Software supply chain attacks and ransomware have been common security themes in recent months. Malicious content injected into widely used software such as SolarWinds, and the exploitation of 0-day vulnerabilities in software such as Kaseya VSA, have in recent months caused major concerns, downtime and substantial financial losses for large companies globally, most recently Coop.
Sami Hyytiäinen, technical expert at Advenica, explains how updates can be a major security risk and what measures are needed to ensure the security of software updates and the software supply chain.
As businesses in IT rely more and more on 3rd parties and service providers, the resilience of the supply chains becomes critical. Supply chains often form a complex web of interconnected, multi-level delivery chains, in which different providers are linked to customers and also to each other. A breach in just one of these links can have direct ramifications for a vast number of businesses. The effects spread from a local incident to a global one in an instant, given that many businesses and IT providers are international.
Nowadays, practically all businesses have to rely on software supply chains, even in the case of an on-premises IT infrastructure and local maintenance. Also, all software, whether it is an operating system or a business application, needs updates from vendors to implement new features, fix bugs or patch critical vulnerabilities. These updates are downloaded from the vendor, or from some other trusted party, over the internet. In some cases they are also transferred manually on portable media to reduce the risk of tampering by a malicious outside actor.
When implementing software updates, it is good security practice to use only trusted sources and to verify the integrity of the update packages by checking that the hash sum of each downloaded package matches the sum published by the vendor.
But what if someone tampers with the package by adding a payload, such as a backdoor, ransomware or other malicious content, at the source, i.e. at the vendor? In this case the vendor’s infrastructure has been breached and the malicious content is placed in the software package without the vendor’s knowledge. For the businesses using the package, or providing it to their customers, the integrity of the software package would appear intact and the source would seem trustworthy.
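As an added illustration (example code, not from the article or from Advenica's product), the hash check in Python, assuming a vendor manifest in `sha256sum` output format and constructed sample package bytes; it also shows that a manifest the vendor regenerates over an already tampered package passes the same check, which is the source-compromise case described above.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

def parse_sha256sums(manifest: str) -> Dict[str, str]:
    """Parse a vendor manifest in sha256sum output format (assumed here):
    one '<hex digest>  <filename>' line per package; '*' marks binary mode."""
    expected: Dict[str, str] = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.lstrip("*")] = digest.lower()
    return expected

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_packages(packages: Dict[str, bytes], manifest: str) -> List[Tuple[str, str]]:
    """Compare each downloaded package with the vendor's published digest. Status is
    'ok', 'mismatch' (altered after the vendor hashed it) or 'unlisted' (no digest)."""
    expected = parse_sha256sums(manifest)
    results: List[Tuple[str, str]] = []
    for name, data in packages.items():
        if name not in expected:
            results.append((name, "unlisted"))
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            results.append((name, "ok"))
        else:
            results.append((name, "mismatch"))
    return results

# Constructed sample data: short byte strings stand in for update archives.
CLEAN_UPDATE = b"app-1.2.3 release build"
TAMPERED_UPDATE = CLEAN_UPDATE + b" + injected payload"
VENDOR_MANIFEST = f"{sha256_hex(CLEAN_UPDATE)}  app-1.2.3.tar.gz\n"
# Source-compromise case: the package was altered inside the vendor's own
# infrastructure, so the vendor's manifest is computed over the tampered file.
COMPROMISED_VENDOR_MANIFEST = f"{sha256_hex(TAMPERED_UPDATE)}  app-1.2.3.tar.gz\n"

def demo() -> Dict[str, str]:
    """Run the three scenarios and return the verification status of each."""
    return {
        "clean": verify_packages({"app-1.2.3.tar.gz": CLEAN_UPDATE}, VENDOR_MANIFEST)[0][1],
        "tampered_in_transit": verify_packages({"app-1.2.3.tar.gz": TAMPERED_UPDATE}, VENDOR_MANIFEST)[0][1],
        "tampered_at_source": verify_packages({"app-1.2.3.tar.gz": TAMPERED_UPDATE}, COMPROMISED_VENDOR_MANIFEST)[0][1],
    }
```

The hash check catches alteration in transit but reports the source-compromised package as 'ok', which is why content validation beyond the checksum is still needed.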
So, how can the risk of infected software updates be managed?
By using a trustworthy source, checking the integrity of the packages, and also putting all packages through stringent content validation and filtering. It is common practice to scan downloaded files with antivirus software. However, the coverage of one or a few AV engines can be limited; in many cases threat actors tune the malicious content to go undetected by the most common AV software. Broader coverage and more in-depth analysis are needed to verify the security of the file content.
At Advenica we have a unique, high assurance solution, File Security Screener, to ensure the security of transferred files and considerably reduce the risk of transferring malicious content placed in files such as software updates. The File Security Screener is an automated solution that analyses and sanitizes file content with 30+ antivirus engines. The solution uses our high assurance unidirectional gateways, data diodes, to ensure the highest possible segregation of the customer infrastructure from external networks. File Security Screener provides the most secure and comprehensive up-to-date protection on the market for businesses against software supply chain attacks and other file-based vulnerabilities. The solution has been through thorough testing in the defence and private sectors.
Want to know more? Read our product sheet, available here.
Need help with how to do secure updates? Contact us at Advenica – we have many years of experience in this field!
Sami Hyytiäinen, Technical expert, Advenica Oy