Almost a month has passed since an industry leader announced that their network and product had been compromised by a highly sophisticated state-sponsored adversary (see our previous article).
In the meantime, a lot has been discovered as to how the attack was perpetrated. Attackers managed to inject malicious code into the software security updates that are automatically and without question pushed to every customer using their software. The update came from the vendor update servers, was signed with a genuine key, and the software was downloaded and installed automatically.
This allowed threat actors direct access to customer infrastructure and repercussions of this access are still being discovered today.
While major breaches like these are unsettling, they do force us to remember that any company is potentially at risk when it comes to cybersecurity. While we can’t help when a high-level hack like this occurs, we can all implement best security practices and take protective measures to minimize risk and hopefully avoid being impacted.
Perform Due Diligence.
Validate the business relationship with all your vendors to ensure data is handled safely according to existing legislation, that their own environment is secure and regularly updated, etc.
There are several certifications available such as ISO27001 and SOC 2 Type II to validate that partners have been audited by external parties and are compliant with existing legal security requirements.
In other words, make sure all indicators are green before you consider partners as trusted and allow their software into your environment. The same goes for any required connection between their network and yours (e.g., update server, secure proxy/gateway, etc.)
Stay Tuned In
Should their software be affected directly or indirectly, most vendors are able to push out a security update – usually a quick fix – to try to mitigate the impact, if not completely prevent it. Some might even provide their own security update system, but if not, it would need to be downloaded manually from the vendor portal for later deployment.
Make sure you are subscribed to all security newsletters from your vendor and that they’re not misplaced (e.g., detected as spam) and are acted upon once received by the appropriate team. In some highly secure environments, a whole change process exists to validate any software update to be installed, and this can take time, which is key in such a scenario.
Do Not Blindly Accept Any Update.
Although the easy thing to do would be to trust and install any update from your vendor (why wouldn’t you?) you might want to review them first, if possible, to analyze the possible impact, define acceptance criteria, and define a rollback plan in case of issue.
Only download security updates from trusted sites (HTTPS, valid certificates) validated by your software vendor.
Some governmental agencies like the Cybersecurity and Infrastructure Security Agency (CISA) provide security guidance; see Recommended Practices | CISA for more information.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group