Mel Migrino is the Vice President and Group CISO of MERALCO, the largest Power Distribution Conglomerate in the Philippines. She is part of the Executive Committee of the ASEAN CIO Association. She is concurrently the Chairman and President of the Women in Security Alliance Philippines (WiSAP). She has been cited as 2022 Influencer by the International Security Journal and has been recently cited by Technology Magazine, Energy Digital and Cyber Magazine as a leading CISO among global cybersecurity leaders and a regular contributor in Women in Security Magazine in Australia. She is the former Cyber Security Leader of a Big 4 auditing firm and the largest fintech in the Philippines. She has more than 15 years of combined experience in Cyber and IT Governance, Application and Infrastructure Security, Operational Technology (OT) Security, Business Continuity, Privacy, IT Audit, Project Management across multiple industries. She led the PCIDSS Certification for the largest payments network in the Philippines. Further, through her leadership, Meralco’s Fintech Subsidiary, Bayad won the W Media Awards for Southeast Asia under Cybersecurity Implementation on 2021.
Supply chain ecosystem is a network of people, applications and systems, governance processes, workflows and devices to enable to procurement and use of required products and services to meet certain business requirements towards achievement of overall business objectives.
In this age of digital transformation happening in enterprise and operational technology triggered by the challenges in this pandemic, paved the way to streamline operations, develop platforms that are within the reach of your customers and allow hyper personalization to adjust to the changing lifestyle, more and more integration points and collaborations from third parties emerged and are making progress to enable faster data exchange and seamless processing of online transactions.
This progressive change led the way to expand the attack surface. The trust that was initially founded on a few vetted processes and technologies has now expanded to business groups where we have no concrete visibility on the depth of the data protection controls and risk management processes that are ingrained in the business-as-usual activities.
A common yet high risk attack vector is the software supply chain platform that fits within the Technology organization. The IT supply chain is the network of principals, distributors, and resellers that participate in the sale, delivery, and production of hardware, software, and managed services. Software supply chain attacks usually require strong technical aptitude and time, so they are often difficult to execute. These attacks aim to compromise trusted relationship and brand in which threat actors infiltrate a malicious script to exploit and access an existing trusted connection that the third party has with the target organization. Some of the less complex types of software supply chain attacks includes modifying open-source code or app store attacks. In general, advanced persistent threat (APT) actors are more likely to have both the intent and capability to conduct the types of highly technical and prolonged software supply chain attack campaigns that may harm the greater majority.
Common attack techniques that threat actors used to execute software supply chain attacks are as follows:
- Hijacking – Software receives routine updates to address bugs and security issues. Software vendors distribute updates from centralized servers to customers as a routine part of product maintenance. Threat actors can hijack an update by infiltrating the vendor’s network and either inserting malware into the outgoing update or altering the update to grant the threat actor control over the software’s normal functionality.
- None performance of Code signing – This aims to validate the identity of the authenticity of the code/ author and the integrity of the code. Attackers undermine codesigning by self-signing certificates, breaking signing systems, or exploiting misconfigured account access controls. Threat actors are able to successfully hijack software updates by impersonating a trusted vendor and inserting malicious code into an update.
- Compromising Open-Source Code – This occurs when threat actors insert malicious code into publicly accessible code libraries, which unsuspecting developers—looking for free blocks of code to perform specific functions—then add into their own third-party code.
To prevent the occurrence of this type of attack, organizations should :-
- Implement an organization-wide program for supply chain risk management – This includes executives and managers within operations and personnel across supporting roles, such as IT, business teams, procurement, legal, risk management, and security as these roles can influence risk mitigation across suppliers’ pool through due diligence and contracting activities
- Document and roll out a set of cybersecurity requirements for suppliers – The complexity of the control requirements may vary on the nature of the project.
- Put in place a secure system development lifecycle policy and standards – Adopt the Security by Design as a software development practice especially for high value assets. Vendors should incorporate security features in their software design plans. Customers can assist by communicating security requirements to their vendors.
- Perform Binary Code Scanning to carefully assess the patch or update from the vendor – This could be an expensive investment, but it is all worth the effort. For this to work effectively, this cyber technology must be neatly integrated with the patch management standards and procedures of the technology and cyber teams.
- Require a regular updated of the software component inventory that states the components and other attributes of delivered software developed by the third parties.
- Proactively identify threats and vulnerabilities of software and 3rd parties thru the use of threat intelligence to enrich decision making. Identified indicators of compromise must be defined and blocked in various cyber technology platforms and should be reviewed in a periodic basis.
The end state is really to have a resilient supply chain that empowers people to make objective and wise decisions that will yield to greater efficiency and success in the procurement and production lifecycles. Organizations should be agile enough to quickly pivot as business direction evolves and resilient enough to withstand potential challenges that may emerge.