U.S. announces guidance that impacts federal agencies, organizations and vendors
The need to secure America’s software supply chain is urgent and the White House has responded. In a bold effort to strengthen cybersecurity through a more Zero Trust approach, the White House issued an executive order (EO 14028) and ordered guidance to be released to ensure federal agencies are using software that follows secure development standards. If you’re in the private sector, don’t stop reading this article. Adapting to the continuously changing cyber environment is critical to keeping your business running and protecting your own network.
The executive order accomplished two things: It directed the National Institute of Standards and Technology (NIST) to come up with guidance on securing the software supply chain for government agencies and it also directed the Office of Management and Budget (OMB) to require federal agencies to comply with those guidelines.
If federal agencies use third-party vendor software, they must get those vendors to confirm they meet minimum NIST standards. This goes beyond the initial install. Renewals and major version changes are also subject to NIST standards. If the vendor can’t meet all of the NIST guidelines, it must provide a plan to mitigate risks and develop a Plan of Action & Milestones (POA&M). The federal agency will then make a risk-based decision. Third-party software vendors can see why it’s crucial to be buttoned up when it comes to software supply chain compliance. The more confident a federal agency is in your security, the more likely you are to get that business.
Bold Changes and Significant Investments
The executive order is blunt: “Incremental improvements will not give us the security we need.” It emphasizes that the federal government needs to make bold changes and significant investments to defend the vital institutions that underpin the American way of life.
NIST released a Secure Software Development Framework (SSDF) that contains fundamental recommended practices for secure software development. They’re organized into four groups:
- Prepare the Organization
- Protect the Software
- Produce Well-Secured Software
- Respond to Vulnerabilities
The SSDF includes lists of tasks, examples of how to implement them and references. However, it’s not a one-size-fits-all approach. NIST acknowledges some examples may not be applicable to certain organizations and situations. The SSDF does not prescribe how to implement each practice. The focus is on the outcomes of the practices, rather than the tools, techniques and mechanisms used to get there.
The government recommends organizations consult other resources to implement these practices. It’s important to partner with a managed services provider that helps you sort through the tasks and gets you where you need to go.
What is a Software Supply Chain Attack?
Now you know about the executive order and updated standards to prevent software supply chain attacks. Here we will explain why those standards were created and the consequences of not strengthening your network.
A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. It’s a trickle-down effect: the compromised software then compromises the customer’s data or system. Supply chain attacks can also happen through a patch or hotfix before it enters the customer’s network. These types of attacks can have widespread consequences – from government to critical infrastructure to private sector software customers.
There are three common ways a software supply chain attack can be carried out:
- Hijacking updates – infiltrating a vendor’s network to compromise updates pushed out to customers as part of routine maintenance
- Undermining code signing – impersonating a trusted vendor to insert malicious code into an update
- Compromising open-source code – inserting malicious code into publicly accessible code libraries
It’s critical to protect against all three of those methods because attackers often carry them all out simultaneously.
Impacts of Supply Chain Attacks
Many lessons can be learned from what happened to SolarWinds – a company synonymous with Network Management Systems (NMS), whose software is used almost universally across 300,000+ customers worldwide. It was compromised through a supply chain attack. Attackers inserted code into SolarWinds’ most popular platform, called Orion. They pushed out updates which contained what was effectively a trojan horse. The attackers essentially had free rein on the victim’s network. They had virtually limitless capabilities on most networks they infected.
Organizations with SolarWinds’ Orion platform had to take immediate steps to investigate the impact and needed to review their logs for signs of long-term compromise. They could not assume their organization was safe. They also had to consider their third-party suppliers and connected partners to understand whether they were also compromised.
Other entities that have dealt with software supply chain attacks include:
- CCleaner – Floxif infected 2.2 million CCleaner customers worldwide with a backdoor. Attackers specifically targeted 18 companies and infected 40 computers to gain access to major technology companies.
- South Korea – Hackers compromised a commercial antivirus package to steal South Korean classified military data.
- MeDoc – A tweaked version of MeDoc was infected with a backdoor to deliver a destructive payload disguised as ransomware. It paralyzed networks nationwide – shutting down or affecting operations of banks, companies, transportation and utilities. It cost companies millions of dollars.
Who’s Most Vulnerable?
Organizations are uniquely vulnerable to software supply chain attacks for two major reasons, according to the Cybersecurity and Infrastructure Security Agency:
- Privileged Access – Many third-party software products require elevated system privileges to operate effectively. This includes products like anti-virus, IT management and remote access software. Customers often accept third-party software defaults without investigating further.
- Frequent Communication – Third-party software products typically require frequent communication with the vendor regarding updates and fixes. This connectivity can allow hackers to send illegitimate updates containing malware to the customer.
It’s difficult to mitigate a software supply chain attack after it’s occurred. Organizations rarely control their entire software supply chain and don’t have the authority to compel every organization in their chain to take mitigation steps, according to CISA.
Your Defense Against a Growing Threat
Attackers will adapt and change their signatures to avoid detection. It’s hard to keep up. That’s why it’s critical to enlist help from a strong tech security partner who stays on top of growing threats and has the knowledge and expertise to provide the best solutions for your organization – so you can focus on your daily operations and clients.
Lightstream adopts a Zero Trust cybersecurity framework that incorporates automation, visibility and proven practices from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST). We have the capabilities to help organizations in various stages of dealing with a software supply chain attack:
- Emergency: Doing damage control during an attack
- Recovery: Long-term solutions after an attack
- Prevention: Strengthening systems to mitigate risk
Lightstream conducts Zero Trust Readiness Assessments to help companies identify gaps in their security and develop an action plan to help prevent future attacks. Lightstream offers a variety of best-in-class solutions with deep integration of the platform across leading vendors. Within one week of completing the Zero Trust Readiness Assessment, you’ll receive a strategic advisory report. It recommends future improvements at the strategic, managerial and operational levels.
Lightstream can also create a custom Rapid Risk Profile for your organization to quickly evaluate security threats associated with your account, identity and access management, logging, networking, storage and monitoring. You’ll receive a written report with grade-level reporting on key cloud-risk indicators and on CIS security best practices. If required, we will also provide a PCI/HIPAA/regulatory requirement-specific report in lieu of a CIS report. Our security team will review the findings with you through the lens of two additional industry-standard security frameworks or regulatory compliance controls.
You have options. Enterprises large and small can use our fully-managed platform to supplement their own security operations or fully outsource the management, detection and response 24x7x365. Take advantage of Lightstream’s expertise in Zero Trust architecture. It can be used to evolve your physical and virtual network to minimize the damage and business impact from even sophisticated attackers.
Contact a Lightstream security expert today to schedule a call and talk through your security concerns. We can share what we’re seeing in the market and with other organizations to help you decide if there’s opportunity for improvement or additional risk mitigation.