I was fortunate to be on a panel to discuss the Software Supply Chain with Richard Rushing, Bryan Hurd and Richard Greenberg (moderator) for the ISSA Los Angeles chapter on Wednesday (1/19/21). Click here to view the recording, https://www.youtube.com/watch?v=y3wqCc34tME.
Supply chain security can refer to suppliers who provide services, staffing, support, or who develop software/hardware. The supply chain is varied and different across industry segments and organizations. If you consider the development of applications or electronics, there may be a long list of companies who contribute to the final product. The longer the supply chain and the less visibility you have into (or ability to assess) each supplier, the higher the overall complexity and resulting risk to your organization.
Let’s consider the software that we use in our own organizations. There is a lot of it. Do you have a complete inventory of the software you have running on your endpoints, or supporting business processes? Having a granular software inventory and an approved enterprise application catalog is a starting point. The granular information you need includes: “Who owns and makes decisions about the application?” “Who supports and patches it?” “Who budgets for and pays for licenses?” “What is the application architecture and how does it communicate?” Having a central trusted software inventory (this may differ between desktops and servers) is a starting point. Read More
=&0=& for the federal government for years, but the Trump administration has increased the focus on them. Homeland Security last year banned government agencies from using products made by the Russian cyber firm Kaspersky Lab, citing the risk that Moscow could secretly access the company’s data or reach into its customers’ computers. Congress codified a similar ban later that year. DHS is also seeking industry feedback on a broader supply chain risk management initiative . And on Thursday, the telecom agency NTIA launched a project to encourage more transparency around the building blocks of software, with the goal of reducing hidden risks that can threaten the U.S. supply chain.
=&1=& on supply chain threats. Some lawmakers are trying to impose Kaspersky-like restrictions on the Chinese telecom giants Huawei and ZTE. Others have introduced bipartisan legislation to tackle supply chain risk management more holistically, and the White House has circulated a draft proposal that closely mirrors that bill. Meanwhile, the commerce committees have encouraged the FCC and the Agriculture Department to prevent telecom companies that receive federal subsidies from buying Huawei or ZTE products. At a recent federal advisory board meeting, a House Energy and Commerce Committee staffer noted that rural telecom operators in particular were liable to buy from these Chinese firms because they often offered better prices than American competitors.
[Infosecurity Magazine] “PwC UK worked closely with UK defense firm BAE Systems and the new National Cyber Security Centre (NCSC) to uncover “Operation Cloud Hopper”, which they’re claiming to be “one of the largest ever sustained global cyber espionage campaigns.”
Such “stepping stone” attacks are not uncommon, but the scale of this campaign is noteworthy, with MSP infrastructure used as “part of a complex web of exfiltration routes spanning multiple victim networks.”
The group behind the attacks may have started operations as early as 2014, although it stepped up activity in 2016, adapting its tools and techniques all the time.”
Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware --
Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
