CSIA350 week 4 discussion

School: University of Maryland, University College
Course: 350
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 3
Uploaded by libdon4life

Kparkay Alvin Togba
CSIA 350 Week 4: Which is a greater source of supply chain risk: Hardware or Software?

Software is a greater source of supply chain risk than hardware. Globally, software attacks rank as the ninth most common attack vector, according to a report by Styran (2022). Although these attacks are few in number, it is clear that cybercriminals still target companies' cybersecurity through software. A compromise usually begins when a threat actor enters a vendor's network and plants malicious code, which can destroy the software, to take control of it. Customers' data becomes exposed to unauthorized users as soon as the attackers gain access to that software (CISA, 2021). Most compromises occur during the patch process, but some occur at the very beginning. Software attacks are often used to exploit the trust that customers place in software products and services, and the resulting revenue losses for companies can be massive.

According to CISA, attackers use a variety of techniques to conduct software attacks. Hijacking updates is one of them: through this method, attackers can access data and perform other tasks on behalf of an organization. Modern software security issues and efficiency improvements are often addressed through frequent updates, which clients receive from centralized servers operated by vendors as part of their maintenance processes. When attackers hijack these updates, they gain control of the software; once a hijacked update is installed, the attackers can take control of the system. One recent example is the NotPetya attack of 2017, which was perpetrated by Russian hackers and targeted an accounting program popular in Ukraine. Many industries were affected by this malware, including shipping and healthcare.
This malware was able to steal vendor signatures, which are used to verify the integrity of the vendor's code. In addition to gaining access to victims' accounts, attackers can also steal their credentials, and vendor updates can be hijacked using this method as well. China-based APT 41, for example, sabotaged open-source code in several countries in order to compromise the supply chain. Approximately 90% of the code in modern applications is open source, according to Coletta (2021). Developers often add this kind of code to their own programs without being aware of what they are taking on. Because open-source code is downloaded in such high volume, attackers consider it a common route to compromising software, and the technique makes security vulnerabilities, licensing complications, and malicious packages more likely. In 2018, an attacker posted malicious code to the Python Package Index designed to trick developers who were looking for the Django library. Although the counterfeit libraries shared Django's functionality and code, they also performed other tasks, such as establishing boot persistence and opening a reverse shell. Many organizations are also vulnerable because of third-party products: customers commonly accept the default settings without considering the risks involved, and attackers can gain access to their systems by exploiting pre-installed vulnerabilities and malware.
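The counterfeit Django packages described above are a typosquatting pattern, and one defender-side control is to screen dependency names before installation. The following is an added example, not code from the original post or from any cited source: it flags requirements entries whose names are close to, but not equal to, a small constructed allow-list of well-known packages. The allow-list, the sample requirements text and the use of PEP 503 name normalisation are assumptions made for this illustration.

```python
"""Flag lookalike (typosquat-style) package names in a pip requirements file."""
from __future__ import annotations
import re

# Constructed allow-list of well-known PyPI names; a real check would use a
# curated, much larger list (or the organisation's approved-package inventory).
KNOWN_PACKAGES = ("django", "requests", "numpy", "flask", "cryptography")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # candidates: delete ca / insert cb / substitute ca with cb
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line: str) -> str | None:
    """Distribution name from one requirements line, or None for blanks/options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return match.group(0) if match else None

def find_lookalikes(requirements: str, max_distance: int = 2) -> list[tuple[str, str]]:
    """Return (requested, known) pairs where requested is near, but not equal to, a known name."""
    hits = []
    for line in requirements.splitlines():
        name = requirement_name(line)
        if name is None or normalize(name) in KNOWN_PACKAGES:
            continue  # unparseable line, or an exact match with a known package
        closest = min(KNOWN_PACKAGES, key=lambda k: edit_distance(normalize(name), k))
        if edit_distance(normalize(name), closest) <= max_distance:
            hits.append((name, closest))
    return hits

# Constructed sample: two legitimate pins and two one-character-off lookalikes.
SAMPLE_REQUIREMENTS = "Django==4.2\ndiango==1.0\nrequest==2.31.0\nnumpy>=1.26\n"

if __name__ == "__main__":
    for requested, known in find_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"{requested!r} is within two edits of {known!r}; verify before installing")
```

A hit is a prompt for review, not proof of malice: some legitimate packages do have names near popular ones, so the list should be checked against the project's approved inventory.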
Companies and their vendors must communicate regularly about updates and security patches; otherwise, their systems can be affected by illegitimate updates, resulting in malfunctions. Software should be protected in order to minimize the risk of exploitation. Companies should also pay close attention to security incidents that could affect their vendors, according to Iradier (2021). These issues can be addressed by ensuring that software is developed against at least minimum security requirements. Security should be a concern for both consumers and suppliers. A company should use third-party software only as a last resort, since it is not under its control. Everyone involved should ensure that the responsibilities they hold are protected.

References:

Coletta, J. (2021, October 11). "Understanding Software Supply Chain Risks and How to Mitigate Them." Contrast Security [Security Influencers]. Retrieved April 11, 2022, from https://www.contrastsecurity.com/security-influencers/understanding-software-supply-chain-risks-and-how-to-mitigate-them

Cybersecurity and Infrastructure Security Agency. (2021, April). "Defending Against Software Supply Chain Attacks." National Institute of Standards and Technology [PDF]. Retrieved April 11, 2022, from https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf

Goodwin, C., & Bornstein, J. (2020, February 3). "Guarding Against Supply Chain Attacks—Part 2: Hardware Risks." Microsoft [Security Blog]. Retrieved April 12, 2022, from https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/

Hagos, M. (2022, April 11). "Week 4 Discussion: Which is a Greater Source of Supply Chain Risk: Hardware or Software?" [Assignment]. Retrieved April 12, 2022, from UMGC Canvas.

Iradier, A. (2021, November 9). "Secure Software Supply Chain: Why Every Link Matters." Sysdig [Blog]. Retrieved April 11, 2022, from https://sysdig.com/blog/software-supply-chain-security/

Kenton, W. (2021, August 29). "Supply Chain." Investopedia [Business Essentials]. Retrieved April 12, 2022, from https://www.investopedia.com/terms/s/supplychain.asp

LMI Staff. (2017, August 23). "Securing the Supply Chain: Cybersecurity and the Digital Supply Chain." LMI [Blog]. Retrieved April 12, 2022, from https://www.lmi.org/blog/securing-supply-chain-cybersecurity-and-digital-supply-chain

Security Scorecard. (2021, February 10). "6 Strategies for Cyber Supply Chain Risk Management (C-SCRM)." [Blog]. Retrieved April 11, 2022, from https://securityscorecard.com/blog/strategies-for-cyber-supply-chain-risk-management-c-scrm

Styran, V. (2022, April 11). "Why Is Software Supply Chain Security Important?" Berezha Security Group [Blog]. Retrieved April 11, 2022, from https://bsg.tech/blog/why-is-it-supply-chain-security-so-important/

Tech Design Forum. (2022, April 12). "Hardware Trojan Attacks and Countermeasures." [Guides]. Retrieved April 12, 2022, from https://www.techdesignforums.com/practice/guides/hardware-trojan-security-countermeasures/

Tung, L. (2021, August 3). "Supply Chain Attacks Are Getting Worse, and You Are Not Ready for Them." ZDNet [Article]. Retrieved April 12, 2022, from https://www.zdnet.com/article/supply-chain-attacks-are-getting-worse-and-you-are-not-ready-for-them/