New CISA and NIST Joint Document Helps Organization Understand and Defend Against Software Supply Chain Attacks

Although it was far from the first one, the software supply chain attack against SolarWinds was truly devastating. We are still suffering from related attacks, and no one yet knows what the full consequences of the compromise will be. Since the attack, organizations of all sorts have been scrambling to prepare themselves for similar attacks and to find ways to prevent them from affecting them. The good news for these organizations is that now there is new authoritative guidance just published to help them.

This month, the CISA and NIST released a joint paper entitled “Defending Against Software Supply Chain Attacks.” This document provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

The paper begins by explaining what the larger information and communications technology (ICT) supply chain framework is, how the software supply chain fits into it and what the six phases of the ICT Supply Chain Lifecycle are. The authors illustrate how vulnerabilities can creep into each phase of this lifecycle and give examples of past compromises. They explain some particular reasons why software supply chain attacks are so attractive to cyber-criminals, who is most likely to be behind such attacks and some of the most common attack vectors used by these criminals.

One of the big points they make is how difficult it is for network defenders to quickly mitigate the consequences of a software supply chain attack after it has occurred. They emphasize that only by being prepared for software supply chain attacks before they occur can organizations hope to properly prevent and effectively respond to these attacks. They recommend that a formal C-SCRM approach should be employed across the organization, business and system tiers of the organization.

NIST includes a list of eight key practices for customers establishing a C-SCRM approach:

  1. Integrate C-SCRM across the organization.
  2. Establish a formal C-SCRM program.
  3. Know and manage critical components and suppliers.
  4. Understand the organization’s supply chain.
  5. Closely collaborate with key suppliers.
  6. Include key suppliers in resilience and improvement activities.
  7. Assess and monitor throughout the supplier relationship.
  8. Plan for the full lifecycle.

The paper then goes into actions customers can take to prevent acquiring malicious or vulnerable software, to mitigate malicious or vulnerable software that has already been deployed, and to increase resilience so that the impact of a successful attack is limited. The paper then provides valuable recommendations for software vendors themselves to take in fighting this problem.

I highly recommend that organizations at risk from software supply chain attacks download this guidance and take it to heart. Only an organized, prepared and resilient information security program has any hope of helping organizations fight software supply chain attacks. Happily, instituting a proper infosec program such as the one described will also help you protect your organization from the other types of cyber-attacks that currently plague us.

Multi-Factor Authentication More Important Than Ever

Every week while I am reviewing the infosec news I read about more and bigger compromises of user account information. If users themselves are not falling for phishing attacks and entering their user names and passwords into bogus webpages, then their user names and passwords are being compromised when some company database gets hacked. The danger becomes much greater when we consider that most of us use just a few different passwords for all of our accounts. Savvy hackers could take advantage of this and clean you out before you even realized that your secrets had been compromised.

The easiest and most effective way that you personally can help protect yourself in this horrible online environment is to implement multi-factor authentication (MFA) for everything you access. This includes email, online banking, social media, online shopping and everything else that you can think of. And, believe me, I know what a pain it can be to always be hassling with MFA mechanisms! You often have to get a code from another device or carry a dongle with you. It takes time, and you keep having to do it over and over again. It gets old very quickly.

But wait! There are more problems involved than just the hassle of using MFA. Once you have implemented it, you also have to worry about being locked out of your account. Say for example you are trying to get a code to enter into your laptop but your phone is dead or out of range. You are left high and dry. Having at least two options for authentication can help you here.

Another thing to consider is the danger of using SMS for sending MFA authentication codes. The main weakness here is dependence on the cell phone providers themselves. These providers are susceptible to the same weaknesses as the rest of us and are vulnerable to phishing, spoofing, malware and social engineering. Also, providers can be tricked into porting a phone number to a new device, an attack known as SIM swapping.

There is a better alternative available in the form of authentication apps such as Google Authenticator. The advantage here is that to get a code, you are not relying on your carrier. The codes stay with the app, and hackers can’t get them even if they manage to move your number to a different phone.

Once again, you have to be careful that using MFA doesn’t cause you to be locked out of your own account. Google Authenticator provides you with a number of recovery codes when you first sign up that allow you to access your account if there is a problem. But these codes now need to be protected from hacker access. Make sure you have a good way to store these codes that hackers are not likely to be able to get at. If not, you have lost all the security advantages you just instituted.