In July, REvil, a Russian cybercrime group, crippled the IT systems of 800 Swedish grocery stores, several New Zealand schools, two Maryland municipalities, and around a thousand other companies around the world. The attackers had discovered that Kaseya, software used by IT service providers to remotely manage corporate networks, had numerous cybersecurity vulnerabilities. By attacking Kaseya, REvil opened a back door into the IT systems of the many organizations that used the software. Kaseya was thus a potent attack vector.
We should now turn our attention to pivotal technology services and products which, if compromised, would have similarly far-reaching effects. Today, most software products rely on thousands of pre-built packages created by vendors or taken from open source libraries. The most commonly used of these third-party software supply chain components are highly valued targets for cyber criminals. And they are vulnerable. A 2020 audit by Synopsys found that 49% of commercial codebases use open source components that have high-risk vulnerabilities. If attackers exploited these vulnerabilities, they could compromise thousands or even millions of companies in every industry and around the world.
These are not idle speculations. Sophisticated threat actors have already targeted widespread – and poorly secured – supply chain components. The Russian foreign intelligence service SVR implanted malicious code in a software update for SolarWinds, a cloud management software. This created a potential attack vector for the SVR into the 18,000 companies and government agencies that dutifully installed the update.
The Russians are not alone. US Cyber Command commander Paul Nakasone told Congress that nation states are increasingly applying “best practices” to address supply chain vulnerabilities. Security company Sonatype estimates that there were over 400% more attacks on the supply chain between July 2019 and March 2020 than in the four previous years combined.
Once an adversary intrudes into an organization’s network, it can cause serious financial and reputational damage. Many companies would not survive the consequences. A study by Verizon found that 60% of small and medium-sized businesses went out of business within six months of a cyber attack. It is therefore up to companies to mitigate their risk.
To better understand the threat and how it is currently managed, we conducted semi-structured interviews with executives at small and medium-sized businesses and with those in the trenches of supply chain clean-up: vulnerability coordinators at CERT/CC, a government-funded organization dedicated to fixing critical cybersecurity bugs, and the chief security officers of technology companies.
Many of the business leaders we spoke to were strikingly fatalistic about this challenge. A small-cap company CEO confessed that he doesn’t think his company could ever secure its supply chain. That instinctive response makes sense. Synopsys’ report found that commercial code bases use an average of 445 open source components. Few companies have the know-how – and almost none have the bandwidth – to search for the cybersecurity vulnerabilities of their numerous third-party and fourth-party providers.
But the good news is that businesses don’t need to feel helpless: they can rely on others outside the company to uncover vulnerabilities. In recent years, the growing ecosystem of security researchers and information-sharing agencies has identified thousands of critical vulnerabilities before malicious actors took advantage of them. Organizations just need to stay informed and respond with a sense of urgency to the threats they may encounter.
Companies will soon have access to even more tools to help them quickly identify whether a vulnerability can compromise them. Currently, only a few vendors publish software bills of materials (SBOMs), which list the supply chain components embedded in the code base of their products. But a recent executive order by the Biden administration requires all technology providers that sign contracts with the federal government (including the most popular software manufacturers) to publicly release SBOMs. This will bring much-needed transparency to the software supply chain.
Rather than hunting for bugs themselves, companies need to prioritize and fix known vulnerabilities quickly. Unfortunately, not many do. A report from HP-Bromium found that many companies had failed to fix security holes for years. Companies that cannot fix vulnerabilities for which a patch exists are at acute risk. As noted by Dmitri Alperovitch, co-founder of leading cyber incident response company CrowdStrike, many criminal groups reverse-engineer patches in order to discover the vulnerabilities they fix and exploit organizations that have not applied them.
The good news is that this problem is not insurmountable for smaller businesses either. Business leaders and IT teams can take three steps to prioritize and remediate vulnerabilities and prevent cyberattacks on the supply chain.
IT managers should rely more on automated tools to fix simple vulnerabilities.
The online code repository GitHub has developed an automated “bot” that identifies simple vulnerabilities in users’ code and fixes them with one click. With the proliferation of SBOMs, similar services are being developed.
However, few companies have implemented these novel tools in their IT workflows. Only 42 of the 1,896 GitHub users contacted about a vulnerability accepted the automated patch. This has to change.
Companies should conduct a cost-benefit analysis for patching vulnerabilities.
Many vulnerabilities will not be easy to fix. Many products can only be patched when their systems are offline. It is therefore impractical to fix every vulnerability.
Fortunately, it is not necessary. Not all vulnerabilities are the same: some are very expensive to weaponize and are therefore rarely exploited. Fortinet has reported that only 5% of vulnerabilities were exploited against more than 10% of the organizations it monitored. Just as a busy hospital triages patients, IT teams can triage vulnerabilities. Exploitable, high-impact vulnerabilities have to be fixed quickly. Organizations can wait for scheduled updates to address less urgent vulnerabilities.
Organizations can use newly created metrics to rank vulnerabilities. For example, the Exploit Prediction Scoring System (EPSS), developed by a team of cybersecurity experts and software vendors, estimates the likelihood of a vulnerability being exploited based on its inherent properties. This tool helps risk managers determine whether the cybersecurity benefit of fixing a vulnerability outweighs the disruption caused by patching it.
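As an added illustration of the two ideas above (an SBOM as the inventory, and EPSS-style exploitation probability combined with a cost-benefit test as the triage rule), the following example is ours, not code from any vendor or from the article; the SBOM, the advisory feed, the vulnerability identifiers, the cost figures and the thresholds are all constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical product (sample data, not a real vendor's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "libalpha", "version": "1.2.0"},
    {"name": "libbeta",  "version": "4.0.1"},
    {"name": "libgamma", "version": "0.9.3"}
  ]
}"""

# Constructed advisory feed keyed by (name, version); the ids are placeholders, not real CVEs.
# epss: EPSS-style probability of exploitation in the wild; severity: CVSS-style base score.
ADVISORIES = {
    ("libalpha", "1.2.0"): [{"id": "VULN-PLACEHOLDER-1", "epss": 0.72, "severity": 9.8}],
    ("libbeta", "4.0.1"): [{"id": "VULN-PLACEHOLDER-2", "epss": 0.01, "severity": 7.5},
                           {"id": "VULN-PLACEHOLDER-3", "epss": 0.15, "severity": 5.3}],
}


def affected_components(sbom_json, advisories):
    """Match every SBOM component against the advisory feed and return the findings."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories.get((comp["name"], comp["version"]), []):
            findings.append({"component": f"{comp['name']}@{comp['version']}", **adv})
    return findings


def triage(findings, breach_cost, patch_cost, urgent_epss=0.10, urgent_severity=7.0):
    """Sort findings into three buckets, hospital-triage style.

    breach_cost: estimated loss if the vulnerability is exploited (assumed figure).
    patch_cost:  cost of the disruption caused by patching out of cycle (assumed figure).
    """
    plan = {"patch now": [], "next scheduled update": [], "defer and monitor": []}
    for f in sorted(findings, key=lambda f: f["epss"] * breach_cost, reverse=True):
        expected_loss = f["epss"] * breach_cost  # probability-weighted cost of doing nothing
        if f["epss"] >= urgent_epss and f["severity"] >= urgent_severity:
            bucket = "patch now"              # exploitable and high impact: fix immediately
        elif expected_loss > patch_cost:
            bucket = "next scheduled update"  # worth fixing, but not worth unscheduled downtime
        else:
            bucket = "defer and monitor"      # disruption outweighs risk today; re-check as EPSS moves
        plan[bucket].append(f["id"])
    return plan


if __name__ == "__main__":
    for bucket, ids in triage(affected_components(SBOM_JSON, ADVISORIES), 500_000, 20_000).items():
        print(f"{bucket}: {ids}")
```

The thresholds and cost figures are the inputs a risk manager would tune; the structure is what matters: exploitability and impact decide what cannot wait, and expected loss versus patch disruption decides the rest.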
Buyers should require critical technology vendors to implement hot patching.
Some technologies, like the industrial control systems that run factories and the software that manages power and water distribution networks, are so critical that they cannot fail. Organizations want them to be free of known vulnerabilities regardless of how exploitable they think the vulnerability is.
But these systems must also always be available. If they had to be shut down for patching, cybersecurity updates would be rare, as companies and governments can seldom afford to take them offline.
Therefore, companies should require their vendors to implement hot patching systems that allow them to deploy patches without having to restart their software. Implementing this functionality can add cost, but it also ensures that organizations don’t have to choose between cybersecurity and availability.
Certainly, these measures will not protect companies from all risks in the software supply chain. Like any imperfect test, EPSS produces false negatives: it sometimes incorrectly concludes that severe vulnerabilities are less urgent. In addition, our proposed security practices do not protect organizations from malicious actors exploiting vulnerabilities that the cybersecurity community does not discover until they are used in an attack. Still, by taking these steps, organizations will be able to ward off most attacks that weaponize known and exploitable vulnerabilities. Companies don’t have to feel powerless – they can manage this risk.