Cyber Security is generally accepted to encompass the protection of our interconnected information systems and assets including hardware, software, applications and data. In that range of topics, one of the most important areas of concern for Cyber Security professionals is Vulnerability and Patch Management within the realm of Security Operations.
Vulnerability and Patch Management is the ongoing practice of ensuring that your systems and applications are kept up to date and are scanned for known and unknown vulnerabilities. The conventional wisdom is simple – when a software vendor provides security updates for a critical application, they should be installed as soon as possible. Right?
Microsoft issues security patches for Windows and Office applications on the second Tuesday of each month. Apple issues security updates a handful of times per year. Other vendors have similar programs.
When a vendor issues security updates, it usually discloses the particular security vulnerabilities the update was intended to fix. So, as soon as a security update is released, the vulnerability becomes “public”. Now that the vulnerability is known to bad actors as well, it is even more crucial that the fixes be applied in a timely manner.
All of this assumes that the vendor (the “Supplier” of this particular “Supply Chain”) has not already been compromised. Imagine if a hacker could get into the systems of our software supplier and make changes to released software that add malware. Diligent users would unknowingly, and quite reliably, continue to install updates that now include malware.
If this sounds like a nightmare scenario, it is. And it has already happened.
Examine the case of the NotPetya worm. It started at a small company in Ukraine that supplies a piece of software called M.E.Doc. You probably don’t use M.E.Doc, so you are not worried, right? M.E.Doc is accounting software used in Ukraine (think Quicken/TurboTax) and is required for filing national taxes, so a large number of Ukraine-based companies use it. In the spring of 2017, outside forces (likely Russian) hijacked the company’s update servers, injecting malware that included a small but critical backdoor into the software. As users updated their systems, they were infected with the backdoor, which lay dormant for a month or two.
Then the attack was launched. It leveraged other vulnerabilities in Windows known as Eternal Blue and Mimikatz. These rely on the attacker already being “inside” a company’s network, behind the firewall, and once there the worm was able to spread globally, encrypting data and demanding a ransom. Large multinational companies were affected, including banks, large shipping interests, manufacturers and more. If your company had an office in Ukraine, you may have been affected. If one of the suppliers you connect to has offices in Ukraine, or is connected to someone who does, you might have been affected.
The upshot is this: Supply Chain security in Cyber Security is now a multi-level concern. Security professionals must consider not only who might get into their own network, but who might get into their supplier’s network, who might get into their suppliers’ suppliers’ networks, and so on.
As in other areas of Supply Chain security, we must concern ourselves not only with preventing bad things from happening, but with assuming that they can happen, and with limiting what can be done when they happen anyway.
And there is no simple answer. Keep systems up to date to protect against known vulnerabilities. But know that these updates can themselves introduce other vulnerabilities.
This article was written by Dave Ehman and edited by Kristina Weber. For more content like this, be sure to subscribe to Centry Blog for new articles every other week on topics relevant to the security industry. Follow us on Twitter @CentryCyber and @CentryLTD!