SolarWinds Public Sector Cybersecurity Survey Report 2021

SolarWinds released the findings of its seventh Public Sector Cybersecurity Survey Report. The Public Sector Cybersecurity Survey Report includes responses from 400 IT operations and security decision makers, including 200 federal, 100 state and local, and 100 education respondents.

“These results demonstrate that while IT security threats have increased—primarily from the general hacking community and foreign governments—the ability to detect and remediate such threats has not increased at the same rate, leaving public sector organizations vulnerable,” said Brandon Shopp, Group Vice President, Product Strategy, SolarWinds. “But the data also shows an increased awareness and adoption of zero trust, as well as a commitment to invest in IT solutions and adopt cybersecurity best practices outlined in the Administration’s Cybersecurity Executive Order. It’s through these steps that public sector organizations can enhance their cybersecurity posture and fight the rising tide of external threats.”

Press Release: SolarWinds – For the First Time in Five Years, External Threats Overshadow Internal Threats as the Greatest Cybersecurity Concern for the Public Sector

NIST SP 800-160v1 Revision 1 Initial Public Draft out for Review

NIST is releasing the draft of a major revision to Special Publication (SP) 800-160 Volume 1, Engineering Trustworthy Secure Systems. This publication is intended to serve as a reference and educational resource for engineers and engineering specialties, architects, designers, and personnel involved in the development of trustworthy secure systems and system components. The guidance can be applied selectively by organizations, individuals, or engineering teams to improve the security and trustworthiness of systems and system components.

In particular, Draft SP 800-160 Volume 1, Revision 1 focuses on the following strategic objectives, which drove the majority of changes to the publication:

  • More strongly positioning Systems Security Engineering (SSE) as a sub-discipline of Systems Engineering (SE)
  • Emphasizing that the responsibility for engineering trustworthy secure systems is not limited to security specialties and that the achievement of security outcomes must properly align with SE outcomes
  • Aligning SSE practices with safety practices and other disciplines that deal with the loss of assets and the consequences of asset loss
  • Focusing on the assurance of the correctness and effectiveness of the system’s security capability to achieve authorized and intended behaviors and outcomes and control adverse effects and loss
  • More closely aligning systems security engineering work to international standards

NIST is interested in feedback on the specific changes made to the publication during this update, including the organization and structure of the publication, the presentation of the material, its ease of use, and the applicability of the technical content to current or planned systems engineering initiatives.

Submit comments using the comment template provided.

https://csrc.nist.gov/publications/detail/sp/800-160/vol-1-rev-1/draft

Automatic Diversity in the Software Supply Chain

ArXiv.org

Abstract

Despite its obvious benefits, the increased adoption of package managers to automate the reuse of libraries has opened the door to a new class of hazards: supply chain attacks. By injecting malicious code in one library, an attacker may compromise all instances of all applications that depend on the library. To mitigate the impact of supply chain attacks, we propose the concept of Library Substitution Framework. This novel concept leverages one key observation: when an application depends on a library, it is very likely that there exist other libraries that provide similar features. The key objective of Library Substitution Framework is to enable the developers of an application to harness this diversity of libraries in their supply chain. The framework lets them generate a population of application variants, each depending on a different alternative library that provides similar functionalities. To investigate the relevance of this concept, we develop ARGO, a proof-of-concept implementation of this framework that harnesses the diversity of JSON suppliers. We study the feasibility of library substitution and its impact on a set of 368 clients. Our empirical results show that for 195 of the 368 Java applications tested, we can substitute the original JSON library used by the client with at least 15 other JSON libraries without modifying the client’s code. These results show the capacity of a Library Substitution Framework to diversify the supply chain of the client applications of the libraries it targets.

What are Weak Links in the Node.js Package Manager (NPM) Supply Chain?

What are Weak Links in the npm Supply Chain?

ArXiv.org

Abstract

Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software’s supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks.

The goal of this work is to help software developers and security specialists identify weak links in a software supply chain by empirically studying npm package metadata.

In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages. We propose six signals of a security weakness in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers. Our analysis identified 11 malicious packages from the install scripts signal. We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts.

We obtained feedback on our weak link signals through a survey responded to by 470 npm package developers. The majority of the developers supported three out of our six proposed weak link signals. The developers also indicated that they would want to be notified about weak links signals before using third-party packages. Additionally, we discussed eight new signals suggested by package developers.
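The three weak-link signals named in the abstract (install scripts, maintainer e-mails on expired domains, inactive packages with inactive maintainers), as an added example that is not the paper's code: a small Python scanner over constructed npm-style package documents. The expired-domain set, the maintainer activity table and the two-year inactivity threshold are assumptions standing in for the WHOIS lookups and registry queries a real scan would perform.

```python
from datetime import datetime, timezone

# npm lifecycle hooks that run arbitrary commands on `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
INACTIVITY_DAYS = 2 * 365  # threshold used here for "inactive" (assumption)
EXPIRED_DOMAINS = {"old-startup-example.invalid"}  # constructed stand-in for a WHOIS/DNS expiry check

# Constructed: each maintainer's most recent publish anywhere in the registry
MAINTAINER_LAST_ACTIVE = {
    "alice": "2023-11-02T00:00:00Z",
    "bob": "2018-05-14T00:00:00Z",
}

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def weak_link_signals(pkg, now):
    """Return the weak-link signals raised by one (constructed) package document."""
    signals = []
    hooks = [h for h in INSTALL_HOOKS if h in pkg.get("scripts", {})]
    if hooks:  # signal 1: package runs code at install time
        signals.append("install_script:" + ",".join(hooks))
    maintainers = pkg.get("maintainers", [])
    for m in maintainers:  # signal 2: account e-mail domain is expired/registrable
        domain = m["email"].rsplit("@", 1)[-1].lower()
        if domain in EXPIRED_DOMAINS:
            signals.append(f"expired_domain:{m['name']}@{domain}")
    pkg_idle = (now - _parse(pkg["last_publish"])).days > INACTIVITY_DAYS
    maint_idle = all((now - _parse(MAINTAINER_LAST_ACTIVE[m["name"]])).days
                     > INACTIVITY_DAYS for m in maintainers)
    if pkg_idle and maint_idle:  # signal 3: nobody is left to patch it
        signals.append("inactive_package_and_maintainers")
    return signals

def scan(packages, now_iso=None):
    """Map package name -> signals; now_iso fixes the reference time for reproducible runs."""
    now = _parse(now_iso) if now_iso else datetime.now(timezone.utc)
    return {p["name"]: weak_link_signals(p, now) for p in packages}

# Constructed registry documents, not real npm packages
SAMPLE_PACKAGES = [
    {"name": "tidy-pad", "last_publish": "2024-01-10T00:00:00Z",
     "scripts": {"test": "jest"},
     "maintainers": [{"name": "alice", "email": "alice@example.com"}]},
    {"name": "legacy-utils", "last_publish": "2017-03-01T00:00:00Z",
     "scripts": {"postinstall": "node setup.js"},
     "maintainers": [{"name": "bob", "email": "bob@old-startup-example.invalid"}]},
]
```

Running `scan(SAMPLE_PACKAGES, "2024-06-01T00:00:00Z")` flags only `legacy-utils`, with all three signals.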

On the Feasibility of Detecting Software Supply Chain Attacks

Published in: MILCOM 2021 – 2021 IEEE Military Communications Conference (MILCOM)

Date of Conference: 29 Nov.-2 Dec. 2021

Abstract

A supply chain attack is a stealthy and sophisticated cyberattack that aims to compromise a target by exploiting weaknesses and vulnerabilities in its supply chain. Recent supply chain attacks (e.g., the SolarWinds attack) have compromised some of the most secure IT infrastructures of government agencies and enterprises. The European Union Agency for Cybersecurity, ENISA, has predicted that there will be 3 times more supply chain attacks in 2021 than in 2020. In this paper, we look into the problem of supply chain attacks and the challenges of defending against software supply chain attacks. We analyze what it takes to effectively prevent software supply chain attacks, and show that it is indeed feasible and practical for customers to detect certain software supply chain attacks. We propose an information flow based detection approach that enables end users to detect many software supply chain attacks without dealing with any of the underlying software suppliers.

China Locks Down City Containing One of World’s Busiest Ports, Could Impact Supply Chain

Source: Newsweek
Published: January 7, 2022

The Chinese industrial city of Ningbo has been shut down due to COVID-19, and the lockdown is keeping its port backed up. Located in Zhejiang province, Ningbo is home to the third-largest port in the world. The lockdown measures could worsen the already-disrupted port as worldwide supply chain woes persist.

Log4j Highlights Need for Better Handle on Software Dependencies

Dark Reading
January 3, 2022

It’s a new year and the cybersecurity community now faces the long-term consequences of yet another software supply chain security nightmare. After a year full of application security zero-day fallout, the Log4j vulnerability debacle (also referred to as Log4Shell) was like a thematic bookend for 2021 that closed out the year much in the way SolarWinds started it. The real-world consequences of these incidents schooled enterprise IT teams in too many ways to count. But perhaps the most important lesson to bubble up is how much work many organizations need to do to truly understand and manage what code is running under the hood across their software portfolios. Like the SolarWinds incident before it, the Log4j fiasco highlighted how many hidden software dependencies exist in enterprise software — and how hard it is to stamp out critical underlying flaws when these dependencies aren’t sufficiently understood.

The Impact of Business Intelligence on Supply Chain Performance with Emphasis on Integration and Agility–a Mixed Research Approach

International Journal of Productivity and Performance Management

Purpose

The paper aims to explore how business intelligence (BI), integration and agility influence supply chain performance.

Design/methodology/approach

The study was performed by the exploratory sequential mixed method in two phases including meta-synthesis as a qualitative method and survey as a quantitative method. Data were collected through a survey of 369 Iranian companies across various industries. Structural equation modeling was used to test hypotheses.

Findings

The results show that BI, integration and agility play an important role in achieving better supply chain performance. In the meantime, BI has the greatest impact on supply chain performance. Additionally, BI has a positive and significant effect on the integration and agility of the supply chain. The study also found that integration has a direct effect on supply chain agility.

Originality/value

To the best of the authors’ knowledge, the paper theoretically and empirically presents a new conceptual model of the relationship between BI, integration, agility and supply chain performance. The study helps researchers and practitioners to achieve insights into supply chain performance improvement.

2021 Semiconductor Industry Association (SIA) Annual Report

While the semiconductor industry has achieved great successes in 2021, it also faces significant challenges. Chief among them is a widespread global semiconductor shortage. Unanticipated rising demand for semiconductors needed during the pandemic response, coupled with significant fluctuations in chip demand for other products such as cars, triggered a rippling supply-demand imbalance felt across the world. The semiconductor industry has worked diligently to increase production to address high demand, shipping more semiconductors on a monthly basis than ever before by the middle of 2021, but most industry analysts expect the shortage to linger into 2022.

Read the full report here: 2021-SIA-State-of-the-Industry-Report.pdf (semiconductors.org)

Cybersecurity Reference and Resource Guide

2019 Cybersecurity Resource and Reference Guide_DoD-CIO_Final_2020FEB07

The purpose of this document is to provide a useful reference of both U.S. and International resources, in order to develop cybersecurity programs and to build and maintain strong network protection. Extensive reference materials exist that support efforts to build and operate trusted networks and ensure information systems maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability. The resources compiled here support security cooperation and shared best practices to help achieve collective cybersecurity goals. This guide provides readily available and unclassified information pertaining to cybersecurity norms, best practices, security cooperation, policies and standards authored and adopted by the United States (U.S.) government, the U.S. Department of Defense (DoD), and recognized international institutes and workforce development training resources provided by government, industry, and academia.

Aspects related to Cyber Supply Chain Risk Management in the document:

Cyber Supply Chain Risk Management (SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of information and operational technology product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an information and operational technology product or service at any stage.

Website: https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management

NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015

Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. This publication integrates SCRM into federal agency risk management activities by applying a multi-tiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation activities.

Website: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pd