Software supply chain attacks are becoming more widespread. Learn what they are and how they occur so you can develop a strategy to help manage the risks.
The statistic is alarming. Software supply chain attacks increased by 78% in 2018, according to Symantec’s “2019 Internet Security Threat Report”. And security experts expect the number of attacks to continue to spiral upward.
If you haven’t heard of software supply chain attacks, you are not alone. It is important that you learn about them, though. You need to understand what they are and how they occur so that you can develop a strategy to help manage the risks.
What Software Supply Chain Attacks Are
The term “software supply chain attack” does not refer to a new hacking tool or the latest class of malware. These attacks have, in fact, been around for years. Rather, the term describes a strategy that cybercriminals use to attack companies. Instead of attacking them directly, hackers compromise the third-party software those businesses use. This is done before the software reaches the companies’ doors, so the hackers do not have to worry about breaking into the companies’ networks and being detected there.
Once the compromised software arrives, the hackers use it to initiate other types of malicious activities. For example, the NotPetya malware that paralyzed companies’ networks worldwide in 2017 was initiated by a successful software supply chain attack.
How Hackers Compromise Software
So, how do cybercriminals compromise companies’ software? The main ways include:
Hackers are not the only ones compromising software to carry out supply chain attacks. There have been cases of insiders inserting malicious code into programs.
How to Manage the Risks
Admittedly, there is nothing you can do to stop a hacker from inserting malicious code into software when the software is not under your control. That is one reason why software supply chain attacks are becoming more popular among cybercriminals. However, you can take steps to manage the risks.
At a minimum, you should list each application used in your company and its supplier. If you are not familiar with a supplier, do some research to make sure the company is reputable and no red flags pop up.
You might also want to look at NIST’s guide for managing risks in the cyber supply chain. It provides questions to ask suppliers to determine their security risk level as well as best practices to follow to manage the risks. If time is a factor, there are companies like BitSight Technologies and SecurityScorecard that will evaluate and rate your vendors based on the security of their networks. However, they charge for this service.
Finally, you should take the basic security precautions (e.g., make sure your security software is up to date, perform backups of data and systems) in case you fall victim to a software supply chain attack. You might also want to consider getting a security solution that uses advanced detection methods (e.g., analytics, machine learning) to identify and block attacks. We can provide more information about those solutions if you are interested.