Saturday, October 16, 2021

Supply chain attacks are on the rise: NCSC warns

Addressing large businesses and government agencies, the UK's National Cyber Security Centre (NCSC) has issued a warning that attacks on software pipelines "could have a significant impact."

The compromise of SolarWinds' updates, which the US says was "likely" carried out by Russian hackers as part of a broader campaign, has put the software supply chain and software development processes in the spotlight. It was not the first software supply chain attack, but Microsoft has called it the "biggest attack ever to happen in the world."

The NCSC does not name SolarWinds, but it notes that the security of the software development process itself is often "overlooked," despite broad awareness of the need to secure software developers.

It states that automating software development with continuous integration and continuous delivery (CI/CD), a popular approach in which regular updates pass through built-in security testing, can be a good way to protect the software pipeline.

"It is important that the pipeline is well protected, and that it protects each of the builds it runs," the NCSC said.

The key message is that different builds must be adequately separated from each other, so that if one system is compromised, each build remains protected from the others.

Organizations that adopt automated software development also need to ensure that their processes can enforce mandatory security tests, and that such testing does not become too expensive to run.

Attackers who compromise the software development pipeline may add malicious code to software built by that pipeline, access any secrets the pipeline uses, and gain access to other source code repositories and locations.

"The pipeline needs to be protected from the most effective intrusion into the environment," notes the NCSC.

Its recommendations are closely aligned with those of Microsoft, Google, and the NSA. They include using multi-factor authentication, designing system access around least privilege, and using network security controls and monitoring to detect attacks.

But the NCSC also has advice on how organizations should choose the hardware used for build work.

"Performing each build on a single-use machine will make it very difficult for one build to attack another using shared hardware (such as the CPU), while two builds that share the OS kernel will have many more opportunities to interfere with each other," the NCSC notes.

"If a build can access information belonging to another build (such as its source code or build artifacts), then it can steal secrets or alter what is built."

On verifying the integrity of software development, the NCSC advises companies to ensure that downloads from the code repository are cryptographically protected, and to do the same for artifacts when they are pushed to the archive and while they remain in storage.

Defending against supply chain attacks involves more than just preventing the theft of encryption keys that grant access to protected cloud resources.

Finally, organizations should use cryptographic checksums to record the data processed by the pipeline, so that its integrity can be checked later.
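One way to put the last two points into practice, as an added example that is not from the article or the NCSC's guidance: record a SHA-256 checksum for every artifact at the moment it is pushed to the archive, then re-check the stored copies against that record before they are used. The artifact mapping, the `load_dir` helper and the sample artifacts are all assumptions constructed for this example.

```python
"""Record and verify SHA-256 checksums for artifacts passing through a build pipeline.

Added example, not the article's or the NCSC's own code. Artifacts are given as a
mapping of relative path -> bytes; load_dir() is a hypothetical helper that builds
that mapping from a directory on disk.
"""
import hashlib
import hmac
import json
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Record a checksum for every artifact as it is pushed to the archive."""
    return {path: sha256_hex(data) for path, data in sorted(artifacts.items())}


def verify_manifest(manifest: dict[str, str], artifacts: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare what is in storage now against what was recorded at push time."""
    modified = [p for p in manifest if p in artifacts
                and not hmac.compare_digest(manifest[p], sha256_hex(artifacts[p]))]
    missing = [p for p in manifest if p not in artifacts]          # recorded but gone
    unexpected = sorted(p for p in artifacts if p not in manifest)  # never recorded
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def is_intact(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def load_dir(root: str) -> dict[str, bytes]:
    """Hypothetical helper: read every file under root into the artifact mapping."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_bytes() for p in base.rglob("*") if p.is_file()}


# Constructed sample: what the build produced when it was pushed to the archive.
PUSHED = {"bin/app": b"\x7fELF...build-1234...", "lib/helper.so": b"\x7fELF...helper..."}
MANIFEST = build_manifest(PUSHED)

# Constructed sample: the same archive later, with one artifact altered and one added.
STORED_LATER = dict(PUSHED)
STORED_LATER["bin/app"] = PUSHED["bin/app"] + b"extra"
STORED_LATER["lib/unexpected.so"] = b"\x7fELF...unknown..."

if __name__ == "__main__":
    print(json.dumps(verify_manifest(MANIFEST, STORED_LATER), indent=2))
```

The manifest itself should be stored separately from the artifacts (or signed), since a manifest kept alongside the archive can be rewritten by whoever altered the files.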

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
