Computer code is the foundation for every piece of technology, from smartphones to robots and the networks that connect them. In today's digital world, that also makes code part of the foundation for many — if not most — businesses and services.
Hackers recognize this fact and leverage it. A recent, high-profile example is the SolarWinds compromise, disclosed by FireEye in December 2020, in which attackers planted a back door in legitimately signed updates to SolarWinds' Orion software. By compromising the software provider, the attackers were able to install back doors at thousands of Orion customers, which in turn gave them a path to their intended targets, including U.S. government agencies and the companies that provided services to them.
This attack method also exploits trust. Businesses, governments and other customers assume that if a software or firmware update comes from the vendor, it is safe to install. Some will trust but verify: they check the vendor's website for the update's hash value and compare it to the download, or confirm that the installer carries a valid vendor signature. If it matches, they assume the update is clean. But a matching hash or valid signature only proves that the file is the one the vendor published; it says nothing about whether the vendor's build was tampered with before publication. The trojanized Orion updates were signed with SolarWinds' own code-signing certificate and passed exactly this check.
This trust creates opportunities for malicious actors who are able to manipulate the source code, or the build pipeline that turns it into a release, during the development process. As a result, users unwittingly install a back door, which often sits quietly for weeks or months before spreading through an organization and, from there, toward its partners, suppliers or customers. How can organizations protect themselves?
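The following Python is an added illustration, not code from the article or from any vendor: it performs the digest check described above and shows where that check stops. The artifacts and the "published" digests are constructed for the example; the trojanized build stands in for a release that was tampered with inside the vendor's own pipeline before the vendor hashed it.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Return the hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_published_digest(artifact: bytes, published_hex: str) -> bool:
    """The step most customers stop at: does the download match the digest
    the vendor published? Constant-time comparison avoids leaking timing."""
    return hmac.compare_digest(sha256_hex(artifact), published_hex.strip().lower())


# Constructed sample artifacts (not real software). The trojanized one stands in
# for a build that was modified before the vendor signed and published it.
CLEAN_BUILD = b"orion-installer v1.0 // legitimate build output"
TROJANIZED_BUILD = b"orion-installer v1.0 // legitimate build output + planted backdoor"

# Because the tampering happened upstream of publication, the digest the vendor
# publishes is the digest of the trojanized file, not of the clean one.
VENDOR_PUBLISHED = {
    "clean": sha256_hex(CLEAN_BUILD),
    "trojanized": sha256_hex(TROJANIZED_BUILD),
}


def scenario() -> dict:
    """Run the customer's check in each scenario and return the verdicts."""
    return {
        # Honest release: the check passes, as expected.
        "clean_passes": verify_published_digest(CLEAN_BUILD, VENDOR_PUBLISHED["clean"]),
        # Trojanized release: the check also passes, because the vendor hashed the
        # tampered file. A hash match is integrity relative to the publisher only.
        "trojanized_passes": verify_published_digest(TROJANIZED_BUILD, VENDOR_PUBLISHED["trojanized"]),
        # The check still catches tampering after publication, e.g. a modified
        # mirror or an in-transit swap, because the vendor's digest no longer matches.
        "mitm_caught": not verify_published_digest(TROJANIZED_BUILD, VENDOR_PUBLISHED["clean"]),
    }


if __name__ == "__main__":
    print(scenario())
```

The practical consequence is that hash and signature checks belong in the process but cannot be the whole process; what they cannot see is precisely what the rest of this article is about.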
Keep out bad actors. A supply chain risk management (SCRM) program is critical for mitigating threats and vulnerabilities inherent to the adoption and integration of third-party products and services. It covers people, processes and technology, and spans multiple departments including security, IT, human resources (HR), procurement and legal. It is especially important to expand a company’s SCRM program into the software development life cycle (SDLC). In the process, the SCRM program creates a culture of security where everyone is a participant and is aligned toward the same goal.
Within the SDLC, a SCRM program starts with the people who need to touch the code and related resources such as tool sets. These employees should be thoroughly vetted during the hiring process, including background checks to identify any potential ties to criminal activity or nation states.
Companies that use staffing firms need to ensure that the firm understands their specific requirements. For example, companies should know who their staffing firms are and whether they have a presence in countries with a history of state-sponsored cybercrime. When a company handles proprietary and confidential information, it does not want a staffing firm's remote offices feeding it résumés and candidates who may be insider-threat plants. Nation-state attackers are increasingly focused on getting their people into targeted organizations. They have the financial resources to train people who present coveted coding skills and other sought-after credentials that push their résumés to the top of the pile. Human resources teams and hiring managers need to be cognizant of this.
It’s possible that some bad actors will slip through even the most careful screening and hiring processes. That’s why it’s important to monitor employee activity through a well-defined insider threat program to identify unusual and suspicious behaviors such as unauthorized escalation of privileges and access to systems, programs and applications.
A SCRM program should also define who needs access to the code and related resources such as tool sets, and then implement safeguards that keep everyone else out. Once a code base or third-party component has been licensed and assessed, it should be the sole source for authorized developers: they should not pull in additional code from outside sources. The point is that once code has been assessed and placed under control, businesses do not want developers fetching packages from new sources that have not yet been evaluated for security risk. This practice mitigates vulnerabilities such as back doors buried in unvetted code that authorized developers unwittingly pull in, or undocumented access paths planted by someone who should never have had access.
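One concrete way to enforce "no code from unassessed sources" is to audit the dependency lockfile in CI. The Python below is an added example, not code from the article or from any tool it mentions: it walks an npm `package-lock.json` (lockfile version 2 or 3 layout) and flags any dependency that was not resolved over HTTPS from the approved internal registry, or that carries no integrity hash. The registry host `artifacts.example.internal` and the lockfile contents are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Hypothetical internal registry that has been assessed and approved (an assumption
# for this example; substitute your own artifact proxy).
APPROVED_REGISTRY_HOSTS = {"artifacts.example.internal"}


def audit_lockfile(lock_text: str, approved_hosts=APPROVED_REGISTRY_HOSTS) -> list:
    """Return one finding per dependency that was fetched from an unapproved source
    or that has no integrity hash pinning its content."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":            # the root project itself, not a dependency
            continue
        if entry.get("link"):     # workspace symlink, nothing was downloaded
            continue
        resolved = entry.get("resolved")
        integrity = entry.get("integrity")
        if not resolved:
            findings.append({"package": path, "reason": "no resolved URL recorded"})
            continue
        parsed = urlparse(resolved)
        # git+ssh://, http:// and public registries all fail this test.
        if parsed.scheme != "https" or parsed.hostname not in approved_hosts:
            findings.append({"package": path, "reason": f"resolved from unapproved source {resolved}"})
        if not integrity:
            findings.append({"package": path, "reason": "no integrity hash, content is not pinned"})
    return findings


# Constructed lockfile: one approved dependency, one pulled straight from the public
# registry, one pinned to a git fork with no integrity hash. The digests are placeholders.
SAMPLE_LOCKFILE = """{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/approved-lib": {
      "version": "2.1.0",
      "resolved": "https://artifacts.example.internal/npm/approved-lib/-/approved-lib-2.1.0.tgz",
      "integrity": "sha512-c2FtcGxlLWludGVncml0eS12YWx1ZS1ub3QtcmVhbA=="
    },
    "node_modules/rogue-util": {
      "version": "0.3.1",
      "resolved": "https://registry.npmjs.org/rogue-util/-/rogue-util-0.3.1.tgz",
      "integrity": "sha512-YW5vdGhlci1zYW1wbGUtaW50ZWdyaXR5LXZhbHVl"
    },
    "node_modules/fork-of-thing": {
      "version": "1.4.2",
      "resolved": "git+ssh://git@github.com/someone/thing.git#deadbeef"
    }
  }
}"""


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{finding['package']}: {finding['reason']}")
```

Failing the build on any finding turns the policy in the paragraph above into a gate that runs on every change, rather than a rule developers are asked to remember. The same idea applies to other ecosystems (a pip index URL, a Maven repository list, a Go module proxy): the lockfile or resolver configuration records where code came from, and that record is what gets checked.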
Scrutinize and control. Tightly controlling technology provides another layer of protection. For example, even when employees transfer within the organization, consider issuing them a new laptop with an image created specifically for their new role and department, and disable any previously granted access that is no longer required. This keeps access aligned with the employee's current role instead of accumulating over time.
The IT department should also reimage brand-new computers before issuing them to developers. Using the stock, vendor-provided image could introduce back doors if the operating system or any pre-installed bloatware contains compromised code. Instead, create a custom, hardened image for those devices.
All new types of hardware and software should initially be run in a sandbox for a period of time. This gives the IT department time to scrutinize their behavior, such as unsolicited connections out to the internet that attempt to pull down or send out data. It also creates a baseline that helps detect sudden changes in behavior months or years later, which could indicate that the product has been compromised.
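The baseline described above is only useful if something compares later behavior against it. As an added example (not code from the article), the Python below learns which destinations each process contacted during the sandbox period from egress log lines, then flags later events whose process or destination was never seen. The log lines and their `key=value` format are constructed for the example; the regular expression is the part to adapt to a real firewall or EDR export.

```python
import re
from collections import defaultdict

# Constructed egress log format (an assumption for this example):
# "<timestamp> host=<h> proc=<process> dst=<host-or-ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def build_baseline(lines):
    """Map each process to the set of (destination, port) pairs it contacted
    while the product was being observed in the sandbox."""
    baseline = defaultdict(set)
    for ev in parse(lines):
        baseline[ev["proc"]].add((ev["dst"], ev["port"]))
    return baseline


def find_deviations(baseline, lines):
    """Return later events whose process or destination is absent from the baseline."""
    deviations = []
    for ev in parse(lines):
        known = baseline.get(ev["proc"])
        if known is None:
            deviations.append({**ev, "reason": "process not seen during sandbox period"})
        elif (ev["dst"], ev["port"]) not in known:
            deviations.append({**ev, "reason": "new destination for this process"})
    return deviations


# Constructed sandbox-period log: the updater only ever talks to two vendor hosts.
SANDBOX_LOG = [
    "2021-01-04T10:00:01Z host=build01 proc=vendorupdater dst=updates.vendor.example:443",
    "2021-01-04T10:00:02Z host=build01 proc=vendorupdater dst=crl.vendor.example:80",
    "2021-01-05T10:00:01Z host=build01 proc=vendorupdater dst=updates.vendor.example:443",
]

# Constructed log from months later: the expected vendor connection, one connection to a
# never-before-seen address, one connection from a process that did not exist before.
LATER_LOG = [
    "2021-06-18T03:12:44Z host=build01 proc=vendorupdater dst=updates.vendor.example:443",
    "2021-06-18T03:12:45Z host=build01 proc=vendorupdater dst=198.51.100.23:443",
    "2021-06-18T03:12:46Z host=build01 proc=vendorhelper dst=203.0.113.9:8443",
    "this line is malformed and is ignored",
]


def run_example():
    """Build the baseline from the sandbox log and check the later log against it."""
    return find_deviations(build_baseline(SANDBOX_LOG), LATER_LOG)


if __name__ == "__main__":
    for d in run_example():
        print(f"{d['ts']} {d['proc']} -> {d['dst']}:{d['port']}: {d['reason']}")
```

A new destination is not proof of compromise (vendors do move update servers), but it is exactly the kind of change the baseline exists to surface; the follow-up is to confirm the new endpoint with the vendor, not to silence the alert.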
Create a culture of security. This is a lot to consider, which highlights why SCRM must be a cross-organization effort. For example, the legal department should ensure that vendor and partner contracts contain language regarding audits to ensure that all requirements are followed. Meanwhile, HR can help develop and enforce rules for screening candidates.
C-level buy-in and leadership are key for achieving this kind of team effort and ensuring that the resources are available to implement a SCRM program. This produces a culture of security that spans the entire organization and transforms security from an afterthought into a fundamental part of the development process.
Michael Iwanoff is chief information security officer at iconectiv.