Cultural Side of Supply Chain Security

With cybersecurity & ransomware attacks on the rise, strengthening our defenses towards ensuring the safety & privacy of customer data has assumed paramount importance. One of the major challenges in this endeavor today is to manage the risk associated with integrating open-source software in the products that we develop. This is where Software Supply Chain Security swoops in and, potentially, saves the day.

The sources of attack on a supply chain can be varied & need not be relegated to just the piece of software being shipped or the vulnerabilities therein. For this post, however, we shall be limiting the scope of discussion to the cybersecurity aspect & shall be discussing various efforts towards improving the security in this space.

So what is Software Supply Chain Security exactly?

During the development of any application software, developers piece open source & proprietary libraries together. This software is further deployed on a platform towards making it available for end-user consumption. In this entire chain of design, development, and deployment there are various software packages being used with no means to corroborate their security. This leads to an architecture that is susceptible to attacks not only via traditional exploitation measures but also via indirect means such as utilizing political influence, blackmail, or even threats of violence against the developers who release such libraries^[1]

Given the multi-faceted nature of this problem, the approach we use towards securing the product also needs to be holistic. Merely defending the endpoints will no longer suffice. Right from the design & build stage, security considerations must be incorporated into the process towards ensuring extensive mitigation of the aforementioned attacks. This implies that anything affecting your code – libraries, operating systems, etc, as it passes from development to production will be accurately recorded & tracked so that appropriate monitoring & mitigation processes can be put into place. 

A cultural shift?

While a quick Google search can list down the many efforts being taken towards developing appropriate tooling for this purpose, as with everything else, this calls for a cultural shift along with a technological one. Merely integrating available technology in a software supply chain will achieve very minimal results since this will always be an evolving space due to the nature of attacks & the scope involved. A shift in the mindset, as well as the ways of working, needs to accompany the ongoing advancements in tooling & technology.

Assuming shared responsibility

Much like DevOps, the onus of ensuring a secure supply chain doesn’t lie on one team or person alone. It is a shared responsibility and everybody in an organization should collaboratively work towards the end goal. Rather than security as an afterthought, it must be the focal point for every decision an individual/team makes throughout the cycle. Yes, that also includes tooling!

Automated tooling

Every single package matters! This is also why every release iteration will require the packages involved to be recorded, analyzed, & monitored for any vulnerabilities. In the event of a vulnerability, there also needs to be a way to assess the impact and mitigate it as soon & effectively as possible. Doing this ad infinitum in a manual manner would be effort & resource intensive which is why there is a requirement for intelligent and automated tooling to be in place. 

Embracing failures

As the discipline of Chaos Engineering evolves, there is hope for sophistication in the sphere of supply chain attack simulation. Simulations help us discover further vulnerabilities within the existing processes/tooling in place & help us improve, should they occur in real-time because let’s face it; everything fails! How we deal with failure is what ultimately matters. Planning ahead for mitigation and remediation measures as an outcome of such simulations will only help make our supply chains more reliable.

What are the odds?

A four-fold increase in supply chain attacks is expected by the end of this year. Per the report published by the European Union Agency for Cybersecurity titled, Threat Landscape for Supply Chain Attacks^[2], the sophistication and complexity of the attacks were only going to improve with time, thereby requiring equally intelligent & holistic measures towards securing them.

What are our options?

Glad you asked! There is a lot of work underway currently in various areas as detailed extensively in this document by Aeva Black. With efforts such as standardization frameworks, open-source projects, and companies like Chainguard Inc. towards revolutionizing the available tools, this is one space that will be seeing a rapid transformation in the coming years.

Episode 4 – Let’s Go Phishing for Ransomware

Shankar Radhakrishnan, Founder of Skedler, recently sat down with the CEO of TCE Strategy, Bryce Austin, who is a Cyber Security Expert and Professional Speaker as well as the author of the book Secure Enough? 20 Questions on Cybersecurity. The topic of the discussion, phishing for ransomware, is incredibly important as many organizations and individuals around the world are exposed to the perils of phishing and ransomware attacks daily. Bryce was able to detail why hackers target individual accounts and what best practices organizations can employ to proactively mitigate attacks or handle the fallout after a phishing and ransomware attack. 

[video_embed video=”I5ys5nOowTo” parameters=”” mp4=”” ogv=”” placeholder=”” width=”700″ height=”400″]

Top Phishing Scenarios That Organizations Face

A recent report found that 64% of organizations have experienced a phishing attack in the past year. Research by IBM reveals that 59% of ransomware attacks originate with phishing emails and a remarkable 91% of all malware is delivered by email. This tells us that more users are seeing attacks, but since they are not trained in how to spot or handle them, they become a victim of them. With the volume and variety of phishing attacks on the rise, many organizations are struggling to keep up with the barrage of ransomware attacks that are constantly hitting their networks.

In order to combat these terrible attacks, we must first understand what they are and what their purpose is. Bryce explains that “phishing comes in many forms. It can be a vague email. It could be from someone you know. It could be from someone you know who says ‘I thought you might find this link interesting,’ and it tries to get you to click on a weblink.” Bryce goes on to detail how “it could [also] state ‘please see the file for the next, new, exciting thing in technology.’ Something vague and nondescript.” This is an incredibly important aspect of these attacks since many people open emails that interest them, even if they don’t know the sender. Once the individual clicks through, the hacker has everything they need in order to obtain remote access to the user’s desktop or copy their address book to carry out a phishing attack of epic proportions.

Best Practices For Safeguarding Your Company From Phishing Attacks

First and foremost, cybercriminals are interested in money. If they think that there is a reasonable chance of them getting money from a user or company, they will try. This is why, Bryce explains that “one of the biggest things you can do is to have cybersecurity awareness training for yourself and for anyone in your company.” In essence, Bryce tells us that, “Cybersecurity awareness training is cybersecurity 101. It’s the basics of what these phishing scams look like. That is far and above the #1 way to prevent it.”

Too often, employees aren’t familiar with the signs of ransomware and therefore make their companies vulnerable to attacks. This is why, to mitigate the risk of a phishing or ransomware attack, it’s imperative to provide regular and mandatory cyber security training to ensure all employees can spot and avoid a potential phishing scam in their inbox. You also need to look into endpoint detection and ensure that you have built a really strong security posture. This will give everyone from your frontline employees to your executives the tools they need to successfully squash a phishing attack in its tracks before it becomes a catastrophe.

Best Practices For Post-Phishing Attacks

If a threat actor successfully phishes an employee, it can provide them with access to the company’s entire network of resources. Bryce explains that “if a phishing attack is successful, it inherits whatever abilities the user has.” This means that a single phishing attack can provide a hacker with access to the organization’s sensitive financial and intellectual property data which can be devastating.

To combat the spread of a phishing attack once it has already made its way into your network, Bryce explains that a huge mitigating step is to “proactively remove local administrator rights so that users don’t log in as a local admin at the company.” This is similar to throwing sand on a roaring fire pit. It doesn’t undo what has already happened, but it can keep the damage from getting out of hand.

Don’t forget to subscribe and review us because we want to help others like you improve their IT operations, security operations and streamline business operations. If you want to learn more about Skedler and how we can help you just go to Skedler.com where you’ll find tons of information on Kibana, Grafana, and Elastic Stack reporting. You can also download a free trial at skedler.com/download so you can see how it all works. Thanks for joining. We hope you will tune in to our next episode!