Invitation to Cybersecurity

4. The Need for Cybersecurity: Cyber Attacks 79

including computer and network access. If the supplier's cybersecurity is weaker than the target's, it may be easier to reach the target through the supplier than to attack the target directly. Large companies frequently have hundreds of suppliers, each of which is a potential entry point, so their exposure to supply chain attacks grows with the size of their vendor base. One of the first highly publicized mega data breaches occurred in 2013 against the retail chain Target and exposed the payment card or personal data of as many as 110 million Target customers (confusingly, in this case, Target was the target!). Target had granted network access to a heating and refrigeration contractor; the attackers first compromised the contractor, obtained its Target credentials, and used that trusted access to gain a foothold in Target's network. From there they reached the point-of-sale systems and harvested customer records.

Many organizations rely on vendors to supply IT support. These relationships entail a significant level of trust because many IT functions require privileged access. SolarWinds is a software company whose Orion product monitors IT infrastructure for large organizations. In 2019, hackers obtained unauthorized access to SolarWinds' computers and network, and SolarWinds did not detect the intrusion. Over the following months the hackers used that access to insert a backdoor into Orion's build process, so that the malicious code was compiled into official, digitally signed Orion updates. Customers, including many United States government agencies, installed those updates through the normal update channel, and the backdoor gave the attackers a way into the customers' networks. The compromise was not discovered until December 2020. The attack was highly effective precisely because, from the perspective of the organizations being hacked, the update came from SolarWinds and carried SolarWinds' own signature, and a vendor would never attack its own clients; the updates were therefore beyond suspicion. This is how trust relationships can be exploited.

Software is complex, creating opportunities for bad actors to implant malicious code in software supply chain attacks. Ken Thompson won the Turing Award (the "Nobel Prize" of computer science) along with Dennis Ritchie in 1983, and in his acceptance lecture, "Reflections on Trusting Trust," he made the point that trust is inherent in software. He wrote, "You can't trust code that you did not totally create yourself... No amount of source-level verification or scrutiny will protect you from using untrusted code." His demonstration was a C compiler modified to insert a backdoor into the login program whenever it compiled it, and to insert the same modification into any new compiler built from the compiler's own clean source code, so the malicious behaviour survives even though the source code no longer contains it. His broader point is that organizations have no choice but to trust the companies and tools that produced the software they use.

But even if software companies are honest, this does not eliminate the threat of a software supply chain attack. As we saw in Chapter 3, software developers rely on software libraries written by other developers. Libraries are imported into software development projects; they become de facto standards and save developers from "reinventing the wheel" when they need routine code. It is prohibitively expensive to analyze every library for security vulnerabilities or malicious code, so developers typically just trust the code to be secure when they incorporate it into their products. When a library is compromised, every product built on it becomes vulnerable. The Heartbleed vulnerability in OpenSSL (CVE-2014-0160), disclosed in 2014, affected hundreds of thousands of systems around the globe because OpenSSL is such a widely used library: a single missing bounds check in the TLS heartbeat extension let an attacker read up to 64 KB of a server's memory per request, including private keys, passwords and session data. Heartbleed is widely accepted to have been an accidental programming error rather than a deliberate implant, but a deliberately implanted bug could look exactly the same, and the incident demonstrates the reach a software supply chain attack can have.
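The shape of the Heartbleed bug and of its fix, as an added illustration that is not code from the book or from OpenSSL. The record layout is a simplification of the TLS heartbeat message, the function names (heartbeat_vulnerable, heartbeat_fixed, build_response, demo_leak, demo_honest) are made up for this example, and the "secret" placed after the record in the same buffer is a constructed stand-in for whatever happens to follow the record on a real server's heap. The check in heartbeat_fixed mirrors the one OpenSSL added in April 2014: a record whose declared payload length does not fit inside the bytes actually received is silently discarded.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified heartbeat record (after RFC 6520):
 *   [type:1][payload_length:2, big-endian][payload ...][padding >= 16 bytes]
 * rec_len is what the record layer actually received; payload_length is
 * written by the peer and is therefore attacker-controlled. */
#define HB_HDR 3
#define HB_PADDING 16

static unsigned short read_be16(const unsigned char *p) {
    return (unsigned short)((p[0] << 8) | p[1]);
}

/* Build the echo response the way the original code did: allocate a buffer
 * sized by payload_length and copy that many bytes out of the record.
 * Returns the response length or -1; the caller frees *resp. */
static int build_response(const unsigned char *rec, unsigned char **resp) {
    unsigned short payload = read_be16(rec + 1);
    size_t n = HB_HDR + (size_t)payload + HB_PADDING;
    *resp = malloc(n);
    if (!*resp) return -1;
    (*resp)[0] = 2;                       /* heartbeat_response */
    (*resp)[1] = rec[1];
    (*resp)[2] = rec[2];
    memcpy(*resp + HB_HDR, rec + HB_HDR, payload);  /* reads past the record if payload_length lies */
    memset(*resp + HB_HDR + payload, 0, HB_PADDING);
    return (int)n;
}

/* Vulnerable handler: never compares payload_length with rec_len. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char **resp) {
    (void)rec_len;                        /* the bug: the real length is ignored */
    return build_response(rec, resp);
}

/* Fixed handler: discard any record whose declared payload does not fit
 * inside what was actually received. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char **resp) {
    *resp = NULL;
    if (rec_len < HB_HDR + HB_PADDING) return -1;           /* too short to be valid */
    unsigned short payload = read_be16(rec + 1);
    if (HB_HDR + (size_t)payload + HB_PADDING > rec_len) return -1;
    return build_response(rec, resp);
}

/* Constructed scenario: a 21-byte record that claims a 40-byte payload,
 * sitting in the same buffer as an unrelated secret (standing in for
 * whatever follows the record on the heap). Returns 1 if the vulnerable
 * handler leaked the secret and the fixed handler refused the record. */
int demo_leak(void) {
    unsigned char memory[64] = {0};
    const char *secret = "SECRET_KEY=hunter2";              /* constructed sample data */
    size_t rec_len = HB_HDR + 2 + HB_PADDING;              /* 21 bytes really received */
    memory[0] = 1;                                         /* heartbeat_request */
    memory[1] = 0x00; memory[2] = 0x28;                    /* payload_length = 40 (a lie) */
    memory[3] = 'h'; memory[4] = 'i';                      /* the real 2-byte payload */
    memcpy(memory + rec_len, secret, strlen(secret));      /* lies just past the record */

    unsigned char *resp = NULL;
    int n = heartbeat_vulnerable(memory, rec_len, &resp);
    /* bytes copied from memory[rec_len..] land at resp[rec_len..] */
    int leaked = n == 59 && memcmp(resp + rec_len, secret, strlen(secret)) == 0;
    free(resp);

    int rejected = heartbeat_fixed(memory, rec_len, &resp) == -1 && resp == NULL;
    return leaked && rejected;
}

/* The fixed handler still serves an honest record: returns the response length (21). */
int demo_honest(void) {
    unsigned char rec[HB_HDR + 2 + HB_PADDING] = {1, 0x00, 0x02, 'h', 'i'};
    unsigned char *resp = NULL;
    int n = heartbeat_fixed(rec, sizeof rec, &resp);
    int ok = n == (int)sizeof rec && resp && memcmp(resp + HB_HDR, "hi", 2) == 0;
    free(resp);
    return ok ? n : -1;
}

int main(void) {
    printf("vulnerable leaks, fixed rejects: %s\n", demo_leak() ? "yes" : "no");
    printf("fixed echoes honest record: %d bytes\n", demo_honest());
    return 0;
}
```

The point to take from the example is how small the defect is: the only difference between the two handlers is one comparison of a length field supplied by the peer against the length the transport actually delivered, and that comparison is exactly the kind of thing a reviewer skims past in a large, trusted library.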
