CIS guide software supply chain security | How not to respond to a data breach
CyberInsights #58
A little longer than usual, but a lot more happening this week. Not just the Apple security updates.
Yet another guide on Software Supply Chain risks
In this newsletter, we have often spoken of the risks related to software supply chains. You can read more about it in this post:
NIST has released a standard on Cybersecurity supply chain risk management (C-SCRM). We wrote about it here:
And we did a LongReads on Software Bill of Material (SBOM) and supply chain risks here:
Now, the Center for Internet Security (CIS) has released a guidance document on software supply chain security. You can download it from here. Everyone is publishing guidance on the software supply chain for the same reason: the problem keeps getting more important.
The latest example: malicious packages carrying Linux cryptominers have turned up on npm (the Node package registry) and PyPI (the Python Package Index).
The probability of an attack through the software supply chain has increased dramatically. From cyber-protestors and hacktivists to run-of-the-mill ransomware crews, everyone seems to want to get on the software supply chain malware bandwagon.
Open source software and libraries are the bedrock of the Internet and software supply chain attacks target this foundation.
Take Action: As we have said the last few times we mentioned this - get your Software Bill of Materials (SBOM) in place and use it to identify software supply chain risks. If you are not doing it already, start doing Static Application Security Testing (SAST) on all your software. Set the frequency by how quickly your code and its libraries change.
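As an added worked example (not code from the CIS guide or from this newsletter), the script below builds a minimal CycloneDX-style SBOM from an npm package-lock.json and, in the same pass, flags the supply-chain signals a reviewer would want to see: dependencies with no integrity hash, integrity hashes that are only SHA-1, packages resolved from git instead of a registry, packages fetched over plain http, and packages resolved from a host outside your registry allow-list. The lockfile, package names, versions and the `TRUSTED_REGISTRY_HOSTS` allow-list are all constructed for illustration and are hypothetical.

```python
"""Minimal SBOM + supply-chain risk check over an npm package-lock.json.

Added example, not from the CIS guide or the newsletter. The lockfile below is
constructed for illustration; package names and versions are hypothetical.
"""
import base64
import json
from urllib.parse import urlparse

# Assumption: the registries you actually trust. Anything else is flagged.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Subresource-Integrity algorithm names -> CycloneDX hash algorithm names.
SRI_TO_CDX = {"sha512": "SHA-512", "sha384": "SHA-384",
              "sha256": "SHA-256", "sha1": "SHA-1"}

# Constructed sample lockfile (npm lockfileVersion 2/3 "packages" layout).
# Each entry is hypothetical and exists to exercise one of the checks.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {          # clean: registry, https, sha512
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/helper-lib": {            # no integrity field at all
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/helper-lib/-/helper-lib-2.0.1.tgz",
        },
        "node_modules/internal-tool": {         # git dependency, not a registry
            "version": "0.9.0",
            "resolved": "git+ssh://git@github.com/example-org/internal-tool.git#abc123",
        },
        "node_modules/mystery-pkg": {           # plain http, unknown host, sha1
            "version": "4.2.0",
            "resolved": "http://mirror.example.net/mystery-pkg-4.2.0.tgz",
            "integrity": "sha1-" + "B" * 27 + "=",
        },
    },
})


def _purl(name, version):
    """package-url for npm; a scoped '@scope/pkg' is encoded as %40scope/pkg."""
    encoded = name.replace("@", "%40", 1) if name.startswith("@") else name
    return f"pkg:npm/{encoded}@{version}"


def _hash_entry(integrity):
    """Convert an SRI string 'sha512-<base64>' to a CycloneDX hash dict, or None."""
    alg, _, b64 = integrity.partition("-")
    if alg not in SRI_TO_CDX:
        return None
    try:
        digest = base64.b64decode(b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    return {"alg": SRI_TO_CDX[alg], "content": digest.hex()}


def sbom_from_lock(lock_text):
    """Return (components, findings): CycloneDX-style component dicts and a
    list of (name, version, issue) tuples describing supply-chain risks."""
    lock = json.loads(lock_text)
    components, findings = [], []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue                          # the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        integrity = meta.get("integrity", "")
        url = urlparse(meta.get("resolved", ""))
        hashes = []
        if url.scheme.startswith("git"):
            # npm records no integrity for git deps; the commit pin is all you get
            findings.append((name, version, "git dependency, not from a registry"))
        else:
            entry = _hash_entry(integrity) if integrity else None
            if not integrity:
                findings.append((name, version, "no integrity hash"))
            elif entry is None:
                findings.append((name, version, "malformed integrity field"))
            else:
                hashes.append(entry)
                if entry["alg"] == "SHA-1":
                    findings.append((name, version, "weak integrity algorithm: sha1"))
            if url.scheme != "https":
                findings.append((name, version, "not fetched over https"))
            if url.hostname not in TRUSTED_REGISTRY_HOSTS:
                findings.append((name, version, f"non-registry host: {url.hostname}"))
        components.append({"type": "library", "name": name, "version": version,
                           "purl": _purl(name, version), "hashes": hashes})
    return components, findings


def to_cyclonedx(components, project_name="example-app"):
    """Wrap components in a minimal CycloneDX 1.4 JSON document."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": {"type": "application", "name": project_name}},
            "components": components}


if __name__ == "__main__":
    comps, issues = sbom_from_lock(SAMPLE_LOCK)
    print(json.dumps(to_cyclonedx(comps), indent=2))
    for pkg, ver, issue in issues:
        print(f"RISK {pkg}@{ver}: {issue}")
```

Run it against your own package-lock.json by replacing `SAMPLE_LOCK` with the file's contents; the findings are the items to chase first, and the SBOM is what you feed to your vulnerability-matching and SAST tooling. The same shape of check applies to any lockfile that records a resolved URL and a content hash.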
When you try to kill the messenger…
This article on Brian Krebs’s website is worth reading for every cyber incident response professional. It teaches you how not to handle a data breach.
A cybersecurity firm was hired to respond to a post offering breached data for sale on the cybercrime forum ‘Breached’. They chose the unusual path of trying to get the post taken down with a cease-and-desist letter and by invoking the DMCA (Digital Millennium Copyright Act). The administrator of Breached simply bought the data and posted it for everyone to download. This is what he posted:
“I bought this data to leak (With permission from the seller) because Group-IB was sending emails to me complaining about it. They also attempted to submit DMCAs against the website. Make sure to tell BANORTE that now they need to worry about the data being leaked instead of just being sold Mr. Group-IB. Next time do not bother me.”
Take Action: Check your Cyber Crisis Management Plan (CCMP) again. Also, ask the cybersecurity firm you have retained under that plan what methods of response they use, and have those methods validated by your legal counsel before an incident, not during one.