How to… 5 steps to avoid your web applications getting hacked
2021 has gotten off to an ominous start on the cybersecurity front, with a continuation of the more sophisticated hacking attacks that culminated in December with revelations about the major SolarWinds exploit.
That unusual cyberattack saw software developed by the Texas-based company SolarWinds infiltrated with malicious code, which was then unwittingly distributed far and wide to customers as part of a regular and certified software update.
It wasn’t a good look for SolarWinds which counts most of the Fortune 500 companies as customers using its network management products in one form or another. Even a giant like Microsoft isn’t immune to escalating cyber attacks.
Last week the world’s largest software maker was scrambling to respond to security exploits in its widely-used Microsoft Exchange Server software. Microsoft started issuing patches for the exploits in early March but dealt with an escalation of activity last week as hackers used software tools to try to identify and access unpatched Exchange Server installations before the patches were applied.
The perils of sharing
Curiously, Microsoft is investigating the prospect that the hackers may have got hold of proof of concept (PoC) attack code that Microsoft shared with antivirus companies as part of its Microsoft Active Protections Program, an industry collaboration intended, ironically, to help keep Microsoft’s products secure.
SolarWinds and the Microsoft Exchange exploits are considered to be examples of software supply chain exploits. The threat effectively comes from within an ecosystem of partners, where a vulnerability exploited in one party is used to infiltrate its partners’ systems.
Supply chain hacks are particularly challenging as smaller companies are at the mercy of their software partners to deliver secure products – and to swiftly issue patches as soon as exploits are discovered.
But many Kiwi companies are, on a smaller scale, themselves using and often developing and deploying web-based applications for their customers. There, the threat landscape is rapidly evolving too, says Elf Eldridge, cybersecurity consultant at Wellington-based IT consultancy, ZX Security.
“What we’re seeing is that architecture becomes more complex, the points at which things can be misconfigured increases, and so the chances of something simply being overlooked increases as well,” he told an IT Professionals New Zealand webinar last week.
Eldridge says that anything web-facing, which is pretty much everything these days, is potentially vulnerable to attack. But some fairly standard techniques can be used to lessen the risk of websites and applications being infiltrated.
Scroll down to hear Eldridge’s advice on how to minimise the impacts of software supply chain exploits.
But first, here are five things Eldridge recommends deploying to secure business-critical web applications. He also adds a caveat – all of these things will only help keep you secure if you are following NZCERT’s “critical controls” – it’s advice for getting the cybersecurity basics right.
1. HTTP security headers
“The most common vulnerability that people don’t address… is HTTP security headers,” says Eldridge.
HTTP security headers are exchanged between a web client (a web browser) and a server to deliver specific security details for that HTTP communication. Many common types of attacks, such as cross-site scripting (XSS) and “clickjacking” can be cut off at the pass with properly deployed HTTP security headers.
“There are a bunch of headers that can be configured by a web application firewall, or on a server that will give broad-spectrum resistance to really common attacks,” Eldridge says.
He regularly checks out the OWASP Foundation’s Secure Headers Project for the latest security developments relating to HTTP headers.
2. Content security policy
Content Security Policy (CSP) is a type of HTTP header that adds a layer of content-related security for a web application. When it is set on a web page, it lets the site control exactly which sources the browser may load content (scripts, images, frames, form targets) from for that page.
As web browser developer Mozilla explains: “A page that uploads and displays images could allow images from anywhere, but restrict a form action to a specific endpoint. A properly designed Content Security Policy helps protect a page against a cross-site scripting attack.”
Check out Google’s developers’ info on the content security policy for more information.
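The following Python script is an added example and is not code from the article or from ZX Security. It audits a captured set of HTTP response headers for the security headers discussed in sections 1 and 2 and flags Content Security Policy sources that weaken XSS or clickjacking protection; the header values it checks are constructed samples.

```python
# Added example (not from the article or ZX Security): audit a captured set of HTTP
# response headers for the defensive headers discussed above and flag CSP sources
# that weaken XSS or clickjacking protection. Sample values are constructed.
# Headers a hardened response should carry, each with a minimal value check.
REQUIRED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: bool(v.strip()),
}
# CSP source expressions that effectively re-open a directive to attacker content.
PERMISSIVE = ("*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:")

def parse_csp(policy):
    """Split "default-src 'self'; img-src *" into {directive: [sources]}."""
    csp = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            csp[tokens[0].lower()] = tokens[1:]
    return csp

def csp_findings(policy):
    """Report directives that undo the protection a CSP is meant to give."""
    csp = parse_csp(policy)
    findings = [] if "default-src" in csp else ["csp: no default-src fallback"]
    for directive, sources in csp.items():
        findings += [f"csp: {directive} allows {s}" for s in sources if s.lower() in PERMISSIVE]
    if "frame-ancestors" not in csp:
        findings.append("csp: no frame-ancestors (clickjacking relies on X-Frame-Options)")
    return findings

def audit_headers(headers):
    """Return all findings for one response; an empty list means it passed."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED.items():
        if name not in lower:
            findings.append(f"missing header: {name}")
        elif not ok(lower[name]):
            findings.append(f"weak value for {name}: {lower[name]}")
    if "content-security-policy" in lower:
        findings += csp_findings(lower["content-security-policy"])
    return findings
# Constructed sample response: permissive CSP, no HSTS, no nosniff.
SAMPLE = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src *",
}
print("\n".join(audit_headers(SAMPLE)))
```

Feed it the headers from a real response (for example the dictionary returned by an HTTP client) to get the same report for your own site.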
3. Web application firewall
We’ve all heard of a firewall, designed to keep unauthorised actors, viruses and malicious code from getting past your network defences. In a similar way, a web application firewall (WAF) helps protect against exploits that target Hypertext Transfer Protocol (HTTP) traffic.
Web applications are delivered via a browser interface from a remote server. A WAF inspects HTTP traffic to try to detect and block malicious requests before they reach the web application. As more apps are deployed via the web, many using application programming interfaces (APIs), they are being targeted by hackers, so a good WAF with accompanying policies is a basic security requirement.
“An international WAF which is regularly updated won’t completely prevent cyber-attacks but reduces the burden on IT teams to keep up with the high pace at which new attacks and exploits are discovered,” says Eldridge.
“Of course this only works when WAFs are configured correctly.”
Robust network security remains crucial, but more attention needs to be paid to the security of applications that are primarily accessed via the internet.
4. The cloud is probably safer
Everyone is migrating to the cloud and, from a security point of view, that’s a good thing, says Eldridge.
“The baseline security just seems to be getting better and better for cloud services,” he explains.
“It’s not to say that that doesn’t open up new avenues of attack, because it absolutely does.”
By and large, however, the scale of the security provisions large cloud providers invest in adds better protection and a faster response when an exploit is discovered.
“When enabled, the security defaults on the likes of Office 365 are head and shoulders above where they used to be,” says Eldridge.
“A lot of them will enforce multi-factor authentication and have security tools which tell you this account is causing big problems, fix it now.”
5. Responsible disclosure
One way to help protect against the bad guys getting in is encouraging the good guys to point out the security flaws so they can be fixed. Eldridge recommends that every company running web applications have a responsible disclosure process.
“Quite often, as I’m browsing the internet, I will find something that I shouldn’t be able to see. And the first thing I want to do is to tell the company about it,” he says.
“In most companies, I have no idea who to talk to, where to find the information, where to report it, or even how it will be received. If you have a process for receiving that information, even if it’s as simple as, here’s an email address on my website, that will get noticed. That is a fantastic first step.”
He admits that securing your online environment is a never-ending task.
“It is a combination of diligence and serendipity, consistently having good software security practices when you’re creating code, having checks and balances, development test pipelines and test cases,” he says.
“You don’t want to be at the bottom of the barrel, where everything is open. Those are the ones they will go for.”
So what about those supply chain hacks?
The reason the SolarWinds exploit was so unnerving for software makers and users alike is that managing your dependency on third-party software is very hard to do well.
Eldridge points to tools designed to identify dependency issues, such as OWASP’s Vulnerable Dependency Management Cheat Sheet and OWASP Dependency-Check. Again, he sees web application firewalls as a good line of defence.
“If you have them and they are reputable and configured correctly, then as soon as something new is discovered you can rely on some protections being put in place almost immediately by international security teams to protect against those attacks. That gives you a little protection when you’re scrambling to identify and patch a new issue that you didn’t know about.”
If you are using a lot of third-party software (most large organisations are) having good back-ups to draw on, an incident response plan and pre-emptive communications are essential. You may not be able to prevent every exploit, but you can reduce the impact of a subsequent attack.
Cloud security + WAF = meltdown avoided
Eldridge gives an example that small businesses will relate to.
“I run a website for my mum’s company, which has no dedicated IT staff (they’re too small). It runs WordPress (in AWS), behind a Cloudflare WAF. Staff accounts are set up with limited access and multi-factor authentication is turned on wherever possible.
“There’s a huge software supply chain risk associated with me choosing WordPress,” Eldridge admits.
“But because I have both daily backups and a WAF, and WordPress is regularly maintained, if an issue is found I can recover from it quickly from backups. The WAF provides me with a little immediate protection against the issue as soon as it becomes known, and all I likely need to do to fix the issue is log in and apply an update that has already been written by someone smarter than me and checked on thousands of other sites before I get to it.
“So the likelihood is high, but the impact is low so the overall risk is reduced. Unfortunately this isn’t a nice one-size-fits-all model.
“Beyond that – the most important thing (and this is true for all cloud systems) is clarity around what you are responsible for securing and what someone else is responsible for securing. If you can prioritise your limited resources towards critical components and systems then you can effectively reduce risk that way as well,” says Eldridge.
“Generally I would advise focussing attention on components that are not already regularly tested. For example, Silverstripe runs a robust web platform that has been tested and improved thousands of times as it’s used by the government Common Web Platform. Consistently we find that it’s the customised components existing off this framework where the security vulnerabilities lie, so we recommend clients also focus defensive efforts on those areas.”
General tips to keep safe – Elf urges you to adopt NZCERT’s Critical Controls
Patch your stuff – IT teams need to be fastidious about applying new patches to software products in a timely manner.
Use multi-factor authentication – The way into a company’s network is more often than not via insecure devices and easy to pick passwords and usernames. Multi-factor authentication, common now across Microsoft’s software products as well as other
Log and monitor – make sure you have security logs so you can track attempted or successful exploits. Monitor the logs regularly for irregular activity.
Back-up data – Schedule regular back-ups of all of your data and practice disaster recovery.
Use password managers – make it easy for people to select and use complex and therefore more secure passwords. Don’t allow staff to re-use passwords.
Use the principle of least privilege – Don’t give everyone access to absolutely everything if they don’t need it for their job.
Use application allow lists – These are designed to prevent the execution of unauthorised and malicious programs. Only specifically selected EXE programs will run. Everything else will be blocked.
Secure internet-exposed services – Keeping unused and unnecessary services running on a system can leave it vulnerable, especially if the host is exposed to the internet. Disabling these services, or segmenting them so they are not exposed unnecessarily, can reduce the risk and your attack surface.
Isolate network components – Try to separate parts of your networks (network segmentation) based on the amount of trust that they have and how important those components are.
Avoid random Macros – As Microsoft explains, “macro malware can hide in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them.”