Securing the Supply Chain

Before a supply chain can be improved, it must be understood. Rather than attacking one target, it is more effective to manipulate the supply chain to gain access to multiple targets. The 2013 Target breach was an example of a supply chain attack, as the hackers used credentials stolen from the HVAC provider, Fazio Mechanical Services, to gain access. The 2018 Ticketmaster breach was also a supply chain attack, as was the 2017 NotPetya incident. It is predicted that supply chain attacks will continue to increase in 2023 and beyond, as they provide a high return on investment for malicious actors. These attacks often target smaller organizations first, as they are less likely to have a strong cybersecurity setup. Large organizations should consider requiring their vendors to follow certain security best practices. Software supply chain attacks are a particular area of concern, as they have a large potential blast radius and can affect entire markets. Open source software libraries are particularly vulnerable, as they are often used to deliver software faster. To protect against these attacks, organizations should be aware of the open source software they are using and use software bills of material. Physical supply chain attacks are also a possibility, as seen in the Ukraine/Russia conflict and the Colonial Pipeline incident. To protect against these, organizations should review the security policies of all those in the chain and use compensating controls such as egress filtering.

This Cyber News was published on www.securityweek.com. Publication date: Thu, 02 Feb 2023 12:17:02 +0000

Cyber News related to Securing the Supply Chain

Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
1 year ago Feeds.dzone.com

New "MITRE ATT&CK-like" framework outlines software supply chain attack TTPs - A new open framework seeks to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack ...
2 years ago Csoonline.com

CISA Announces Renewal of the Information and Communications Technology Supply Chain Risk Management Task Force - The Task Force, chaired by CISA's National Risk Management Center and the Information Technology and Communications Sector Coordinating Councils, is a public-private partnership composed of a diverse range of representatives from public and private ...
1 year ago Cisa.gov

Supply Chain Cybersecurity - CISO Risk Management Guide - As regulatory scrutiny intensifies and cyber threats grow more sophisticated, CISOs must adopt a proactive, strategic approach to supply chain cybersecurity risk management, making it a boardroom priority and an integral part of organizational ...
7 months ago Cybersecuritynews.com

SCS 9001 2.0 reveals enhanced controls for global supply chains - In this Help Net Security interview, Mike Regan, VP of Business Performance at TIA, discusses SCS 9001 Release 2.0, a certifiable standard crafted to assist organizations in operationalizing the NIST and other government guidelines and frameworks. ...
2 years ago Helpnetsecurity.com

Securing the Supply Chain - Before a supply chain can be improved, it must be understood. Rather than attacking one target, it is more effective to manipulate the supply chain to gain access to multiple targets. The 2013 Target breach was an example of a supply chain attack, as ...
2 years ago Securityweek.com

UK, ROK sound alarm over North Korean supply chain attacks The Register - The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks. "In an increasingly digital and interconnected ...
2 years ago Theregister.com Lazarus Group

How AI could bolster software supply chain security - SAN FRANCISCO - While supply chain risks remain prevalent across enterprises of all sizes, Synopsys' Tim Mackey said AI tools will enable developers more than attackers - at least for now. Supply chain security was a significant topic that speakers ...
1 year ago Techtarget.com

Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack - On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository. We immediately notified the WordPress Plugin's Team and they removed the ...
1 year ago Wordfence.com

Synopsys Introduces Latest Solution for Comprehensive Security Across Software Supply Chains - Synopsys has introduced Black Duck® Supply Chain Edition, a novel software composition analysis solution. This offering aids organisations in mitigating upstream risks within their software supply chains. Black Duck® Supply Chain Edition ...
1 year ago Itsecurityguru.org

New Survey Finds a Paradox of Confidence in Software Supply Chain Security - Get results of and analysis on ESG's new survey on supply chain security. New research reveals that, despite increasing attacks and incidents against software supply chains, a surprising number of firms believe their defense is sufficient. This gap ...
1 year ago Securityboulevard.com

Shai-Halud Supply Chain Attack: A New Threat to Cybersecurity - The Shai-Halud supply chain attack represents a significant escalation in cyber threats targeting global supply networks. This sophisticated attack exploits vulnerabilities in software supply chains, allowing threat actors to infiltrate multiple ...
3 months ago Cybersecuritynews.com

NPM Supply Chain Attack via ctrl-tinycolor Package Exposes Thousands of Projects - A recent supply chain attack targeting the npm ecosystem has been uncovered, involving the malicious ctrl-tinycolor package. This incident highlights the growing threat of supply chain compromises in open-source software repositories. The attacker ...
3 months ago Cybersecuritynews.com

Assessing and mitigating cybersecurity risks lurking in your supply chain - Most involve the supply of software and digital services, or at least are reliant in some way on online interactions. SMBs in particular may not proactively be looking, or have the resources, to manage security in their supply chains. Blindly ...
1 year ago Welivesecurity.com

Securing Linux Containers - A Guide for Cloud-Native Environments - “A core principle of container security is reducing the attack surface-the total of all points where an unauthorized user could try to access the system,” notes a recent TuxCare security advisory. The most effective container security ...
7 months ago Cybersecuritynews.com

Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator - The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected anywhere from 100,000 to tens of millions of websites has been traced to a common operator, according to ...
1 year ago Bleepingcomputer.com

Securing Student Data in Cloud Services - In today's educational landscape, securing student data in cloud services is of utmost importance. One key aspect of securing student data in cloud services is ensuring proper data encryption. This article explores the various challenges and best ...
2 years ago Securityzap.com

Council Gives Green Light to Europe's Corporate Sustainability Due Diligence Directive - For most businesses, corporate responsibility has evolved from a peripheral concern to a core consideration. Today, with the Council's vote on the European Union Corporate Sustainability Due Diligence Directive, the EU took a significant step toward ...
1 year ago Feedpress.me

Supply Chain Worm Infects Hundreds of NPM Packages - A recent supply chain attack has compromised hundreds of NPM packages, posing significant risks to the JavaScript development community. This widespread infection involves malicious actors injecting harmful code into popular open-source libraries, ...
3 months ago Infosecurity-magazine.com