Understanding the Growing Threat of Supply Chain Attacks: Strategies for Mitigation

Author: Chris Crowther

In 2021, Sita, an airline industry IT supplier, informed airlines using its passenger service system that their passengers' frequent flyer data could have been exposed in a cyber attack. Singapore Airlines was among those affected even though it did not use the Sita system directly: it shared its frequent flyer data with Star Alliance, which did. This interconnection between critical systems attracts cyber criminals looking for the weakest link, and those weak links are increasingly found in the supply chain, in particular the third-party IT systems that many organisations rely on to run their operations. SolarWinds is a well-known example of this exposure being exploited. As more incidents are analysed, common patterns are emerging behind these attack vectors.

The good news is that, in general, the cyber defences of high-value targets are in much better shape and continuing to improve, so direct attacks against target systems are harder. Threat actors of all varieties, however, prefer the easy option, so it is more effective for them to move along the software supply chain and seek out weak links away from the target's hardened perimeter defences.

A growing supply chain risk is the use of open-source software. The assumption that a popular open-source project is secure must be verified at every juncture. Open-source projects tend to be general purpose and so can be promiscuous in the device services they access and the interconnections they facilitate; from a security standpoint this is a risk that must be understood and controlled, because an otherwise secure system is likely to become vulnerable once such a component is integrated into its architecture. A further growing threat vector is loosely managed open-source library repositories. These repositories give attackers options to deploy malicious software covertly, and there are many examples of this vector being exploited.
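As an added illustration of the repository problem (example code written for this page, not part of the original article or of any project it mentions), the check below mirrors what pip's `--require-hashes` mode enforces: every dependency must be pinned to an exact version with a sha256 digest recorded at review time, and anything the index serves that does not match, or that the lockfile never named, is refused. The package names, version numbers and artifact bytes are constructed for the demonstration.

```python
import hashlib
import re

# Constructed sample data: the wheel contents a reviewer inspected and pinned.
# Names, versions and bytes are invented for this example.
TRUSTED_ARTIFACTS = {
    ("leftpad", "1.3.0"): b"leftpad-1.3.0 wheel contents (constructed)",
    ("requests", "2.31.0"): b"requests-2.31.0 wheel contents (constructed)",
}

# One requirement line: exact version pin plus one or more sha256 pins,
# the form pip accepts in --require-hashes mode.
REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s]+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_requirements(artifacts: dict) -> str:
    """Render a hash-pinned requirements file from reviewed artifacts."""
    lines = [
        f"{name}=={version} --hash=sha256:{sha256_hex(data)}"
        for (name, version), data in sorted(artifacts.items())
    ]
    return "\n".join(lines) + "\n"


def parse_requirements(text: str) -> dict:
    """Return {(name, version): {allowed digests}}.

    Rejects any line that is not an exact pin with at least one hash, so a
    floating '>=' range or an unpinned transitive dependency cannot slip in.
    """
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m["hashes"]))
        if not hashes:
            raise ValueError(f"no digest pinned for {m['name']}")
        pinned[(m["name"].lower(), m["version"])] = hashes
    return pinned


def verify_downloads(pinned: dict, fetched: dict) -> tuple:
    """Compare what the index served against the lockfile.

    fetched maps (name, version) -> artifact bytes. Returns (ok, reasons).
    """
    reasons = []
    for (name, version), hashes in pinned.items():
        data = fetched.get((name, version))
        if data is None:
            reasons.append(f"{name}=={version}: not served by index")
        elif sha256_hex(data) not in hashes:
            reasons.append(f"{name}=={version}: digest mismatch, artifact replaced upstream")
    for name, version in fetched:
        if (name, version) not in pinned:
            reasons.append(f"{name}=={version}: not in lockfile, refusing unexpected package")
    return (not reasons, reasons)


def demo() -> tuple:
    """Simulate an index re-serving leftpad 1.3.0 with different contents."""
    pinned = parse_requirements(make_requirements(TRUSTED_ARTIFACTS))
    served = dict(TRUSTED_ARTIFACTS)
    # Constructed: same name and version number, different bytes.
    served[("leftpad", "1.3.0")] = b"leftpad-1.3.0 wheel plus an extra setup.py hook (constructed)"
    return verify_downloads(pinned, served)


if __name__ == "__main__":
    ok, reasons = demo()
    print("install allowed" if ok else "install blocked:\n  " + "\n  ".join(reasons))
```

The point of the check is that a version number alone proves nothing: a package re-uploaded under the same version, or a look-alike name pulled in transitively, fails the digest comparison before any install step runs.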

Recommendations for Chief Information Security Officers (CISOs)

The shift to cloud infrastructure and the "as-a-service" model introduces supply chain uncertainty about who owns which controls and who is accountable for which risks. Those uncertainties must be written into detailed incident detection and response processes and played out in resilience exercises, rather than discovered during a live incident.

Thinking about enterprise resilience, some research suggests that many cyber defence programmes actively protect only about 60% of the business's information infrastructure; the remaining 40% stays exposed to breaches originating in the supply chain, which, given how hard it is to gain visibility of that supply chain, remain invisible until it is too late.

Risks are never eliminated, only managed. For organisations of all sizes, the key defence against supply chain attacks is a proactive cyber defence posture that contains risks and limits the blast radius when a breach occurs anywhere along the chain. That means identifying the most critical data and applying the principle of least privilege to it and to every user, service and resource that can access it. A good exercise is to assume that the most critical assets are already under attack, especially those served by third-party applications that require elevated privileges to operate.

At every point, defenders must be able to respond quickly to a breach. With the guidance above in mind, a zero-trust security model, which focuses on users, assets and resources rather than exclusively on the network perimeter, is proving more effective, but it demands that organisations rigorously authenticate their users as they operate in a more distributed environment. The pandemic, with its sudden shift to remote working, was a good testing ground for this approach.

As the proliferation of offensive cyber tools and as-a-service offerings continues to lower the barrier to entry for attackers, it is wise to work out how to automate security operations so that attacks are identified and responded to more quickly. Automation lets organisations make the best use of their people and gives them the patterns and insights needed to make rapid decisions.

Reliance on third-party providers has, by default, added to the responsibilities of many CISOs: where does the boundary stop? To answer that question, CISOs must engage directly with the broader risk management function and integrate it into their role. Recent high-profile supply chain breaches have exposed the need for CISOs to communicate potential supply chain risks to boards in terms meaningful enough to win support for contingency and mitigation plans. As an example of good practice, the SolarWinds CISO showed that immediate action to confirm the integrity of systems and code, together with proactive engagement with and assistance to customers, greatly aided containment. A response website kept current with the latest updates, and swift responses to inquiries, also proved their worth as a resource-saving mechanism when implemented correctly.

To summarise, in maintaining the organisation’s preparedness, CISOs must, as a minimum, set the conditions to:

  • monitor effectively for vulnerabilities, both existing and emerging;

  • tune internal early-detection capabilities to those vulnerabilities;

  • ensure that scenario-planning exercises keep pace with sophisticated and emerging threats;

  • establish a regime in which response teams can hone their skills and drills against new threats;

  • ensure that these efforts exercise collective preparedness, not just IT or technical response skills.

Looking longer term, verified reproducible builds are being refined as an important counter-measure to supply chain compromise. A reproducible build lets an independent party rebuild the software from the published source and check that the result is bit-for-bit identical, verifying that the distributed artifact really came from the claimed source code and an approved source. The Linux Foundation has been funding work to develop the verified reproducible builds process. Equally, secure by design is gaining traction as a way to stop flaws becoming baked in early, where they are far more expensive, and sometimes impossible, to remove later. Finally, as part of ongoing third-party due diligence, CISOs should verify that their software providers regularly reassess their own suppliers, and confirm that the way those providers mitigate emerging threats and communicate them to customers continues to align with the organisation's plans and expectations.
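The reproducibility check described above, as an added example (written for this page; it is not code from the Linux Foundation effort or from the author): two independent builders package the same constructed source tree at different times. A naive archive records each builder's own timestamps, ownership and entry order and so never matches; the normalised archive pins those fields, which is what SOURCE_DATE_EPOCH-style toolchains do, and the verifier accepts a build only when every independent digest agrees. File names, contents and timestamps are constructed.

```python
import hashlib
import io
import tarfile

# Constructed source tree shared by both builders (contents invented for this example).
SOURCE = {
    "Makefile": b"all:\n\tcc -o app src/main.c\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
# Constructed: builder A checked out the tree a day before builder B,
# so the on-disk modification times differ between the two hosts.
MTIMES_A = {name: 1_700_000_000 for name in SOURCE}
MTIMES_B = {name: 1_700_086_400 for name in SOURCE}


def build_archive(files: dict, mtimes: dict, normalize: bool) -> bytes:
    """Package files into an in-memory tar, as a release step would.

    With normalize=False the archive records whatever the build host saw:
    timestamps, uid/gid, user names and dictionary order.  With
    normalize=True every host-dependent field is pinned to a fixed value
    and entries are sorted by name, the same normalisation reproducible
    build toolchains apply (cf. SOURCE_DATE_EPOCH and tar --sort=name).
    """
    buf = io.BytesIO()
    names = sorted(files) if normalize else list(files)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            if normalize:
                info.mtime = 0
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = mtimes[name]
                info.uid = info.gid = 1000
                info.uname = info.gname = "builder"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def verify_independent_builds(*artifacts: bytes) -> bool:
    """Accept only if every independently produced artifact has the same digest."""
    return len({digest(a) for a in artifacts}) == 1


def demo() -> dict:
    """Build the same tree on both 'hosts', naively and normalised, and compare."""
    naive = (build_archive(SOURCE, MTIMES_A, False), build_archive(SOURCE, MTIMES_B, False))
    repro = (build_archive(SOURCE, MTIMES_A, True), build_archive(SOURCE, MTIMES_B, True))
    return {
        "naive_matches": verify_independent_builds(*naive),
        "reproducible_matches": verify_independent_builds(*repro),
    }


if __name__ == "__main__":
    for label, matched in demo().items():
        print(f"{label}: {'digests agree' if matched else 'digests differ'}")
```

In a real pipeline the artifacts compared are the compiler outputs and packages, not just a tarball, and the same normalisation has to reach every stage that embeds a timestamp, path or host name; the digest comparison at the end is the part a third party can repeat without trusting the vendor's build machine.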

About the author

Dr Chris Crowther is the Head of Professional Services at Nexor. With over 30 years of experience in information assurance and security sectors, Chris has led the delivery of demanding national security programs in the UK, US, and EMEA. Operating at the highest levels of government, he possesses an exceptional track record of driving and delivering change in complex organisations.
