2021-02-21
from the vigilance-is-key dept.
Developer and entrepreneur Bert Hubert has written about how software supply chain safety is similar to food supply safety. Both are about recognizing hazards and finding critical control points to monitor. Strict rules about handling must also be followed, in both fields.
You can’t just buy the required stuff and declare the food is now safe. It requires constant vigilance.
The analogies to cybersecurity are overwhelming. Food safety is the proper analogy for cybersecurity.
Compare:
- The enemy is invisible (germs)
- You can get infected via your supply chain, which is also your responsibility
- A single employee not paying attention can sink you
- Out of sight, bugs can fester for years before causing harm
- Without the right infrastructure, you are doomed
- But even if you buy the right stuff, there are no silver bullet solutions - only paths to improvement
So I looked into this a bit more, as related fields can often provide very good inspiration. And I was blown away by what I found.
Food safety has been around for a while now and they are light years ahead of us. A mainstay of providing safe food is HACCP[*].
[*] HACCP: Hazard analysis and critical control points.
The key in both areas is recognition that safety is an ongoing process and not a product or appliance which can be tacked on aftermarket.
Previously:
(2020) Supply-Chain Attack Hits RubyGems Repository with 725 Malicious Packages
(2020) A Better Kind of Cybersecurity Strategy
Related Stories
Supply-chain attack hits RubyGems repository with 725 malicious packages:
More than 725 malicious packages downloaded thousands of times were recently found populating RubyGems, the official channel for distributing programs and code libraries for the Ruby programming language.
The malicious packages were downloaded almost 100,000 times, although a significant percentage of those are likely the result of scripts that automatically crawl all 158,000 packages available in the repository, Tomislav Pericin, the cofounder and chief software architect of security firm ReversingLabs, told Ars. All of them originated from just two user accounts: "JimCarrey" and "PeterGibbons."
The accounts, which ReversingLabs suspects may be the work of a single individual, used a variation of typosquatting—the technique of giving a malicious file or domain a name that's similar to a commonly recognizable name—to give the impression they were legitimate. For instance, "atlas-client," a booby-trapped package with 2,100 downloads, was a stand-in for the authentic "atlas_client" package. More than 700 of the packages were uploaded from February 16 to 25.
Once installed, the packages executed a script that attempted to intercept Bitcoin payments made on Windows devices.
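As an added example, not code from the article, from Ars, or from ReversingLabs: one "critical control point" in the HACCP sense, applied to the supply-chain story above. It scans a dependency list for gem names that look like typosquats of an allow-list of expected packages, treating "atlas-client" and "atlas_client" as the same canonical name and flagging near misses within a small edit distance. The allow-list and the sample dependency names are constructed for the example.

```ruby
# Added example: a HACCP-style control point for a Ruby dependency list.
# Flags requested gem names that impersonate an allow-listed package, either
# by collapsing to the same canonical form ('-' vs '_' vs '.', letter case) or
# by being within max_distance edits of one without being identical.

# Constructed allow-list of packages this project expects to depend on.
ALLOWED_GEMS = %w[atlas_client rails nokogiri].freeze

# Canonical form: lowercase, with '-', '_' and '.' all treated as one separator.
def canonical(name)
  name.downcase.gsub(/[-_.]/, '_')
end

# Plain Levenshtein edit distance (dynamic programming, two rows).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Returns the allow-listed name that `name` appears to impersonate, or nil
# when the name is either exactly allow-listed or not close to anything.
def check_gem(name, allowed = ALLOWED_GEMS, max_distance = 1)
  return nil if allowed.include?(name)
  allowed.each do |ok|
    return ok if canonical(name) == canonical(ok)
    return ok if edit_distance(canonical(name), canonical(ok)) <= max_distance
  end
  nil
end

# Scan a list of requested gems; returns [[requested, impersonated], ...]
# for the names a human should review before the build proceeds.
def scan_dependencies(names, allowed = ALLOWED_GEMS)
  names.each_with_object([]) do |n, out|
    hit = check_gem(n, allowed)
    out << [n, hit] if hit
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample dependency list, including the '-' vs '_' case.
  p scan_dependencies(%w[atlas-client rails nokogiri nokogirl])
end
```

The distance threshold is a tuning knob: a larger value catches more lookalikes but also flags legitimately similar short names, so hits are a trigger for review rather than an automatic block.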
Bruce Schneier has done an analysis of Russia's (alleged) recent attack on U.S. government agencies:
Here’s what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR — previously known as the KGB — hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was protected by the password “solarwinds123” — something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.
This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself — and can affect all of a supplier’s customers. It’s an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.
Schneier later adds:
While this is a security failure of enormous proportions, it is not, as Senator Richard Durban said, “virtually a declaration of war by Russia on the United States.” While President-elect Biden said he will make this a top priority, it’s unlikely that he will do much to retaliate.
MIT news had a recent piece on a new model that demonstrates why countries that retaliate too much against online attacks make things worse for themselves: