Loose lips sink ships, warned US anti-espionage posters during World War II. It turns out loose code can do a lot more.
The world first caught wind of a massive breach linked to cyber firm SolarWinds last December. The breach was unique not only in its scale, but also in its method of attack. Hackers targeted the very first stop of the entire cyber line of defense: the cybersecurity software.
The compromised software let hackers into thousands of government agencies and companies, sending shockwaves throughout the world. GovInsider spoke with cyber experts to understand what Singapore and its neighbours can learn from the SolarWinds attacks.
What made these attacks particularly insidious was the way they exploited trust in cybersecurity companies, notes Terence Siau, General Manager of Singapore at the global research institution Center for Strategic Cyberspace + International Studies. Many organisations never thought to second-guess their security tools, trusting that cyber firms had done their “due diligence”.
But the hackers targeted the software right from the coding stage, sneaking into it as developers built it. Any vulnerabilities would then be passed down to companies, their employees, and even external customers, Siau explains.
“Imagine you’re using an Android phone, and the compromisation comes in from the Android OS,” he says.
Another surprising factor was the scale of these attacks, say Abhik Roychoudhury, Provost’s Chair Professor at the National University of Singapore’s Department of Computer Science, and Liang Zhenkai, who is Associate Professor at the same department.
There were more than 18,000 SolarWinds customers affected, and an estimated 1000 attackers involved, according to Reuters. But it’s likely that we won’t know the full extent of these attacks until much later, Siau says.
First, we need to rethink what makes ‘trustworthy’ software, say Roychoudhury and Liang. “Think of this as extra vigilance – why trust software because it comes from a trusted supplier?” they add.
The second lesson is to prioritise application security, which means making services that run on individual devices more secure. Every device – be it a mobile phone, laptop or IoT sensor – that connects to an organisation’s central network presents an opportunity for attackers to strike.
The bad news is that software for these devices is “most fragile (and poorly written), allowing attackers easy access,” Roychoudhury and Liang note.