Supply chain attacks will get worse: Microsoft Security Response Center boss

Do you know all of your software dependencies? Spoiler alert: hardly anybody is on top of it


RSA Conference Major supply-chain attacks of recent years – we're talking about SolarWinds, Kaseya and Log4j to name a few – are "just the tip of the iceberg at this point," according to Aanchal Gupta, who leads Microsoft's Security Response Center.

"All of those have been big," she said, in an interview with The Register at RSA Conference. "But I feel they will continue and there will be more. And there's a reason I think that."

As the head of MSRC, Gupta has a unique vantage point. Her remit covers all of Microsoft's products and services, and she also has visibility into industry partners' software and tools and into customers' environments, including government agencies.

"The reason we will have a continuation of these supply chain attacks is our reliance on third party software and open source software is only growing," she said. "It's not going to come down anytime soon."

That reliance benefits cybercriminals, because they can find an unpatched vulnerability in one company's environment and use it to infect that company's customers and partners – "Like we saw with Nobelium," Gupta noted, referring to the Russian miscreants who hacked SolarWinds. "It also gives them economies of scale."

"And one thing, which came to light with Log4j: how pervasively it's used," she added.

Because the popular Apache Log4j logging library is so widely used among enterprise apps and cloud services, the remote code execution flaw made it an especially attractive target for criminals to exploit.

"I compare it to salt in the food items in your pantry," Gupta said. "If I were to tell you to throw out all the things that have salt, you would say: do you want my pantry to be empty? Because it's just everywhere."

Gupta, who previously worked as a developer at Microsoft and Facebook, said she remembers when the news about the Log4j exploit broke. She recalled saying, "is that the same package I used in 2000 to code? It's the same package! Oh my god, people still use it? And its usage has grown."

Ingredients list for software products

This is why she believes companies need an "ingredients list" (some people call this a software bill of materials, or SBOM) – essentially an inventory of all the open source and third party code used in their products. 

"When we ship something, or when we consume something, what are the downstream dependencies? It's critical for us to be very well aware of that," and Microsoft maintains a software dependency index, which helped the MSRC respond quickly to Log4j, Gupta noted. "Organizations have to prioritize this work."
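The kind of query a dependency index answers, as an added example that is not code from the article or from Microsoft's own index: three constructed, simplified CycloneDX-style SBOMs for hypothetical products are indexed by component, and the index is asked which products ship a given component and which of those copies are older than an assumed fix version (the `2.17.1` threshold below is a placeholder, not a statement about Log4j's advisories).

```python
import json
from collections import defaultdict

# Constructed, simplified SBOMs (CycloneDX-like JSON) for three hypothetical products.
SBOMS = {
    "billing-service": json.dumps({"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
    ]}),
    "report-portal": json.dumps({"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    ]}),
    "edge-proxy": json.dumps({"components": [
        {"group": "", "name": "openssl", "version": "3.0.2"},
    ]}),
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically; non-numeric parts count as 0."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def build_index(sboms):
    """Inverted index: component name -> {product: version shipped}."""
    index = defaultdict(dict)
    for product, raw_sbom in sboms.items():
        for component in json.loads(raw_sbom)["components"]:
            index[component["name"]][product] = component["version"]
    return index


def products_using(index, component):
    """Every product that ships `component`, with the version each one carries."""
    return sorted(index.get(component, {}).items())


def needs_update(index, component, fixed_version):
    """Products whose copy of `component` is older than `fixed_version` (assumed threshold)."""
    fixed = parse_version(fixed_version)
    return sorted(product for product, version in index.get(component, {}).items()
                  if parse_version(version) < fixed)


if __name__ == "__main__":
    idx = build_index(SBOMS)
    print(products_using(idx, "log4j-core"))
    print(needs_update(idx, "log4j-core", "2.17.1"))
```

Real SBOMs also carry a dependency graph and package URLs, so the same index can be keyed on the `purl` field to distinguish forks and repackaged copies of a library.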

Continuing with the food metaphor: companies should know the sources of the ingredients, she said. This means asking vendors about their security policies and doing audits, as well as code reviews on open source software.

"And then the third thing I would say is trust but verify," Gupta said. "Even though you trust the vendor who is providing you the dependency, you should still have this program to verify." ®
