or killed in a car crash. But those measures do make driving much safer. And supply chain security measures can make an organization much more secure.
So now that we have your attention…
In most cases, organizations are both supply chain consumers and producers. As in, they receive (consume) materials, products, and services from various third parties, and also produce products and services for other organizations or for the public. But the security emphasis is a bit different for each role. The recommendations in this post focus on consumers in the supply chain. A second post will focus on producers.
The leaders of most consumer organizations of any size likely know that their supply chain is lengthy and complex. But they may not grasp just how complex.
Indeed, it’s not just the security of an HVAC contractor or other vendor that’s important. It’s also the security of the dozens to hundreds or thousands of components an organization may import while building applications or anything else powered by software.
Cyber security researcher Alex Birsan, in a recent post on Medium titled “Dependency Confusion: How I Hacked Into Apple, Microsoft, and Dozens of Other Companies,” gets deep into the details of the causes of malware-by-update, which is increasingly likely in a world where software is less built than assembled from third-party and/or open source components. Those components create a trail of dependencies that can exponentially expand your supply chain.
As Birsan put it, “When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine. So can this blind trust be exploited by malicious actors? Of course it can.”
Tim Mackey, principal security strategist within the Black Duck Cybersecurity Research Center, makes the same point. “Modern software consists of code libraries from commercial third-party providers, open source components, and cloud API services. Each of these elements represents an independent stream of code that flows into what is commonly referred to as an application,” he said.
“Each stream in this model can contain its own code streams. Put together they form the supply chain for a modern service. Any compromise within this chain is a supply chain attack.”
Or as Paul Ducklin, writing on the Sophos Naked Security blog, put it, “For better or worse, modern package management tools … can hide this dependency complexity from you by automatically identifying, fetching, downloading, configuring, and installing the packages you need, plus the packages on which they depend, and so on.”
“As handy as this sounds, you’re probably thinking that there’s a lot that could go wrong here, and you’d be right,” he wrote. “A complex dependency tree means a complex package supply chain, and a complex supply chain means a greatly increased attack surface area for you.”
One of the first things a consumer organization should do is track what it’s using. Compile a Bill of Materials and get credible assurances from its producers that they are also tracking what they are using and keeping it up to date.
There’s considerable advice, in great detail, available on how to do that. Here are a few useful sources.
Mike Ahmadi, former director of critical system security at Black Duck and now vice president of research at Farallon Technology Group, and George Wrenn, then CSO and vice president cyber security for Schneider Electric and now founder and CEO of ZenPrivata, offered extensive advice in a 2016 podcast on how to develop effective procurement language. That’s language designed to hold a producer or other third party contractually liable for the statements they make about the quality, reliability, and—most of all—security of the software they are providing.
That ought to be fundamental since, as we all know, when people sign something, they tend to take it more seriously.
Second, it’s well-known (the annual Open Source Security and Risk Analysis (OSSRA) report by Black Duck has been documenting it for years) that software today is assembled—up to 90% of the final code comes from a combination of open source and third parties.
An organization that doesn’t know, and test, what’s inside that code is asking for supply chain problems. And, as Ahmadi pointed out, an automated software composition analysis tool will examine it more accurately and much faster than any manual method.
“You could manually comb through and create test cases that could fuzz something at a protocol level,” he said. ”Or you could connect them to our automated testing tools, push the button, and wait.”
The Building Security In Maturity Model (BSIMM) is an annual report that helps organizations grow and improve their software security initiatives by documenting what other organizations in their industry vertical are doing and what works. The authors of that report also provide the BSIMMsc (formerly called vBSIMM), focused on software supplied by third parties.
Sammy Migues, principal scientist at Black Duck and a coauthor of the BSIMM, noted in a white paper that the BSIMMsc “leverages attestation and automation to function as a foundational security control for software supply chain risk management.” Put a bit more simply, it helps organizations avoid software vendors that are less vigilant.
Michael Fabian, principal consultant at Black Duck, recommends that consumers “engage in a risk discovery and framing exercise, following frameworks outlined by international standards bodies.”
Finally, Emile Monette, director of value chain security at Black Duck, compiled a list of supply chain software security practices from sources including NIST SP 800-161, ISO/IEC 20243-1, SAFECode third party risk practices, and the East-West Institute IT buyer’s guide.
Using those resources can help consumers prepare for the unknown in their supply chain. Supply chain risks can be the equivalent of poison in your food—an existential threat.
Unfortunately, software components are not regulated the way our food supply is. So it’s up to organizations. If you want to maintain the health of your products and systems, you have to make sure everything you use outside your organization is healthy too.