A software supply chain attack involves the infiltration and corruption of a software company’s product. The attacker inserts malicious code into a software component that is then compiled into a software package update. The compromised package is subsequently made available to the software provider’s customers as an update to the package they are already running. That update then becomes the vehicle by which the attackers penetrate the IT environments of the software company’s customers.
The most recent examples of these kinds of attacks include SolarWinds Orion software and Kaseya’s Virtual System Administrator (VSA) software. Both software packages are used by companies to monitor and manage their IT environments. In December 2020, it was discovered that hackers had inserted malicious code into an Orion software update that was subsequently distributed to hundreds of companies and government agencies. The apparent aim was theft of intellectual property and espionage. In July 2021, it was discovered that hackers had infiltrated Kaseya’s systems and inserted malicious code into a VSA software update. This update was distributed to approximately 60 managed service providers (MSPs), enabling the attackers to push malicious changes through those MSPs and infect over 1,000 companies with ransomware.
What does a managed service provider do?
A managed service provider delivers services, such as network, application, infrastructure, and security, via ongoing and regular support and active administration either on customers’ premises, in their own data center (hosting), or in a third-party data center. MSPs often provide hosting for an organization’s data as well as its systems.
What factor did trust play in these incidents?
Organizations assume that software updates from a verified source are unadulterated
It is assumed that MSPs will take proper steps to shield their customers from harm
Both software companies and MSPs are seldom subject to audit by their customers
What is the cost to compromised organizations?
Compromise of key financial systems and unauthorized movement of funds
Investigative costs to ascertain the scope of the breach
Costs required to sanitize the IT environment and remove any back doors
Impact of public disclosure on stock value and market share
Cost of lawsuits and potential regulatory actions
Price increases for cyber insurance or cancellation of policy
Some of the ways to protect your organization
Supply Chain and Vendor Risk Management – Review your previous vendor risk management (VRM) assessments, including those covering software vendors and MSPs. It may be time to perform a new one.
Zero Trust Architecture – Zero Trust requires all users, local and remote, to authenticate, be authorized and validate their security configuration before getting or retaining access to corporate applications, systems, or data.
Network Segmentation – As its name implies, network segmentation is splitting a computer network into subnetworks, each one a separate network segment, so that a compromise in one segment does not automatically grant access to the others.
Identity and Access Management – Identity and access management enables granular access control and auditing across all IT assets, both on premises and in the cloud.
Security Operations Center (SOC) Risk Management – The focus of a SOC is the round-the-clock monitoring, management, and operational improvement of the organization's security posture.
ManpowerGroup® (NYSE: MAN), the leading global workforce solutions company, helps organizations transform in a fast-changing world of work by sourcing, assessing, developing and managing the talent that enables them to win. We develop innovative solutions for hundreds of thousands of organizations every year, providing them with skilled talent while finding meaningful, sustainable employment for millions of people across a wide range of industries and skills. Our expert family of brands – Manpower, Experis, Talent Solutions, and Jefferson Wells – creates substantially more value for candidates and clients across more than 75 countries and territories and has done so for over 70 years. See how ManpowerGroup is powering the future of work, visit www.manpowergroup.us