Supply Chain Attacks—What You Need To Know

ClearStar


During the 2020 holiday season, I felt a disturbance in the force as if 1000s of cybersecurity professionals suddenly cried out in terror. Not only did people need to immediately drop whatever they were doing and start remediation plans, it was also a stark reminder of just how helpless organizations are in terms of supply chain defense.

Let’s revisit one of the destroyers of the holidays last year.

The SolarWinds Attack

The largest publicly known supply chain attack was disclosed in December of 2020. If you haven’t read about it yet, the SolarWinds announcement is here. Supply chain attacks are an emerging threat that targets software developers and suppliers. The goal is to access source code, build processes, or update mechanisms by infecting legitimate apps to distribute malware.

The scale of the SolarWinds breach is massive and hard to overstate. Upwards of 18,000 companies were made vulnerable to attacks. The number of companies compromised is likely unknown to everyone except for the attackers themselves. The attack was so successful that if not for the attackers publicly ridiculing FireEye, one of the top cybersecurity firms in the world, by releasing FireEye’s internal tools, the attack may not have been discovered. Let me state that differently: if the attackers had not intentionally let FireEye know about an internal breach, then it is likely no one would have discovered the source, SolarWinds, yet. It would be impressive if the fallout weren’t so widespread and impactful. And again, I don’t think you can overstate the impact to the firms that were ultimately targeted.

ClearStar continues to field a fair number of questions concerning our own exposure. ClearStar does not utilize any SolarWinds software. However, it’s clear from the scope of the questions that a lot of organizations are rightfully concerned about SolarWinds deployments. (As a precaution, ClearStar also investigated known IOCs related to the breach and found zero beaconing-related domains. Not that we expected to find any, just us being diligent.)

But let’s not miss the forest for the trees.

The Real Issue

The SolarWinds supply chain attack won’t be the last because everyone is vulnerable to supply chain attacks. Software development process standards aren’t widely accepted. No organization is truly required to utilize multi-factor authentication everywhere. Organizations aren’t always focused on understanding how third-party libraries might bring outside vulnerabilities into scope on company assets. There is very little transparency in what components make up software. There simply isn’t a set of standards that says your code is safe.

And not just your code.

When was the last time your internet-connected alarm panel was updated? When was the last time you investigated if the embedded TCP/IP stack on your internet-connected alarm panel was completely up to date, but perhaps still vulnerable to Ripple20? What about printers, UPS systems, IP cameras, or video conferencing systems? What about the water we drink?

The Possible Solution

Looking forward into this year, let’s all hope that the Consortium for Information & Software Quality group makes progress on releasing their proposed Software Bill of Materials approach. Being able to develop an SBOM repository that is easily queried and shared would go a long way in helping organizations better understand risks. Software composition analysis is another subject that more and more firms outside of the Fortune 500 are taking seriously. SOC2 reporting is becoming a requirement for any company looking to provide B2B services, as are certain ISO certifications.
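One way a queryable SBOM repository answers "which of our products ship the affected component?", shown as an added example that is not from the original post. It assumes SBOMs stored as CycloneDX-style JSON (a format chosen here, not the CISQ proposal mentioned above); every product name, component name, version, and the advisory range is constructed.

```python
# Added example: query a small SBOM repository for products shipping an affected component.
# All names, versions and the advisory range below are constructed for illustration.
SBOMS = [
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"name": "alarm-panel-fw", "version": "3.2.0"}},
     "components": [
         {"name": "network-module", "version": "2.1.0",
          "components": [{"name": "example-tcpip", "version": "5.0.1"}]}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"name": "ip-camera-fw", "version": "1.4.2"}},
     "components": [{"name": "example-tcpip", "version": "6.1.0"},
                    {"name": "example-video-codec", "version": "0.9.3"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"name": "print-server", "version": "7.0.0"}},
     "components": [{"name": "example-tcpip", "version": "4.9"}]},
]


def parse_version(text):
    """Turn '5.0.1' into (5, 0, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def walk(components, path=()):
    """Yield (component, path) for every component, including nested ones."""
    for comp in components or []:
        here = path + (comp["name"],)
        yield comp, here
        yield from walk(comp.get("components"), here)


def find_affected(sboms, name, first_bad, first_fixed):
    """Products shipping `name` with first_bad <= version < first_fixed."""
    lo, hi = parse_version(first_bad), parse_version(first_fixed)
    hits = []
    for sbom in sboms:
        product = sbom["metadata"]["component"]
        for comp, path in walk(sbom.get("components")):
            version = comp.get("version", "0")
            if comp["name"] == name and lo <= parse_version(version) < hi:
                hits.append((product["name"], " > ".join(path), version))
    return hits


if __name__ == "__main__":
    for product, path, version in find_affected(SBOMS, "example-tcpip", "4.0.0", "6.0.0"):
        print(f"{product}: {path} {version}")
```

The nested walk matters: in the constructed alarm-panel SBOM the affected stack is only visible one level down, inside another component.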

But you’re a background screening company? Why are you talking about supply chain risks and software?

No, ClearStar is a technology company. Our focus is helping others manage risk with background and medical screening. That’s because employees are a source of information capital. Just as companies can’t afford to ignore the risks with supply chain attacks, neither can they do so with their employees. Companies have entire departments set up for managing risk, vulnerabilities, and cybersecurity, yet for some, a single employee background check during onboarding is enough.

For companies serious about success, security, including background screening, must be an ongoing effort. This is for the record.

Additional links concerning the SolarWinds attack:

https://us-cert.cisa.gov/ncas/alerts/aa20-352a
https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

For The Public Record is a monthly blog featuring thought leadership from the most seasoned experts at ClearStar, across all functions of the background screening process.


    Damien Stewart - Deputy Chief Information Security Officer

    Damien Stewart serves as Deputy Chief Information Security Officer of ClearStar. Damien is responsible for leading ClearStar through its compliance journey, including ISO 27001-2013 certification, SOC2 T1/T2 reporting, and security and operation infrastructure refreshes all while building out an effective cybersecurity practice within the organization.

    Damien is a Certified Information Systems Security Professional (CISSP), a designation issued by (ISC)² to validate expertise in designing, implementing, and managing best-in-class cybersecurity programs.
