US CISA & NIST Issue Guidance to Defend Against Supply Chain Attacks!

New guidance highlights software supply chain risks & tips on how to identify, assess, & mitigate risks.

News about last year’s SolarWinds attack was industry altering. Now, after that incident, 2 US Govt. agencies are issuing guidance to software vendors & customers on how they can be better equipped to defend against future attacks.

This week the US Cybersecurity & Infrastructure Security Agency (CISA) & the US National Institute of Standards & Technology (NIST) released Defending Against Software Supply Chain Attacks (.PDF).

Targeting Lesser Known

A supply chain attack is an attack usually carried out by targeting lesser known or less secure elements in the software supply chain. 3rd-party providers, vendors, or partners with weaker security are a common target.

CISA & NIST observed that recent attacks have been carried out in 3 main ways: by hijacking a vendor’s updates (usually by hacking the vendor’s network), by abusing the code-signing system to falsify trust & make malicious code appear valid, & by compromising open-source code that is included in 3rd-party software.

Common Attack Techniques

This document, released on Mon., gives an overview of software supply chain risks, examples of common attack techniques, & recommendations for developing & overseeing a risk management program.

It encourages readers to think of any product they’re considering purchasing & implementing through the lens of 1 of these programs, like NIST’s Cyber Supply Chain Risk Management (C-SCRM) or Secure Software Development Framework (SSDF).

Mitigate Risks

NIST’s C-SCRM can help organisations identify, assess, & mitigate risks in a distributed supply chain ecosystem. It is not a new concept; it dates back to 2016. However, NIST’s C-SCRM was last updated this month, so its directives are timely.

SSDF is newer & was originally published in April 2020. This framework relies on secure software development practice guidance from BSA, OWASP, & SAFECode. The guide’s aim is to help reduce the number of vulnerabilities in software & mitigate the impact of exploited vulnerabilities.

The guidance is just that: guidance. As SolarWinds showed, malicious, barely detectable vulnerabilities can still find their way in, even after due diligence.

Encouraging Organisations

This is why, in their document, CISA & NIST also encourage organisations to have a vulnerability management program. By having a way to scan for, identify, triage, & mitigate vulnerabilities, businesses can put right any issues that arise in software.

Ensuring software follows a software development life cycle (SDLC), 1 that includes SSDF roles & security requirements, can also help organisations increase the resilience of their software.

Mitigate Vulnerabilities

Organisations should also do the following to mitigate vulnerabilities post-deployment:

  • Archiving & protecting each release of software so that the vendor can analyse, identify, & develop mechanisms to eliminate vulnerabilities discovered post-release.
  • Maintaining processes, & even a formal program, to identify & confirm suspected vulnerabilities in software, whether identified by the vendor, its customers, or 3rd-party researchers.
  • Establishing an assessment, prioritisation, & remediation approach that enables vulnerabilities to be remediated quickly.

There are a handful of additional variables to consider around software procurement & deployment. The new guide is by no means exhaustive, but it should give organisations a baseline on best practices to follow if they are not already.
