Back in December, the world learned about one of the biggest and most sophisticated cyberespionage attacks to date that involved state-sponsored Russian hackers breaking into the networks of US federal agencies and numerous companies. The attackers compromised their victims by injecting malicious code into the legitimate software updates for a popular network management platform developed by a company called SolarWinds.
Several months later, the US government and private industry are still working on uncovering the full scope of the attack, but the incident has brought widespread attention to an issue that security researchers have been warning about for years: the security of the software supply chain.
As companies scramble to investigate whether their own systems and data were potentially impacted by the SolarWinds compromise, executives, boards, and customers are discovering that the threat of supply chain attacks extends well beyond this single incident and that mitigating the associated risks is not straightforward. Here’s what security leaders and experts say are the most important questions CISOs need to be able to answer following a software supply chain breach like SolarWinds.
1. Are we at risk even if we’re not using the backdoored software?
After an attack like SolarWinds happens, business leaders will and should ask IT and cybersecurity managers whether their organization directly uses the impacted software. If the answer is yes, the company’s security incident response plan will be triggered to identify, contain, and remove the threat and establish the extent of the impact to the business.