Contact us

If you’ve got a story or event for the GPSJ website, e-mail Stuart Littleford at editor@gpsj.co.uk

January 2022
M T W T F S S
« Dec    
 12
3456789
10111213141516
17181920212223
24252627282930
31  

Archives

Countering Cyberthreats: Becoming Secure by Design

By Charles Damerell, Senior Director, UKI at SolarWinds

Malicious threat actors are now targeting software vendors and IT vendors in a bid to hide zero-day vulnerabilities in legitimate software updates. Since today’s digital supply chains are becoming ever more complex and intertwined, these supply chain attacks now pose a significant threat. By tampering with back-end systems and introducing a backdoor enabling them to compromise software which is then delivered to unsuspecting customers, these highly organised criminals can achieve mass reach and disrupt at scale.

Like many other industry sectors, public sector organisations increasingly reliant on today’s technology supply chains now need to take positive action to prevent these types of supply chain attacks. As well as taking steps to secure their own software environments and development processes, they’ll need to undertake a rigorous due diligence process when evaluating which software technologies are used in their environment.

Initiate a Secure by Design Development and Build Environment

The recent attack method utilised in the attack against SolarWinds highlights how organisations now need to go beyond traditional integrity checks and single software development and build environments. This should include initiating two or more separate environments and building systems featuring separate user credentials. This will ensure the integrity of each build environment can be independently verified, and potential compromises addressed.

Similarly, developers should adopt a ‘belt and braces’ approach, undertaking source discovery/analysis and PEN testing at every stage of the design process. This will ensure the build pipeline is regularly reviewed and appropriate security controls can be applied to every asset.

Adopt Zero-Trust/Least Privilege

Using compromised or stolen credentials to access an organisation’s development environment is the top approach used by cyber criminals looking to breach organisations relying on software as a service (SaaS) tools and platforms.

To proactively protect themselves, public sector organisations should implement stronger and deeper endpoint protection as well as zero-trust and least privilege access policies and mechanisms. This includes strictly enforcing requirements for multi-factor authentication in all environments and using privileged access management platforms for all administrative accounts.

Use Attack Simulations to Test Defences

Using Red Team vs. Blue team exercises to simulate full-scale tailored attacks will enable cybersecurity teams to gain first-hand experience at responding to and repudiating attacks that utilise the latest techniques and methods. Indeed, the National Cyber Security Centre (NCSC) recommends organisations take advantage of free-to-use platforms like the MITRE ATT&CK® framework to fine-tune their white hat intrusion simulations and find ways to disrupt an attack.

Perform Due Diligence on Suppliers

The cascading nature of today’s supply chain attacks means public sector organisations will now need to undertake detailed checks on all technology vendors. Ideally, every RFP or due diligence process should incorporate the following key seven questions to help public sector organisations explore and assess the security posture of any supplier:

1. What is your approach to the secure development lifecycle?

2. How do you secure software code and its associated infrastructure?

3. Have you implemented enterprise risk management (ERM)? If yes, please describe the programme.

4. When a threat or vulnerability is discovered by or disclosed to your organisation, what is your process for notifying your customers? Does this include providing details of possible mitigations?

5. What level of detail do your internal processes provide to identify internal threats? For example, which individuals were responsible for specific source code, software module, library, and/or hardware changes used within your products?

6. What are your internal processes to validate:

• Product changes against a traceable baseline
• When they occurred
• Attribute the changes to their source(s)
• A means to investigate changes without an established lineage

7. Does your organisation have an internal hiring screening process sufficient to identify adversarial actors, domestic/foreign terrorists, and/or candidates with criminal backgrounds?

By implementing a Secure by Design mindset in everything they do and establishing minimum security standards for their suppliers, public sector organisations can improve their overall resilience and confidently reduce the number and impact of supply chain attacks they experience.

At the end of the day, security is everyone’s business. Those public sector organisations that boost control of their supply chains and take steps to continually improve their own defences using secure design principles can minimise the risk of being compromised.

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  

  

  

This site uses Akismet to reduce spam. Learn how your comment data is processed.