What is a supply chain attack?

A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.

The risks associated with a supply chain attack have never been higher, due to new types of attacks, growing public awareness of the threats, and increased oversight from regulators. Meanwhile, attackers have more resources and tools at their disposal than ever before, creating a perfect storm. The recent SolarWinds attack is a prime example.

SolarWinds attack highlights supply chain risk

The news about last year’s nation-state attack against up to 18,000 customers of networking tools vendor SolarWinds just keeps getting worse. According to a recent report by the New York Times, the SolarWinds attacks, attributed to Russia, penetrated many more than a “few dozen” government and enterprise networks, as first believed. As many as 250 organizations were affected, and the attackers took advantage of multiple supply chain layers.

It’s a violation of the chain of trust, says Steve Zalewski, deputy CISO at Levi Strauss. “That’s the big issue with all of this third-party stuff,” he says. “We don’t keep it in house anymore. We’re having to rely on third-party ways to establish this trust, and there’s no national way or international way to do that.”

The problem is continually getting worse, with enterprises more and more reliant on outside providers, Zalewski says, adding that it’s time to look at the whole ecosystem of the software industry to address this problem.
“To solve it completely, what we need is an international chain of trust, like a global PKI system,” he says, “where we can all agree on a global set of tools and practices.”

Unfortunately, there’s no practical way to do that. “We need a legal, regulatory, collective defense,” Zalewski says. “But it’s going to take years and years and years to do this.”

Security rating firm BitSight estimates that the SolarWinds attack could cost cyber insurance companies up to $90 million. That figure is as low as it is only because government agencies don’t buy cyber insurance, and because the attackers tried to keep as low a profile as possible in order to steal information, so they didn’t do much damage to systems.

Another supply chain attack, in 2017 and also attributed to Russia, compromised Ukrainian accounting software as part of an attack designed to target the country’s infrastructure, but the malware spread quickly to other countries. NotPetya wound up doing more than $10 billion in damage and disrupted operations for multinational corporations such as Maersk, FedEx and Merck.

Supply chain attacks are attractive to hackers because when commonly used software is compromised, the attackers could potentially gain access to all the enterprises that use that software.

All tech vendors vulnerable to supply chain attacks

Any company that produces software or hardware for other organizations is a potential target of attackers. Nation-state actors have deep resources and the skills to penetrate even the most security-conscious firms.

Even security vendors can be targets. In the case of SolarWinds, for example, one of the higher-profile companies breached was FireEye, a cybersecurity vendor. FireEye says that the attackers didn’t get into customer-facing systems, just the penetration tools used for security testing. The fact that it got hit at all is worrisome.

Other vendors hit by the SolarWinds attackers include Microsoft and Malwarebytes, another security vendor.
“Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse-engineering our own software,” company CEO Marcin Kleczynski said in a January 19 post.

Email security vendor Mimecast announced in January that it was also hit by a sophisticated threat actor, and there have been reports that it’s the same group as the one behind the SolarWinds hack.

These attacks show that any vendor is vulnerable and could be compromised. In fact, this fall, security vendor ImmuniWeb reported that 97% of the world’s top 400 cybersecurity companies had data leaks or other security incidents exposed on the dark web, and 91 companies had exploitable website security vulnerabilities.

These kinds of attacks aren’t a recent development. In 2011, RSA Security admitted that its SecurID tokens were hacked. One of its customers, Lockheed Martin, was attacked as a result.

In addition to attacks like SolarWinds, which involve compromises of commercial software vendors, there are two other types of supply chain attacks: attacks against open-source software projects, and cases where governments directly interfere in vendor products that originate in their jurisdictions.

The open-source supply chain threat

Commercial software isn’t the only target of supply chain attacks. According to Sonatype’s 2020 State of the Software Supply Chain Report, supply chain attacks targeting open-source software projects are a major issue for enterprises, since 90% of all applications contain open-source code and 11% of those have known vulnerabilities.

For example, in the 2017 Equifax breach, which the company says cost it nearly $2 billion, attackers took advantage of an unpatched Apache Struts vulnerability.
Twenty-one percent of companies say they experienced an open-source-related breach in the previous 12 months.

More recently, attackers have exploited vulnerabilities in the open-source Apache Log4j logging library used in millions of Java-based applications. The exploits are difficult to detect and mitigate. One of the Log4j exploits allows remote-code execution on the servers running vulnerable applications without requiring authentication. That has earned the vulnerability a severity rating of 10 on the CVSS scale. Another vulnerability can lead to a denial-of-service condition.

Because Log4j is used in many commercial applications, organizations might be vulnerable without knowing that they are actually using the logging library. This has led to companies scrambling to determine their level of risk from the threat and hoping that the vendors provide effective patches in a timely manner.

Attackers don’t have to wait around for a vulnerability to magically appear in open-source software. Over the past few years, they’ve begun deliberately compromising the open-source development or distribution process, and it’s working. According to the Sonatype survey, these kinds of next-generation attacks increased 430% over the previous year.

The foreign sourcing threat

Why bother to hack into a software company when you can just march in and order them to install malware in their products? That’s not so much of an option for Russia, since it’s not exactly known as a technology exporter.
But China is.

“Compromised electronics in US military, government and critical civilian platforms give China potential backdoors to compromise these systems,” said US Senators Mike Crapo (R-Idaho) and Mark Warner (D-Virginia) in a statement announcing the bipartisan 2019 MICROCHIPS Act.

Nearly every government organization and private company is exposed, to some degree, to technology that originates in China or other low-cost countries, says Steve Wilson, VP and principal analyst at Constellation Research.

How to guard against supply chain attacks

So, what can enterprises do? Some regulatory frameworks, such as those in the financial sector or healthcare, already provide for third-party risk testing, or have some standards that vendors need to comply with. “Within PCI, there’s a software quality component to test the quality of mobile payment components,” says Wilson, referring to the Payment Card Industry Data Security Standard (PCI-DSS).

There are also more general frameworks, such as the Capability Maturity Model (CMM), ISO 9001, Common Criteria and SOC 2. “I’m a huge fan of CMM audits,” says Wilson. “On the other hand, I acknowledge the cost. The only people who insist on Common Criteria, until recently, are the spooks.”

There’s also FIPS 140 accreditation for cryptographic modules. “It’s really expensive,” says Wilson. “It’s a million dollars to get an app certified to FIPS-140 and unless you’re selling Blackberries to the federal government, you don’t do it.”

Enterprises have gotten too comfortable with software that is cheap and fast. “We need to accept that we’ve been writing software on the cheap for decades and the chickens are coming home to roost,” Wilson says.

If enterprises start demanding more testing, however, or regulators step in and mandate better controls, then the costs of the audits are likely to drop.
“If people start investing more in testing then the testing business will see more revenue and more competition,” Wilson says. There will also be more innovation, such as in automated testing.

At Levi Strauss, the company vets its software vendors, says Zalewski. “We require them to have demonstrable, auditable proof that they have implemented a security framework and can demonstrate compliance with that framework,” he says. Levi Strauss doesn’t dictate what specific framework vendors have to follow, he adds. “But we want a commitment that you’re willing to write down what your security controls and practices are, so we can make sure they’re compatible with ours. That’s how we manage the risk and that’s about the best you can do.”

One thing that data centers should not do is stop deploying patches. In fact, Levi Strauss’ patch management process meant that the fixes to the SolarWinds software were installed before the news hit, protecting the company against any other attackers who might have wanted to jump on the SolarWinds train.

However, Zalewski admitted that the company’s systems weren’t able to catch the malware inside the SolarWinds update. Of course, nobody did; FireEye and Microsoft both missed it as well. The problem, Zalewski says, is that it’s difficult to scan updates for suspicious behavior, since an update is, by definition, designed to change the way that software behaves.

“It’s simply the nature of how software works,” Zalewski says. “The problem is in the ecosystem and the way it’s put together. The bad guys are looking at the gaps and exploiting them.”

Supply chain attacks are still a lot more rare than attacks against known vulnerabilities, says Shimon Oren, VP of research at security firm Deep Instinct.
“The risk of an unpatched vulnerability or a security update that hasn’t been implemented greatly, I’d say, greatly outweighs the risk of a supply chain attack.” According to IBM’s 2020 Cost of a Data Breach report, vulnerabilities in third-party software are the root cause of 16% of all breaches.

Instead of delaying patches, Oren suggests that enterprises ask their vendors what mechanism they have in place to protect their software from compromise. “What kind of security posture do they have? What kind of code verification mechanisms do they have in place today?”

Unfortunately, there isn’t a set of standards available that specifically addresses the security of the software development process, he says. “I don’t think there’s anything that says that your code is safe.”

One organization working to address that lack is the Consortium for Information and Software Quality, a special interest group under the technology standards body Object Management Group. One of the standards the organization is working on is the software equivalent of a bill of materials. It will let enterprise customers know the components that go into the software they’re using, and whether any of those components have known security problems.

“It’s in the process right now and we anticipate it will be completed sometime this spring,” says executive director Bill Curtis. Microsoft is involved, he says, as is the Linux Foundation and other big players, about 30 companies in total.

Gaps in supply chain risk assessments

Doing proper due diligence, says attorney Ieuan Jolly, co-chair of the privacy, security and data innovations practice at Loeb & Loeb, is as important as, or even more important than, the contract that the enterprise can negotiate with its vendor. If the vendor goes out of business as a result of a breach they caused, then their customers won’t be able to recover any damages.
If they do recover damages, “it will never be an adequate remedy for the reputation costs the company suffers,” he says.

According to a recent survey of risk management professionals by Mastercard’s RiskRecon and the Cyentia Institute, 79% of organizations currently have formal programs in place to manage third-party risk. The most common risk assessment methods are questionnaires, used by 84% of companies, and documentation reviews, used by 69%. Half of companies use remote assessments, 42% use cybersecurity ratings, and 34% use onsite security evaluations.

Despite the popularity of questionnaires, only 34% of risk professionals say they believe the vendors’ responses. However, when a problem is found, 81% of companies rarely require remediation, and only 14% are highly confident that the vendors are meeting their security requirements.

In the wake of the SolarWinds attack in particular, organizations need to look at their software suppliers, particularly those with software that has privileged access to company assets, says Kelly White, CEO and co-founder of RiskRecon. That includes expanding assessment criteria to include the integrity of the software development process, he says, “to ensure that controls are sufficient to prevent introduction of malicious code.”

This is also the time to double down on least privilege, White says. “During my time as CISO of a large financial institution, any software that required communication with the internet was limited in its web access permissions to only accessing pre-determined update sites,” he says. White was previously CISO at Zions Bancorporation.

Such a policy not only prevents software from communicating with malicious command-and-control servers, but also has the benefit of raising alerts if it tries to do so, White says.

Editor’s note: This article, originally published in May 2017, has been updated to reflect current trends.
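The software bill of materials that Bill Curtis describes above is meant to tell a customer which components are inside a product and whether any of them carry known security problems. The following is an added example of what a consumer of such a document does with it; it is not the CISQ standard (which the article says was still in progress) nor any vendor's tool. The component list, the dependency paths, the advisory feed and the advisory identifiers are all constructed sample data, and the version comparison handles only plain dotted numeric versions.

```python
"""Match a software bill of materials (SBOM) against known advisories.

Added example, not the CISQ standard nor any vendor's tool. The component
list and the advisory list are constructed sample data; the advisory IDs
are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    Only dotted numeric versions are handled; pre-release tags such as
    '1.0.0-rc1' would need a richer parser.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder ID, not a real CVE
    component: str      # affected component name
    affected_min: str   # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive)
    severity: float     # CVSS-style score, 0.0 to 10.0


def is_affected(version: str, adv: Advisory) -> bool:
    """True when affected_min <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


# Constructed SBOM. Each entry records its dependency path, so a transitive
# component (one the organisation never chose directly, like a logging
# library pulled in by a framework) is still visible. Names are made up.
SAMPLE_SBOM: List[Dict[str, str]] = [
    {"name": "shop-frontend", "version": "3.2.0",
     "path": "shop-frontend"},
    {"name": "web-framework", "version": "5.1.7",
     "path": "shop-frontend > web-framework"},
    {"name": "fast-logger", "version": "2.14.1",
     "path": "shop-frontend > web-framework > fast-logger"},
    {"name": "json-parser", "version": "1.9.0",
     "path": "shop-frontend > json-parser"},
]

# Constructed advisory feed with placeholder identifiers.
SAMPLE_ADVISORIES: List[Advisory] = [
    Advisory("ADV-PLACEHOLDER-001", "fast-logger", "2.0.0", "2.15.0", 10.0),
    Advisory("ADV-PLACEHOLDER-002", "json-parser", "1.0.0", "1.8.0", 7.5),
]


def find_known_issues(sbom: List[Dict[str, str]], advisories: List[Advisory]):
    """Return one (component, version, path, advisory) tuple per match,
    highest severity first."""
    by_component: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)
    findings = []
    for comp in sbom:
        for adv in by_component.get(comp["name"], []):
            if is_affected(comp["version"], adv):
                findings.append((comp["name"], comp["version"], comp["path"], adv))
    findings.sort(key=lambda f: f[3].severity, reverse=True)
    return findings


def report(sbom: List[Dict[str, str]], advisories: List[Advisory]) -> List[str]:
    """Human-readable lines, one per finding, for a ticket or dashboard."""
    return [
        f"{name} {version} is affected by {adv.advisory_id} "
        f"(severity {adv.severity}); fixed in {adv.fixed_in}; reached via {path}"
        for name, version, path, adv in find_known_issues(sbom, advisories)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(line)
```

On the sample data the only finding is the transitive fast-logger component, which is exactly the situation the article describes for Log4j: the organisation never chose the library, but the bill of materials still exposes it together with the version that fixes the issue. json-parser 1.9.0 is above the advisory's fixed-in version and is correctly left out.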
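Kelly White's least-privilege policy above restricts each piece of internet-facing software to its pre-determined update sites and raises an alert when it tries to go anywhere else. The following is an added example of the detection half of that policy run over proxy log lines; it is not RiskRecon's or Zions Bancorporation's tooling. The process-to-host allow list, the log format and the log lines are constructed sample data.

```python
"""Detect vetted software reaching beyond its pre-approved update sites.

Added example of the egress allow-list policy described in the article,
not RiskRecon's or any bank's tooling. The allow list and the proxy log
lines are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed policy: each piece of internet-facing software may reach only
# its vendor's update hosts. Processes absent from this map are not governed
# by the policy (user browsers, for instance) and are ignored here.
ALLOWLIST: Dict[str, Set[str]] = {
    "monitoring-agent.exe": {"updates.vendor-a.example", "cdn.vendor-a.example"},
    "backup-client.exe": {"updates.vendor-b.example"},
}

# Constructed proxy log: timestamp, source host, process, destination, port, action.
# The last line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z host01 monitoring-agent.exe updates.vendor-a.example 443 ALLOW
2021-03-01T10:00:05Z host01 monitoring-agent.exe unexpected-host.example 443 ALLOW
2021-03-01T10:01:00Z host02 backup-client.exe updates.vendor-b.example 443 ALLOW
2021-03-01T10:02:00Z host02 backup-client.exe 203.0.113.7 8080 ALLOW
2021-03-01T10:03:00Z host03 browser.exe news.example 443 ALLOW
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<action>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def policy_decision(proc: str, dst: str, allowlist: Dict[str, Set[str]] = ALLOWLIST) -> str:
    """'allow' for an approved update host, 'deny' for anything else a governed
    process tries, 'not governed' for processes outside the policy."""
    if proc not in allowlist:
        return "not governed"
    return "allow" if dst in allowlist[proc] else "deny"


def find_violations(log_text: str, allowlist: Dict[str, Set[str]] = ALLOWLIST) -> List[Dict[str, str]]:
    """Return every governed-process connection that the policy would deny.

    In the sample the proxy recorded ALLOW for these lines, so the output
    also shows where enforcement is missing, not only where to alert.
    """
    violations = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        if policy_decision(rec["proc"], rec["dst"], allowlist) == "deny":
            violations.append({
                "time": rec["ts"], "host": rec["host"], "proc": rec["proc"],
                "dst": rec["dst"], "port": rec["port"],
                "note": ("proxy allowed this; policy not enforced"
                         if rec["action"] == "ALLOW" else "blocked"),
            })
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"ALERT {v['time']} {v['host']} {v['proc']} -> {v['dst']}:{v['port']} ({v['note']})")
```

Two connections are flagged: the monitoring agent contacting a host that is not one of its update sites, and the backup client reaching a bare IP address on a non-standard port. Both were allowed by the proxy in the sample, which is the gap the policy is meant to close; in production the same allow list drives the proxy's deny rule, and this detector then confirms that the rule is actually in force.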