3 Strategies to Secure Your Digital Supply Chain

Software products today are assembled from thousands upon thousands of prewritten packages, some created by vendors and some drawn from open-source libraries. Cyber criminals are targeting the most widely used third-party components of this software supply chain, because a single compromised component can be used against thousands, if not millions, of companies across industries around the globe. Firms are not helpless, however. They can rely on the wider security community to find vulnerabilities for them; what they must do themselves is work out which of those vulnerabilities affect them and fix them quickly. This article describes three steps corporate leaders and IT departments can take to identify and fix vulnerabilities and prevent supply chain cyberattacks.

In July 2021, the Russian cybercriminal group REvil paralyzed 800 Swedish grocery stores, two New Zealand schools, the IT systems of two Maryland towns and roughly 1,000 other businesses around the globe. It did so by compromising Kaseya, a remote-management product that IT service providers use to administer their customers' corporate networks. Breaking into Kaseya gave REvil a path into the systems of every organization those providers managed; Kaseya was, in effect, a force multiplier for the attack.

We should now be paying attention to other linchpin technologies, services and products that, if compromised, would have similarly far-reaching consequences. Most software products rely on prewritten packages created by vendors or derived from open-source libraries, and cyber criminals are targeting the most widely used third-party components in those supply chains. Those components are often highly vulnerable: a 2020 audit by Synopsys found that 49% of the commercial codebases it examined contained open-source components with high-risk vulnerabilities. An attacker who exploits such a component can compromise thousands, if not millions, of companies in different industries around the globe. This isn't idle speculation. Highly skilled threat actors have repeatedly targeted supply chain components that are widely used but poorly secured.
In December 2020, Russia's SVR intelligence service inserted malicious code into a software update for SolarWinds' Orion network management software, creating a potential attack vector into the roughly 18,000 government agencies and enterprises that installed the update.

The SVR is not alone. Gen. Paul Nakasone, commander of U.S. Cyber Command, has told Congress that nation-states have made attacks on supply chain vulnerabilities a standard part of their playbook. The security firm Sonatype estimated that more software supply chain attacks occurred in the 12 months to July 2021 than in the previous four years combined.

An adversary who breaks into a company's network can do lasting damage to its reputation and its finances, and many businesses would not survive the consequences: Verizon found that 60% of small and medium-sized businesses close within six months of a cyberattack. It is incumbent on firms to reduce their risk.

To better understand the threat and how it is managed, we conducted semi-structured interviews with people involved in supply chain remediation, including vulnerability coordinators at CERT/CC, the federally funded coordination center at Carnegie Mellon University that helps disclose and fix critical cybersecurity flaws, and chief security officers at technology companies.

Many of the corporate leaders we spoke to were deeply pessimistic about the task. The CEO of one small company admitted that he was not confident his company could secure its supply chain. That pessimism is understandable. According to Synopsys, the average commercial codebase contains 445 open-source components, and very few organizations have the resources or bandwidth to hunt for vulnerabilities across their many third- and fourth-party vendors.

The good news is that firms don't have to. They can rely on others to find vulnerabilities: the growing network of security researchers and information-sharing organizations has discovered thousands of critical vulnerabilities over the past several years.
Businesses need only be aware of the threats that are found and respond to them quickly, and they will soon have more tools for doing so. Software bills of materials (SBOMs), vendor-supplied lists of the components that make up a product, are not yet widely available. But a May 2021 executive order from the Biden administration requires technology vendors that sell software to the federal government, including the largest software manufacturers, to provide SBOMs for their products. That will bring much-needed transparency to the software supply chain, letting a business determine quickly whether a newly disclosed vulnerability affects something it runs.

Finding vulnerabilities, though, is the easier half of the problem. The harder half is prioritizing them and fixing them quickly, and many businesses are not doing so. According to HP-Bromium, many companies have left years-old vulnerabilities unpatched. Companies that fail to patch are at real risk: the co-founder of the incident response firm CrowdStrike has pointed out that criminal groups routinely reverse-engineer patches to work out which vulnerability they fix, then exploit it against organizations that have not yet applied them.

The problem is not insurmountable, even for small companies. IT professionals and corporate leaders can take three steps to identify and fix vulnerabilities and head off supply chain cyberattacks.

First, IT managers should rely more on automated tools to fix simple vulnerabilities. GitHub, the online code repository, has built automated tooling (Dependabot) that identifies vulnerable dependencies in a project's code and proposes the fix as a pull request that can be accepted with a click. Similar services will appear as SBOMs become more common. Yet such tools remain underused: of 1,896 GitHub users contacted about a vulnerability in their code, only 42% accepted the automated patch. That needs to change.

Second, businesses should do a cost-benefit analysis before patching. Many vulnerabilities are difficult to fix, and some products cannot be patched without taking the systems they run on offline.
Nor is it possible to fix every vulnerability, and it is not necessary: most vulnerabilities are never exploited. Fortinet reported that only about 5% of vulnerabilities were exploited against more than 10% of organizations. IT teams can therefore triage vulnerabilities the way a busy hospital triages patients. Vulnerabilities that are both serious and likely to be exploited must be fixed quickly; less urgent ones can wait for the next scheduled maintenance window.

New metrics help with that triage. The Exploit Prediction Scoring System (EPSS), developed by a group of cybersecurity researchers and software developers, estimates the probability that a vulnerability will be exploited in the wild from the vulnerability's characteristics. With it, risk managers can judge whether the security benefit of fixing a given vulnerability outweighs the disruption that remediation would cause.

Third, procurers should insist that vendors of critical technology implement hot patching. Certain technologies, such as the industrial control systems that run factories or the software that manages power grids and water distribution networks, are so crucial that they cannot be allowed to fail. Businesses want them secured no matter how likely or unlikely a given vulnerability is to be exploited. But these systems must be always-on: they cannot be taken down to fix vulnerabilities, so security updates are often put off, and few businesses or governments have the spare capacity to take such systems offline for patching.

Businesses should therefore insist that vendors support hot patching, which lets a fix be applied to running software without restarting it. The capability adds cost, but it means businesses no longer have to choose between availability and security.

These measures won't protect companies from every risk in the software supply chain. EPSS is imperfect and will sometimes produce false negatives, rating as unlikely to be exploited a vulnerability that attackers then do exploit, so a fix that is actually urgent can be ranked as less important than it is.
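The SBOM passage and the EPSS-based triage passage above describe one pipeline: take the vendor's component list, match it against a vulnerability feed, then decide what to patch now and what can wait. The following is an added example of that pipeline, not code from the article or from any vendor. The SBOM is a minimal CycloneDX-style JSON document constructed for the example; the advisory feed (the ADV-EX-* identifiers, affected version ranges, CVSS and EPSS values), the per-component downtime estimates and the triage thresholds are all constructed sample data, not real vulnerabilities or real scores. Real EPSS probabilities would be pulled from FIRST's published data set.

```python
"""Match a vendor SBOM against a vulnerability feed and triage the hits.

Added example, not code from the article or from any vendor. The SBOM
below is a minimal CycloneDX-style JSON document constructed for this
example; the advisory feed (ADV-EX-* identifiers, affected ranges, CVSS
and EPSS values) and the downtime estimates are constructed sample data,
not real vulnerabilities or real scores.
"""
import json
from dataclasses import dataclass

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "2.3.1"},
    {"type": "library", "name": "yaml-parse",     "version": "1.0.9"},
    {"type": "library", "name": "img-codec",      "version": "4.2.0"},
    {"type": "library", "name": "log-shipper",    "version": "0.8.0"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    cvss: float       # severity, 0-10
    epss: float       # estimated probability of exploitation, 0-1


# Constructed advisory feed; the SBOM's img-codec 4.2.0 is already the fixed version.
ADVISORIES = [
    Advisory("ADV-EX-0001", "libexample-tls", "2.0.0", "2.3.4", 9.8, 0.62),
    Advisory("ADV-EX-0002", "yaml-parse",     "1.0.0", "1.1.0", 7.5, 0.02),
    Advisory("ADV-EX-0003", "img-codec",      "4.0.0", "4.2.0", 8.1, 0.40),
    Advisory("ADV-EX-0004", "log-shipper",    "0.5.0", "0.9.0", 5.3, 0.01),
]

# Hours of outage that patching each component would cost (constructed).
DOWNTIME_HOURS = {"libexample-tls": 4.0, "yaml-parse": 0.0, "log-shipper": 8.0}

# Triage thresholds (constructed); tune them to your own risk appetite.
PATCH_NOW_EPSS = 0.10     # treat as "likely to be exploited"
SERIOUS_CVSS = 7.0        # treat as "serious" (CVSS High or above)
WINDOW_URGENCY = 0.50     # epss * cvss above this earns a maintenance window


def parse_version(version):
    """Dotted integer versions only ("1.0.9" -> (1, 0, 9)); extend for other schemes."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, adv):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX-style SBOM."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_hits(sbom_json, advisories):
    """Every (name, version, advisory) where the SBOM component is in the affected range."""
    return [
        (name, version, adv)
        for name, version in load_components(sbom_json)
        for adv in advisories
        if adv.package == name and is_affected(version, adv)
    ]


def triage(adv, downtime_hours):
    """Cost-benefit decision: exploit likelihood and severity versus disruption."""
    if adv.epss >= PATCH_NOW_EPSS and adv.cvss >= SERIOUS_CVSS:
        return "patch now"                 # serious and likely exploited: accept the outage
    if adv.epss * adv.cvss >= WINDOW_URGENCY or downtime_hours == 0:
        return "next maintenance window"   # cheap to do, or worth doing soon
    return "defer, re-check EPSS"          # low likelihood today; scores change, so revisit


def triage_sbom(sbom_json, advisories, downtime):
    """Map advisory_id -> decision for every affected component in the SBOM."""
    return {
        adv.advisory_id: triage(adv, downtime.get(name, 0.0))
        for name, _, adv in find_hits(sbom_json, advisories)
    }


if __name__ == "__main__":
    for name, version, adv in find_hits(SBOM_JSON, ADVISORIES):
        decision = triage(adv, DOWNTIME_HOURS.get(name, 0.0))
        print(f"{name} {version}: {adv.advisory_id} cvss={adv.cvss} epss={adv.epss:.2f} -> {decision}")
```

The version-range check is what turns an SBOM into an answer to "are we exposed?": img-codec appears in the feed but the SBOM shows the fixed version, so it produces no hit. The "defer" branch is where the article's caveat about EPSS false negatives bites; deferred items are not closed, they are re-scored as EPSS updates, and anything that crosses the threshold moves up.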
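The hot patching passage above asks procurers to demand a capability rather than a product, so it helps to see what the capability is. The following is an added example, not code from the article or from any vendor: a hypothetical `Service` whose request handler can be swapped while the process keeps running. The `handle()` and `hot_patch()` API, the `/srv/files` base directory and the two handler versions (a path-building bug and its fix) are all constructed for illustration. Hot patching real industrial control or operating-system software is far more involved (vendor tooling, signed patches, rollback), but the property being bought is the one shown here: the fix takes effect for the next request, and no restart, lost connections or lost state is needed.

```python
"""Hot patching a running service: replace a handler without a restart.

Added example, not code from the article or from any vendor. `Service`,
its handle()/hot_patch() API and both handler versions are hypothetical,
constructed to show the mechanism: the process keeps serving and keeps
its in-memory state while the fix takes effect for the next request.
"""
import posixpath
import threading

BASE_DIR = "/srv/files"   # hypothetical directory the service serves files from


class Service:
    """Minimal long-running service whose request handler can be swapped live."""

    def __init__(self, handler):
        self._handler = handler
        self._lock = threading.Lock()
        self.requests_served = 0    # in-memory state a restart would throw away
        self.patch_generation = 0   # number of hot patches applied so far

    def handle(self, request):
        # Snapshot the current handler under the lock so each request is
        # processed entirely by one version, never half by each.
        with self._lock:
            handler = self._handler
            self.requests_served += 1
        return handler(request)

    def hot_patch(self, new_handler):
        """Swap in a fixed handler; in-flight requests finish on the old one."""
        with self._lock:
            self._handler = new_handler
            self.patch_generation += 1


def handler_v1(request):
    """Original (flawed) handler: trusts the requested name when building the path."""
    return posixpath.normpath(posixpath.join(BASE_DIR, request))


def handler_v2(request):
    """Patched handler: refuses any request that resolves outside BASE_DIR."""
    path = posixpath.normpath(posixpath.join(BASE_DIR, request))
    if not path.startswith(BASE_DIR + "/"):
        raise PermissionError("request escapes the served directory")
    return path


def demo():
    """Serve, patch live, serve again; return what each step produced."""
    svc = Service(handler_v1)
    legit_before = svc.handle("report.pdf")
    bad_before = svc.handle("../../etc/passwd")   # v1 resolves this outside BASE_DIR
    svc.hot_patch(handler_v2)                      # no restart, counters intact
    legit_after = svc.handle("report.pdf")
    try:
        svc.handle("../../etc/passwd")
        bad_after = "allowed"
    except PermissionError:
        bad_after = "blocked"
    return {
        "legit_before": legit_before,
        "bad_before": bad_before,
        "legit_after": legit_after,
        "bad_after": bad_after,
        "requests_served": svc.requests_served,
        "patch_generation": svc.patch_generation,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lock is the only subtle part: the swap is atomic with respect to `handle()`, so a request is never processed partly by the old code and partly by the new, and `requests_served` shows that the service's state carried across the patch. A restart would have reset that counter and dropped any open sessions, which is exactly the outage operators of always-on systems cannot afford.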
Nor will these measures stop attackers who exploit vulnerabilities that the security community has not yet discovered, at least not until the attack itself brings them to light. But by following these steps, companies can repel most attacks that exploit known vulnerabilities. This is a risk businesses can manage; they need not feel helpless about it.