As a cybercrime writer for more than 25 years, I've asked some dumb questions, especially in my early days. Looking back now, however, those questions don't seem so stupid after all.
For example, in 2000, I asked a group of Cisco engineers, "Why don't we just change IP since that trust model is the source of most of our problems?" They were incredulous, saying that IP would never change. But isn't that what IPv6 is?
But the most chilling stupid question I ever asked was, "What happens if my auto update turns out to be malicious?" For conjecturing this idea in my Hack of the Month column for Computerworld, I nearly got shouted off my pedestal as a columnist. "Updates will always be secure. They come from the vendors," my readers said.
Yet in today's reality, we cannot trust that all updates coming from the actual software (and even hardware) manufacturers are secure. For the past few years, malicious actors have been focusing their efforts on infiltrating the computing supply chain and issuing malicious code through updates, hardware components and new installs coming directly from the manufacturers.
In a CSO article in January, Maria Trombly (who worked at Computerworld at the same time I did) wrote the clearest description of supply chain hacking I have seen.
And now, a growing number of news reports indicate just how insidious supply chain attacks are becoming.
In a recent Wired magazine article, Randy Greenberg tells the scary story of a hacking group bent on breaking into software development systems for the sole purpose of poisoning vendor software updates with malware. That malware then reaches user systems through what users perceive as normal, trusted updates, and the updates really do come from their trusted vendors.
Supply chain attacks are not just targeting software updates. Hackers are breaking into developer organizations and modifying the source code of trusted cleanup tools, inserting malware into game development code (including Microsoft Visual Studio) and even installing backdoors and DoS code in hardware components.
Protecting against vulnerabilities in the computing supply chain is no easy task. Most organizations don't even check their vendor partners' vulnerability status, according to the SANS 2019 vulnerability management survey (page 10, registration required). Of those that do, the largest group (28%) check their vendors' vulnerability status only once a year.
"Managing updates is becoming more and more difficult for IT professionals," says Mark Morley, Director of Product Marketing for OpenText Business Network. "These updates will be for both on- and off-cloud solutions, and may be used across multiple devices such as smart phones, tablets and laptop PCs."
For IT professionals managing patch updates, Morley points to good management and testing practices. He also suggests that vendors in the business of software and hardware development build in strong ID/IAM and version control management to prevent unauthorized changes.
"Choosing the right vendor is important if companies want to secure their end-to-end supply chain," he continues. "So, select a vendor that is ISO 27001 compliant. This should ensure that their data center infrastructure, hosted solutions and personnel are authorized to make updates to supply chain solutions in a secure fashion."