Cyber & IT Supervisory Forum - November 2023

Software Supply Chain Attacks

Software supply chain attacks typically follow a sequence of events:

• Attackers gain access to the software supply chain, which may include software development environments, code repositories, build systems, and distribution networks.
• Once inside the supply chain, attackers insert malicious code, backdoors, or vulnerabilities into the legitimate software. This can be done at various stages, including during development, distribution, or even updates.
• The compromised software, now containing the attacker's payload, is distributed to unsuspecting customers, including banks, who believe they are using legitimate and secure software.
• Attackers exploit the compromised software to gain unauthorized access, exfiltrate sensitive data, deploy malware, or conduct other malicious activities within the targeted banks or financial institutions.
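One defensive control that addresses the distribution and update stages described above is digest pinning: an institution records the SHA-256 of each vendor artifact it has vetted and refuses to install anything whose digest is unknown or does not match. The following is an added illustration, not material from the forum slides or from any vendor; the "release" bytes and artifact names are constructed stand-ins, not real software.

```python
import hashlib
import hmac

# Constructed sample artifacts standing in for a vendor's release files.
# GENUINE_RELEASE is what the bank vetted; TAMPERED_RELEASE has extra bytes
# appended, the way a build altered in transit or at the distribution point would.
GENUINE_RELEASE = b"monitoring-agent v1.0: benign update routine\n"
TAMPERED_RELEASE = GENUINE_RELEASE + b"# injected line standing in for a malicious change\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Pin each trusted artifact's digest at the time it is vetted.

    In practice this manifest lives in version control and changes only
    through a reviewed process, like a lockfile or go.sum.
    """
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify_artifact(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (ok, reason). Unknown names and digest mismatches both fail closed."""
    pinned = manifest.get(name)
    if pinned is None:
        # An update the bank has not vetted yet is treated the same as tampering:
        # it is not installed until someone reviews it and pins its digest.
        return False, f"{name}: no pinned digest, refusing unvetted artifact"
    actual = sha256_hex(data)
    # compare_digest avoids timing differences; cheap insurance for digest strings.
    if not hmac.compare_digest(actual, pinned):
        return False, f"{name}: digest mismatch (pinned {pinned[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: digest matches pinned value"


# Manifest built from the vetted release only (constructed for this example).
PINNED = build_manifest({"monitoring-agent-1.0.tar.gz": GENUINE_RELEASE})


if __name__ == "__main__":
    checks = [
        ("monitoring-agent-1.0.tar.gz", GENUINE_RELEASE),   # vetted build
        ("monitoring-agent-1.0.tar.gz", TAMPERED_RELEASE),  # altered after pinning
        ("monitoring-agent-1.1.tar.gz", GENUINE_RELEASE),   # unpinned update
    ]
    for name, data in checks:
        ok, reason = verify_artifact(name, data, PINNED)
        print("ALLOW" if ok else "BLOCK", reason)
```

The caveat a practitioner should keep in mind: pinning only catches changes made after the digest was recorded. If the malicious code is inserted upstream, in the vendor's development or build environment, the tampered build is the one that gets vetted and pinned, so this control must be paired with scrutiny of the vendor's build and release practices, which is the transparency gap the SolarWinds case exposed.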

Impact on Banks

• Data Breaches
• Financial Loss
• Operational Disruption


SolarWinds Case Study: A Call for Enhanced Supply Chain Cybersecurity

1. Incident Overview:
   1. The SolarWinds breach, revealed in late 2020, highlighted critical weaknesses in software supply-chain security.
   2. Significant breaches occurred, impacting entities like NATO, the European Parliament, and various US government agencies.
2. Transparency & Trust Issues:
   1. The episode exposed the risk of limited insight into third-party security practices within the software supply chain.
   2. The vulnerability arises from the lack of clear and verifiable cybersecurity measures, creating a hidden source of danger.
3. Precedent Cybersecurity Challenges:
   1. A CrowdStrike report from 2018 disclosed that two-thirds of surveyed organizations had faced a software supply-chain attack, with 90% suffering financial damages.
4. Regulatory Response:
   1. In October 2023, the SEC filed a complaint against SolarWinds, charging former CISO Timothy G. Brown with fraud.
   2. Key allegations included making false cybersecurity claims, inadequate risk disclosure in SEC filings, and misleading information about the SUNBURST attack's consequences.

The SolarWinds case underscores the necessity for robust cybersecurity protocols and the importance of transparency in third-party software and service procurement. The recent SEC action further highlights the legal and financial consequences of failing to maintain and disclose adequate cybersecurity measures.

