When it comes to software supply chain jacking, you might think first of the hacking of the Trans-Siberian pipeline. But this type of attack is also a threat to organizations whose supply chains are software-based. In fact, software supply chain jacking has become an increasingly common problem, in part because the global labor market lets organizations manufacture the same product or component in several countries and assemble it at different focal points. Every hand-off between those points adds another place where the supply chain can be compromised, and recent attacks have shown that.
In June, Checkmarx researchers discussed the rising threat of software supply chain jacking. In their talk, they walked through several examples of attacks on the software supply chain. They found that the average software project contains as many as 203 dependencies. If even one of those dependencies is compromised, the number of potential victims grows exponentially, because every project that pulls in the compromised package, directly or through another dependency, ships the malicious code. Fortunately, most companies can put detection for supply chain attacks in place with minimal risk.
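To make the "one compromised dependency" arithmetic concrete, here is an added example that is not from the original post or from the Checkmarx talk. It builds a constructed miniature package ecosystem (three applications on top of a handful of libraries), counts what each application transitively pins, and then walks the dependency graph in reverse to compute the blast radius of a single compromised package. All package names are made up for the illustration.

```python
from collections import deque

# Constructed snapshot of a small package ecosystem: package -> direct dependencies.
# Three applications sit at the top; everything else is a library they pull in.
DEPENDENCY_GRAPH = {
    "app-a": ["web-framework", "http-client"],
    "app-b": ["http-client", "logger"],
    "app-c": ["logger"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser", "tls-shim"],
    "template-engine": ["escape-utils"],
    "logger": ["color-codes"],
    "url-parser": [],
    "tls-shim": [],
    "escape-utils": [],
    "color-codes": [],
}


def transitive_dependencies(package, graph):
    """Every package reachable from `package`, i.e. what a lockfile would pin.
    Breadth-first with a visited set, so a dependency cycle cannot loop forever."""
    seen, queue = set(), deque(graph.get(package, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))  # a package missing from the graph is a leaf
    return seen


def reverse_graph(graph):
    """Invert the edges: package -> packages that depend on it directly."""
    dependents = {pkg: set() for pkg in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(pkg)
    return dependents


def blast_radius(compromised, graph):
    """All packages that would ship the compromised code: walk the reversed graph."""
    return transitive_dependencies(compromised, reverse_graph(graph))


def affected_applications(compromised, graph, applications):
    """The top-level applications that fall inside the blast radius, sorted by name."""
    return sorted(blast_radius(compromised, graph) & set(applications))


if __name__ == "__main__":
    apps = ["app-a", "app-b", "app-c"]
    print("app-a pins", len(transitive_dependencies("app-a", DEPENDENCY_GRAPH)), "packages")
    print("url-parser compromised ->", affected_applications("url-parser", DEPENDENCY_GRAPH, apps))
```

Feeding the same functions a real lockfile or SBOM instead of the constructed graph gives the visibility the rest of this article asks for: which direct dependency drags in the most transitive ones, and which applications a single upstream compromise would reach.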
Unfortunately, even public sector supply chains are vulnerable to this type of attack. In 2017, a hack of software supplier SolarWinds affected over 18,000 organizations, including nine federal agencies. The malicious code was delivered through routine software updates. While the attackers’ goal was to collect intelligence, they compromised critical infrastructure along the way. This was an attack on the public sector and a wake-up call to agencies everywhere. The public trusts these agencies with its information, and the agencies have to make sure they can keep that trust.
The software supply chain is extremely exposed to these attacks, as many vendors use open source components or poorly secured hardware. Attackers can use these weak points to insert unwanted functionality, or to reach the final destination of the software or hardware. And if the software itself is poorly developed, they can exploit vulnerabilities in it directly. To protect your organization against these threats, you need complete visibility into your supply chain. By implementing best practices, you can protect your IT infrastructure from supply chain jacking.
This threat is a real problem for software supply chains, because each application involves hundreds of suppliers. A threat actor can use a vulnerability in open source software, which could lead to a major data breach. The most effective way to avoid this is to secure your software. And if you don’t know about such a vulnerability, you’ll never know when your software may come under attack.
Security experts are working to prevent supply chain jacking. One method uses threat intelligence to alert you to new threats and give you the information to defend against these attacks proactively. This approach is called the “Swiss cheese model,” and it combines data from malware analysis and search to give you an accurate picture of what’s happening. Threat intelligence can provide the insights you need to secure your supply chain.