Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Impact
Culture
Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Global Shifts
Empowered consumers
Healthier humans
Future organisations
Business for better
Safer societies
Sustainable world
Industries
Consumer and manufacturing
Defence and security
Energy and utilities
Financial services
Government and public sector
Health
Life sciences
Transport
Services
Set growth strategy
Build brands, products, and services
Reimagine AI, digital, and data
Improve organisational performance
Deliver complex programmes
Empower your people
Impact
Culture
In the media

Software supply chain attacks – everything you need to know

By Stephen Pritchard

The Daily Swig

11 February 2021

PA Consulting’s head of cybersecurity, Elliot Rose, discusses the SolarWinds breach and how organisations must tighten their security to avoid software supply chain attacks.

The article discusses how, in December 2020, with much of the world distracted by a Covid-19 resurgence and the aftermath of the US presidential election, security researchers were busy tracking a new malware campaign – UNC2452 – which had grave implications for cybersecurity in the western world.

Subsequently linked with Russian state-sponsored cybercrime gang APT29 (or Cozy Bear) the attack ‘trojanized’ software updates to Orion, an IT monitoring and management application from SolarWinds.

Withn days, dozens of global businesses and government departments were reporting Sunburst infections, including Microsoft and the US Department of Homeland Security.

The world had just witnessed its largest ever software supply chain attack.

What is a software supply chain attack?

A software supply chain attack happens when hackers manipulate the code in third-party software components in order to compromise the ‘downstream’ applications that use them.

Attackers leverage compromised software to steal data, corrupt targeted systems, or to gain access to other parts of the victim’s network through lateral movement.

Can you prevent or mitigate supply chain attacks?

At the technical level, increasing security awareness among DevOps teams is the first and – many experts argue – most critical step.

Teams need to incorporate security into the entire development process, have a comprehensive map of the dependences used by their applications, be alert to vulnerability disclosures, and have a robust system for patching security bugs.

Organizations should also tighten up their software acquisition strategies. IT departments, which often rely on questionnaires and vendor self-certification to perform due diligence, should also consider audits, source code reviews and penetration testing – more robust, if costlier, alternatives.

More organizations should follow this lead, suggests Elliot: “Many organisations recognize that they need to put in place continuous monitoring and assessment of critical third parties.”

“This is not easy but is increasingly necessary, and there are new tools and approaches available to ease the burden.”

Read the full article in The Daily Swig

Explore more

Woman at laptop.
In the media

It's time to take a modern approach to password management

PA Consulting's Raul Zeppenfeldt Molina urges organisations to take a modern approach to password management as we move towards an ever more passwordless future.
Woman at laptop.
City skyline at night.
In the media

Glass Lewis tightens cyber security voting policies after SEC changes

PA Consulting's Adam Stringer discusses what shareholders expect of Boards when it comes to cybersecurity from a governance and disclosure perspective.
City skyline at night.
Man with glasses.
In the media

What we learned in cyber in 2023, and what to look out for

PA Consulting's Rasika Somasiri reflects on the key cyber lessons learnt in 2023 and what we need to consider in 2024.
Man with glasses.
Portrait of woman using mobile phone while lying on bed
In the media

Online advertisers are getting better at identifying you

Richard Watson-Bruhn, US Head of Digital Trust and Cybersecurity at PA Consulting, discusses privacy concerns with targeted advertising.
Portrait of woman using mobile phone while lying on bed

Contact the team

We look forward to hearing from you.
Get in touch

Get actionable insight straight to your inbox via our monthly newsletter.