Cyber Attacks, Code Signing, and the Digital Supply Chain

Hello again! Welcome to my second blog. I'm going to shift gears a bit from my personal PKI journey to discuss cyber-attacks. With the recent SolarWinds and Colonial Pipeline incidents, cyber-attacks have been dominating the news. These are just two of the latest in a string of attacks that are becoming all too frequent. These assaults present a growing threat to businesses, government, and individuals. They have become a major cause for concern, and the search for a solution is now an item on the President’s agenda. The techniques deployed by malefactors have grown increasingly sophisticated as the digital supply chain has grown to equal, even surpass, the complexity and inherent vulnerability of its analog counterpart.

The term “digital supply chain” was coined by Tony Hines in his 2001 book “From Analogue to Digital Supply Chains” (London, Amsterdam, New York: Elsevier). Originally meant to describe the development and delivery of purely digital products (e.g. photos, music), the term has grown to describe both the purely digital deliverable (a Microsoft product key) and the hybrid environment wherein the physical (a graphics card) is inseparable from its digital components (drivers). From content creation through quality control/asset management to content delivery, each node in the digital supply chain introduces weaknesses as well as opportunities for savings and/or new business models.

Digital supply chain management involves complex systems built on Web-enabled capabilities including software development, distribution, app stores, and downloads.  Signing is the primary means by which trust is created and supported up and down the chain. Code signing is the process of digitally signing executables and scripts to confirm the software author and to guarantee that the code has not been altered or corrupted since it was signed. The entire web of interlocking processes that comprises the digital supply chain depends on a stable, well-managed, and trustworthy public key infrastructure. Remember, on the web, nobody knows you are a dog (or a malefactor). We depend on the integrity of the trust infrastructure that has grown up to support web-based business.

How do the digital supply chain and code signing play a role in cyber-attacks, and who is at risk? Every organization and every person who is involved in the supply chain – from the developers to the consumer – is at risk. Supply chain risks can come from many different sources and impact different parts of the chain. A digital supply chain attack occurs, for example, when a software vendor’s network is infiltrated and malefactors enable the execution of malicious code to compromise the software before it is sent to customers (SolarWinds). The compromised software then compromises the customer’s data or system, all the while using a legitimate signature to cloak its true identity.
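To make the two points above concrete (a signature guarantees the code has not changed since signing, yet a legitimate signature can still cloak compromised code), here is an added example that is not part of the original post, the webinar, or any PKI Solutions code. It uses Ed25519 from the Go standard library in place of a real certificate-based code-signing chain, and the "executables" are constructed sample shell text. Intact and in-transit-tampered artifacts behave as expected; the fourth case shows the SolarWinds-style failure, where code altered inside the build pipeline and then signed with the vendor's real key verifies perfectly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is a build output shipped together with a detached signature.
type Artifact struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// SignArtifact signs the payload with the publisher's private key (Ed25519).
func SignArtifact(priv ed25519.PrivateKey, name string, payload []byte) Artifact {
	return Artifact{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyArtifact returns true only if the signature was produced over exactly
// this payload by the private key matching pub.
func VerifyArtifact(pub ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(pub, a.Payload, a.Signature)
}

// Digest is the SHA-256 fingerprint of a payload, the value a consumer would
// compare against a vendor-published manifest in addition to the signature.
func Digest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// Results records the outcome of the four scenarios walked through in Demo.
type Results struct {
	IntactVerifies            bool   // unmodified artifact, trusted publisher key
	TamperedInTransitVerifies bool   // payload altered after signing
	UnknownPublisherVerifies  bool   // signed by a key the consumer does not trust
	PoisonedBuildVerifies     bool   // altered before signing, signed with the real key
	CleanDigest               string // fingerprint of the genuine build
	PoisonedDigest            string // fingerprint of the poisoned build
}

// Demo runs the four scenarios with freshly generated (constructed) keys.
func Demo() (Results, error) {
	var r Results
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	// Constructed sample build output standing in for a real executable.
	clean := []byte("#!/bin/sh\necho 'vendor update 1.0'\n")
	injected := []byte("echo 'injected line'\n")
	signed := SignArtifact(priv, "update-1.0.sh", clean)
	r.IntactVerifies = VerifyArtifact(pub, signed)

	// Payload changed after signing (for example on a download mirror): the
	// signature no longer matches the bytes, so verification fails.
	inTransit := signed
	inTransit.Payload = append(append([]byte(nil), clean...), injected...)
	r.TamperedInTransitVerifies = VerifyArtifact(pub, inTransit)

	// Signed by some other key: fails unless the consumer also trusts that key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	r.UnknownPublisherVerifies = VerifyArtifact(pub, SignArtifact(otherPriv, "update-1.0.sh", clean))

	// The supply-chain case: the source is altered inside the vendor's build
	// pipeline and then signed with the legitimate key. The signature is valid,
	// because it proves only who signed, not that the code is what it should be.
	poisoned := append(append([]byte(nil), clean...), injected...)
	r.PoisonedBuildVerifies = VerifyArtifact(pub, SignArtifact(priv, "update-1.0.sh", poisoned))
	r.CleanDigest, r.PoisonedDigest = Digest(clean), Digest(poisoned)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The fourth result is why the webinar's emphasis on protecting the signing mechanism and validating what enters the build matters: once the key or the pipeline is compromised, signature checking alone cannot catch it, and only out-of-band controls (reproducible builds, a published manifest of expected digests, review of the code that was signed) expose the difference between the two fingerprints.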

In 2015, Sony Pictures Entertainment was the target of a cyber-attack that resulted in the release of stolen data and personal employee information (social security numbers and salaries). Not only was this attack devastating for the employees, one being a close friend of mine, but it was also quite damaging and embarrassing for the organization. More recently, SolarWinds and Colonial Pipeline have been victims. SolarWinds was the subject of a massive cybersecurity attack that spread to the company’s clients, compromising vast and still largely unknown amounts of sensitive data. To defend against this surge in attacks, we must be continually expanding our knowledge base and tactics.

Last week, Mark B. Cooper, President and Founder of PKI Solutions, hosted a Webinar discussing this very topic. Mark and his guest, Ted Shorter of Keyfactor, shared insights into code signing’s role in the supply chain. They spoke about how organizations should carefully review code, even code from trusted sources. They also touched on the general lack of protections around code signing for organizations and the steps you can take to improve code signing awareness and processes. They reviewed actions to take to mitigate supply chain risks, such as deploying secure signing mechanisms, implementing software validation processes, putting in place protections against not only exfiltration of information but also indiscriminate ransomware, and, most importantly, ensuring secure code from inception to delivery. Effective commerce and trustworthy computing require a secure channel, and a trusted lifecycle must be created.

To learn more about this topic, check out our latest Webinar: The Role of Code Signing – Digital Supply Chains in the Era of SolarWinds and Colonial Pipeline Attacks.

For additional info and to learn more about how PKI Solutions can assist you with any of your PKI initiatives, connect with me on LinkedIn: https://www.linkedin.com/in/carolyn-ballo/

About Carolyn Ballo

PKI Solutions Client Relationship Manager - she is responsible for sales, marketing initiatives, and partner relationships. Her expertise is in consultative selling, innovative problem solving, and strategic solutions leveraging a broad range of experience to help clients solve complex security challenges.
