Top | |
Newsletter 05/01/2022 |
Back to Contents A Printable PDF of this post is available here. |
The Next Looming Supply Chain Crisis, Remember this? |
The problems of open source software have been known for some time.
Yet, open source is and continues to be the foundation upon which the
Internet works. Paradigms do shift, though. And our global
conflict is forcing a reevaluation of our reliance on open source
software. What brought open source software to the forefront of public discussions of the Internet was the Log4j debacle. The Log4j vulnerability was easy to exploit. A malformed string of characters could break the application. One of the first known exploits of Log4j were script kiddies. "Some of the earliest attacks were kids pasting the malicious code in Minecraft servers." But those kid games shortly became nation states exploiting the code. It is projected that despite all the patching, Log4j will remain a threat for as long as anyone can see. The logging software and its use are ubiquitous; but not all organizations will patch. Smaller organizations will simply not accept the downtime patching requires. The long term concern here is that criminals will remain active, but undetected in unpatched systems, and then use those hacked systems as platforms for future attacks. Reporting by CNET, January 10, 2022, expressed the long term threat Log4j represents thusly: If left unpatched or otherwise unfixed, the major security flaw discovered a month ago in the Java-logging library Apache Log4j poses risks for huge swaths of the internet. The vulnerability in the widely used software could be exploited by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack. It is one thing for the federal government to dictate to its own department heads, "Patch or else!" The US government cannot, however, compel US private industries to temporarily shut down their operations and install these recommended patches to their systems. Moreover, the complexity of effective patching software has become an hindrance to patching for small and medium sized businesses. The admins in smaller enterprises may not know how to install the patches. Moreover, with an increasing number of information workers of all types now working remotely, effective patching is even more problematical. “Work from home and remote work have brought a real and significant shift in the way medium- and large-size companies have to think about and perform patching... Almost all of our endpoints and workstations now are outside of the protections corporate networks offered. This makes it harder to reach and verify that computers have been patched.” Of course, it is not just vulnerabilities in open source Java based applications that are now considered threats if not patched. A release dated April 27, 2022, updated 4/28/2022, listed the 2021 Top Routinely Exploited Vulnerabilities. Of the top 15, applications listed, 6 are open source, and 8 are Microsoft products. Of those 8 Microsoft applications, 7 are the same application, the Exchange Email Server.
This chart above points out the primary difference between open source
and proprietary software. There many different sources of open
source software. Who is going to patch and how quickly becomes the
crux of the problem.
Ransomware has been documented to encrypt an infected system's
files within 5 minutes. Both open source software and proprietary
often share similar vulnerabilities. "Both involve poorly
written code, leaving “holes” or gaps that attackers can use to carry
out malicious activities, such as modifying the code to extract
sensitive data or damage the system," as reported by
Security Today, Aug 19, 2019. Here’s how supply chain hacks work. Rather than targeting organizations directly, cybercriminals and nation-state hackers target software makers and software services providers. They inject attack code into software that is then used by other organizations. These attackers specifically target vulnerable software development pipelines and insecure cloud configurations, or they exploit software update processes.
Managing open-source software risks requires security teams to closely examine the software’s code. That doesn’t mean just checking for known vulnerabilities and believing there’s an all-clear if all patches are up-to-date... Instead, security teams must look at all of the components and the software dependencies within an open-source project, and understand how the various components have been assessed and tested for security vulnerabilities.
What is being proposed here are more stringent quality controls be
applied to open source software, and similar to those quality controls
of proprietary software vendors. Deeper examinations of the source
code could reveal defects that cannot be remedied. Adobe
discontinued Flash. Microsoft is fervently trying to discontinue
Internet Explorer. Those popular applications could simply not be fixed.
If that happens to a critical piece of open source — it is deemed to be
broken beyond all repair — the effects of such a supply system breakdown
could well be devastating.
When companies buy digital products, they expect them to be
secure. In most cases, they don’t test for vulnerabilities down the
digital supply chain — and don’t even have adequate processes or tools
to do so. Hackers have taken note, and incidents of supply chain
cyber-attacks, which exploit weaknesses within the digital supply chain
to break into organizations’ internal networks, are on the rise. As a
result, there have been many headline incidents that not only bring
shame to the companies involved, but rachet up the visibility of these
threats to top executives who want to know their offerings are secure.
The problem has been identified by all those with a stake in modern day
distribution of goods and services. Implementing solutions that will
stick will require actions that can cause as much temporary disruptions
as the attacks themselves. We are, however, as a society, a
nation, and a community of users, way past singing the same ol blues
about the same ol problems. Solutions will be implemented. And
somewhere up and/or down the distribution line, real people will suffer
the fallout from finally fixing real problems long know about, but left
to fester. And why were these problems left to fester? When
everyone and anyone is responsible for mitigation and remediation, then really no one is
responsible for mitigation and remediation.
|
Back to Top Gerald Reiff |
Back to Top | next post → |