{"id":6267,"date":"2022-01-05T21:47:46","date_gmt":"2022-01-05T20:47:46","guid":{"rendered":"https:\/\/www.gpsj.co.uk\/?p=6267"},"modified":"2022-01-05T21:51:56","modified_gmt":"2022-01-05T20:51:56","slug":"countering-cyberthreats-becoming-secure-by-design","status":"publish","type":"post","link":"https:\/\/www.gpsj.co.uk\/?p=6267","title":{"rendered":"Countering Cyberthreats: Becoming Secure by Design"},"content":{"rendered":"

By Charles Damerell, Senior Director, UKI at SolarWinds<\/span><\/p>\n

Malicious threat actors are now targeting software vendors and IT vendors in a bid to hide zero-day vulnerabilities in legitimate software updates. Since today\u2019s digital supply chains are becoming ever more complex and intertwined, these supply chain attacks now pose a significant threat. By tampering with back-end systems and introducing a backdoor enabling them to compromise software which is then delivered to unsuspecting customers, these highly organised criminals can achieve mass reach and disrupt at scale.<\/p>\n

Like many other industry sectors, public sector organisations increasingly reliant on today\u2019s technology supply chains now need to take positive action to prevent these types of supply chain attacks. As well as taking steps to secure their own software environments and development processes, they\u2019ll need to undertake a rigorous due diligence process when evaluating which software technologies are used in their environment.<\/p>\n

Initiate a Secure by Design Development and Build Environment<\/strong><\/p>\n

The recent attack method utilised in the attack against SolarWinds highlights how organisations now need to go beyond traditional integrity checks and single software development and build environments. This should include initiating two or more separate environments and building systems featuring separate user credentials. This will ensure the integrity of each build environment can be independently verified, and potential compromises addressed.\"\"<\/a><\/p>\n

Similarly, developers should adopt a \u2018belt and braces\u2019 approach, undertaking source discovery\/analysis and PEN testing at every stage of the design process. This will ensure the build pipeline is regularly reviewed and appropriate security controls can be applied to every asset.<\/p>\n

Adopt Zero-Trust\/Least Privilege<\/strong><\/p>\n

Using compromised or stolen credentials to access an organisation\u2019s development environment is the top approach used by cyber criminals looking to breach organisations relying on software as a service (SaaS) tools and platforms.<\/p>\n

To proactively protect themselves, public sector organisations should implement stronger and deeper endpoint protection as well as zero-trust and least privilege access policies and mechanisms. This includes strictly enforcing requirements for multi-factor authentication in all environments and using privileged access management platforms for all administrative accounts.<\/p>\n

Use Attack Simulations to Test Defences<\/strong><\/p>\n

Using Red Team vs. Blue team exercises to simulate full-scale tailored attacks will enable cybersecurity teams to gain first-hand experience at responding to and repudiating attacks that utilise the latest techniques and methods. Indeed, the National Cyber Security Centre (NCSC) recommends organisations take advantage of free-to-use platforms like the MITRE ATT&CK\u00ae framework to fine-tune their white hat intrusion simulations and find ways to disrupt an attack.<\/p>\n

Perform Due Diligence on Suppliers<\/strong><\/p>\n

The cascading nature of today\u2019s supply chain attacks means public sector organisations will now need to undertake detailed checks on all technology vendors. Ideally, every RFP or due diligence process should incorporate the following key seven questions to help public sector organisations explore and assess the security posture of any supplier:<\/p>\n

1. What is your approach to the secure development lifecycle?<\/p>\n

2. How do you secure software code and its associated infrastructure?<\/p>\n

3. Have you implemented enterprise risk management (ERM)? If yes, please describe the programme.<\/p>\n

4. When a threat or vulnerability is discovered by or disclosed to your organisation, what is your process for notifying your customers? Does this include providing details of possible mitigations?<\/p>\n

5. What level of detail do your internal processes provide to identify internal threats? For example, which individuals were responsible for specific source code, software module, library, and\/or hardware changes used within your products?<\/p>\n

6. What are your internal processes to validate:<\/p>\n

\u2022\u00a0Product changes against a traceable baseline
\n\u2022\u00a0When they occurred
\n\u2022 Attribute the changes to their source(s)
\n\u2022\u00a0A means to investigate changes without an established lineage<\/p>\n

7. Does your organisation have an internal hiring screening process sufficient to identify adversarial actors, domestic\/foreign terrorists, and\/or candidates with criminal backgrounds?<\/p>\n

By implementing a Secure by Design mindset in everything they do and establishing minimum security standards for their suppliers, public sector organisations can improve their overall resilience and confidently reduce the number and impact of supply chain attacks they experience.<\/p>\n

At the end of the day, security is everyone\u2019s business. Those public sector organisations that boost control of their supply chains and take steps to continually improve their own defences using secure design principles can minimise the risk of being compromised.<\/p>\n","protected":false},"excerpt":{"rendered":"

By Charles Damerell, Senior Director, UKI at SolarWinds<\/p>\n

Malicious threat actors are now targeting software vendors and IT vendors in a bid to hide zero-day vulnerabilities in legitimate software updates. Since today\u2019s digital supply chains are becoming ever more complex and intertwined, these supply chain attacks now pose a significant threat. By tampering with back-end <\/p>\n

Continue reading Countering Cyberthreats: Becoming Secure by Design<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[1312,1],"tags":[2659,753,2657,25,417,26,264,143,2656,1263,310,416,422,2658,1152],"class_list":["post-6267","post","type-post","status-publish","format-standard","hentry","category-central-government","category-it-it-security","tag-charles-damerell","tag-cyberattacks","tag-erm","tag-government-public-sector-journal","tag-government-journal","tag-gpsj","tag-gpsj-magazine","tag-it","tag-mitre-attck","tag-national-cyber-security-centre-ncsc","tag-public-sector","tag-public-sector-journal","tag-public-sector-magazine","tag-secure-by-design","tag-solarwinds","odd"],"yoast_head":"\nCountering Cyberthreats: Becoming Secure by Design - Government & Public Sector Journal<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.gpsj.co.uk\/?p=6267\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Countering Cyberthreats: Becoming Secure by Design - Government & Public Sector Journal\" \/>\n<meta property=\"og:description\" content=\"By Charles Damerell, Senior Director, UKI at SolarWinds Malicious threat actors are now targeting software vendors and IT vendors in a bid to hide zero-day vulnerabilities in legitimate software updates. Since today\u2019s digital supply chains are becoming ever more complex and intertwined, these supply chain attacks now pose a significant threat. By tampering with back-end Continue reading Countering Cyberthreats: Becoming Secure by Design\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.gpsj.co.uk\/?p=6267\" \/>\n<meta property=\"og:site_name\" content=\"Government & Public Sector Journal\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-05T20:47:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-01-05T20:51:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.gpsj.co.uk\/wp-content\/uploads\/2021\/09\/IMG_2075-300x200.jpg\" \/>\n<meta name=\"author\" content=\"The GPSJ Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"The GPSJ Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267\"},\"author\":{\"name\":\"The GPSJ Team\",\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/#\\\/schema\\\/person\\\/d54386f99736367ec2789825fed93b4a\"},\"headline\":\"Countering Cyberthreats: Becoming Secure by Design\",\"datePublished\":\"2022-01-05T20:47:46+00:00\",\"dateModified\":\"2022-01-05T20:51:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267\"},\"wordCount\":714,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.gpsj.co.uk\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/IMG_2075-300x200.jpg\",\"keywords\":[\"Charles Damerell\",\"Cyberattacks\",\"ERM\",\"Government & Public Sector Journal\",\"Government Journal\",\"GPSJ\",\"GPSJ Magazine\",\"IT\",\"MITRE ATT&CK\u00ae\",\"National Cyber Security Centre (NCSC)\",\"public sector\",\"Public Sector Journal\",\"Public Sector Magazine\",\"Secure by Design\",\"Solarwinds\"],\"articleSection\":[\"Central Government\",\"IT & IT Security\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267\",\"url\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267\",\"name\":\"Countering Cyberthreats: Becoming Secure by Design - Government & Public Sector Journal\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.gpsj.co.uk\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/IMG_2075-300x200.jpg\",\"datePublished\":\"2022-01-05T20:47:46+00:00\",\"dateModified\":\"2022-01-05T20:51:56+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/#\\\/schema\\\/person\\\/d54386f99736367ec2789825fed93b4a\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267#primaryimage\",\"url\":\"https:\\\/\\\/www.gpsj.co.uk\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/IMG_2075-300x200.jpg\",\"contentUrl\":\"https:\\\/\\\/www.gpsj.co.uk\\\/wp-content\\\/uploads\\\/2021\\\/09\\\/IMG_2075-300x200.jpg\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?p=6267#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.gpsj.co.uk\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Countering Cyberthreats: Becoming Secure by Design\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/#website\",\"url\":\"https:\\\/\\\/www.gpsj.co.uk\\\/\",\"name\":\"Government & Public Sector Journal\",\"description\":\"Public Sector, Government, business, stories and news along with latest developments, research, thought leadership, strategy, policy and insights\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.gpsj.co.uk\\\/#\\\/schema\\\/person\\\/d54386f99736367ec2789825fed93b4a\",\"name\":\"The GPSJ Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/13cdd73dc4abbd6e05b80a0562c7c553a9104ad2e5e96ee20afca2c462894143?s=96&d=blank&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/13cdd73dc4abbd6e05b80a0562c7c553a9104ad2e5e96ee20afca2c462894143?s=96&d=blank&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/13cdd73dc4abbd6e05b80a0562c7c553a9104ad2e5e96ee20afca2c462894143?s=96&d=blank&r=g\",\"caption\":\"The GPSJ Team\"},\"sameAs\":[\"http:\\\/\\\/gpsj.co.uk\"],\"url\":\"https:\\\/\\\/www.gpsj.co.uk\\\/?author=3\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Countering Cyberthreats: Becoming Secure by Design - Government & Public Sector Journal","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.gpsj.co.uk\/?p=6267","og_locale":"en_GB","og_type":"article","og_title":"Countering Cyberthreats: Becoming Secure by Design - Government & Public Sector Journal","og_description":"By Charles Damerell, Senior Director, UKI at SolarWinds Malicious threat actors are now targeting software vendors and IT vendors in a bid to hide zero-day vulnerabilities in legitimate software updates. Since today\u2019s digital supply chains are becoming ever more complex and intertwined, these supply chain attacks now pose a significant threat. By tampering with back-end Continue reading Countering Cyberthreats: Becoming Secure by Design","og_url":"https:\/\/www.gpsj.co.uk\/?p=6267","og_site_name":"Government & Public Sector Journal","article_published_time":"2022-01-05T20:47:46+00:00","article_modified_time":"2022-01-05T20:51:56+00:00","og_image":[{"url":"https:\/\/www.gpsj.co.uk\/wp-content\/uploads\/2021\/09\/IMG_2075-300x200.jpg","type":"","width":"","height":""}],"author":"The GPSJ Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"The GPSJ Team","Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.gpsj.co.uk\/?p=6267#article","isPartOf":{"@id":"https:\/\/www.gpsj.co.uk\/?p=6267"},"author":{"name":"The GPSJ Team","@id":"https:\/\/www.gpsj.co.uk\/#\/schema\/person\/d54386f99736367ec2789825fed93b4a"},"headline":"Countering Cyberthreats: Becoming Secure by Design","datePublished":"2022-01-05T20:47:46+00:00","dateModified":"2022-01-05T20:51:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.gpsj.co.uk\/?p=6267"},"wordCount":714,"commentCount":0,"image":{"@id":"https:\/\/www.gpsj.co.uk\/?p=6267#primaryimage"},"thumbnailUrl":"https:\/\/www.gpsj.co.uk\/wp-content\/uploads\/2021\/09\/IMG_2075-300x200.jpg","keywords":["Charles Damerell","Cyberattacks","ERM","Government & Public Sector Journal","Government Journal","GPSJ","GPSJ Magazine","IT","MITRE ATT&CK\u00ae","National Cyber Security Centre (NCSC)","public sector","Public Sector Journal","Public Sector Magazine","Secure by Design","Solarwinds"],"articleSection":["Central Government","IT & IT Security"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.gpsj.co.uk\/?p=6267#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.gpsj.co.uk\/?p=6267","url":"https:\/\/www.gpsj.co.uk\/?p=6267","name":"Countering Cyberthreats: Becoming Secure by Design - Government & Public Sector Journal","isPartOf":{"@id":"https:\/\/www.gpsj.co.uk\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.gpsj.co.uk\/?p=6267#primaryimage"},"image":{"@id":"https:\/\/www.gpsj.co.uk\/?p=6267#primaryimage"},"thumbnailUrl":"https:\/\/www.gpsj.co.uk\/wp-content\/uploads\/2021\/09\/IMG_2075-300x200.jpg","datePublished":"2022-01-05T20:47:46+00:00","dateModified":"2022-01-05T20:51:56+00:00","author":{"@id":"https:\/\/www.gpsj.co.uk\/#\/schema\/person\/d54386f99736367ec2789825fed93b4a"},"breadcrumb":{"@id":"https:\/\/www.gpsj.co.uk\/?p=6267#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.gpsj.co.uk\/?p=6267"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.gpsj.co.uk\/?p=6267#primaryimage","url":"https:\/\/www.gpsj.co.uk\/wp-content\/uploads\/2021\/09\/IMG_2075-300x200.jpg","contentUrl":"https:\/\/www.gpsj.co.uk\/wp-content\/uploads\/2021\/09\/IMG_2075-300x200.jpg","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.gpsj.co.uk\/?p=6267#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.gpsj.co.uk\/"},{"@type":"ListItem","position":2,"name":"Countering Cyberthreats: Becoming Secure by Design"}]},{"@type":"WebSite","@id":"https:\/\/www.gpsj.co.uk\/#website","url":"https:\/\/www.gpsj.co.uk\/","name":"Government & Public Sector Journal","description":"Public Sector, Government, business, stories and news along with latest developments, research, thought leadership, strategy, policy and insights","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.gpsj.co.uk\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.gpsj.co.uk\/#\/schema\/person\/d54386f99736367ec2789825fed93b4a","name":"The GPSJ Team","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/secure.gravatar.com\/avatar\/13cdd73dc4abbd6e05b80a0562c7c553a9104ad2e5e96ee20afca2c462894143?s=96&d=blank&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/13cdd73dc4abbd6e05b80a0562c7c553a9104ad2e5e96ee20afca2c462894143?s=96&d=blank&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/13cdd73dc4abbd6e05b80a0562c7c553a9104ad2e5e96ee20afca2c462894143?s=96&d=blank&r=g","caption":"The GPSJ Team"},"sameAs":["http:\/\/gpsj.co.uk"],"url":"https:\/\/www.gpsj.co.uk\/?author=3"}]}},"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/6267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6267"}],"version-history":[{"count":8,"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/6267\/revisions"}],"predecessor-version":[{"id":6275,"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/6267\/revisions\/6275"}],"wp:attachment":[{"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gpsj.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}