I have been a full stack developer at Blue Triangle for a little over a year. Previously I worked in the government and healthcare sectors as a Scientist and Engineer.
If you run a website, and especially an eCommerce site, you are probably exposed to supply chain attacks. To understand how such an attack works and where your site may be vulnerable, we will first look at the major supply chain attack that has been in the news recently.
In 2020 the United States government and up to 250 major US-based companies fell victim to a devastating IT supply chain attack that targeted software made by the company SolarWinds. Many companies might be asking themselves how they can prevent similar attacks from occurring again.
What is a Supply Chain Attack?
In a supply chain attack, the attacker inserts malicious code into a component of a software product before that product reaches its users. For example, if a project depends on a library and one of the files in that library is compromised, the compromised file is bundled into the final software distribution along with everything else. The malicious code then leaks data or, more seriously, provides back-door access to the affected systems so the attackers can take control.
To get there, an attacker must circumvent security countermeasures and gain access to at least one source code file, or to the build process that produces the shipped product, during the Software Development Life Cycle (SDLC), either as the product is first developed or in a later version update. In other words, the attackers alter code without being detected, and that code is then bundled with the legitimate software distribution and delivered to every customer who installs it.
For the highly publicized SolarWinds Supply Chain Attack, many factors contributed to the attackers' ability to gain access to SolarWinds source code, as reported by the New York Times. Those factors include:
- Underfunded security audit processes
- Engineering that was outsourced to various Eastern European countries
- Upper management failing to implement security measures recommended by their own internal security teams
Once the malicious code was in the software distribution, large companies bought and installed SolarWinds software without analyzing for these security defects themselves.
“None of the SolarWinds customers contacted by The New York Times in recent weeks were aware they were reliant on software that was maintained in Eastern Europe. Many said they did not even know they were using SolarWinds software until recently.”
- New York Times, "As Understanding of Russian Hacking Grows, So Does Alarm" (David E. Sanger, Nicole Perlroth and Julian E. Barnes), Jan. 2, 2021
Website Supply Chain Attacks
Up to 250 US-based companies were affected by the SolarWinds software supply chain attack. A website supply chain attack works the same way, except that the compromised component is third-party code that a site loads into its pages (tags, scripts, widgets) rather than software installed from a vendor, and over 90% of websites today are exposed to it.
The process of a website supply chain attack is the same, but there are more potential vectors for malicious code to infiltrate a site. An attacker could add malicious code to the first-party code written and maintained by the site's own team, but could also target any of the third-party tags that load while the site's pages render; each tag provider is a separate supplier with its own security posture, and a compromise anywhere in that chain lands in your pages.
Virtually every website uses dozens of third-party JavaScript tags, and this is especially true for eCommerce sites. A compromised third-party tag loads as usual in your end users' browsers as they interact with your site, and because it runs inside the page with the same access as your own code, it can read anything the page can, such as the fields of a checkout form, and quietly collect private information. Attackers target valuable customer data, including credit card numbers, names and other personally identifiable information (PII).
Over several years, third-party tags accumulate on a site. Tags may remain long after the tag provider has stopped doing business with the site owner, or after the provider has stopped maintaining the tag at all. The website owner is responsible and liable for everything the site serves, tags included, which is why tag governance matters. Good tag governance means active management of all website content, including third-party tags and services, combined with technical protection through other means.
Website owners should insist on good tag governance. Every piece of content should be inventoried in a central repository that allows disciplined, active management of website content. Good tag governance reduces the opportunity for PII theft and other dangerous and embarrassing attacks, but ultimately each site also needs a strong Content Security Policy (CSP) to protect against website supply chain attacks. A CSP limits what malicious code can do even after it has been introduced into the site or one of its tags: the browser refuses to load scripts from, or send data to, any origin the policy does not list.
4 Steps to Protect your Website from Supply Chain Attacks
- Inventory All Site Services: Protection has to start with a full inventory of all software running on your web pages, first- and third-party alike, followed by periodic self-checks for anomalies in that code. Automation is key to making this complete and sustainable, because the inventory changes every time a tag or a vendor does.
- Approve Services and Domains: Review the domains each third-party service actually loads from and sends data to, and check each one against what the vendor documents and what is known in the industry, so that look-alike or unknown domains are caught rather than approved by habit. Only domains that pass this review belong on the allowlist.
- Build and Deploy a Strong CSP: Your site should send a CSP header that explicitly lists the approved origins allowed to supply scripts (script-src) and, just as importantly, the origins to which code on the page may send data (connect-src, img-src, form-action). With that policy in place, the browser blocks loads from unapproved origins, blocks attempts by malicious code already on the page to send customers' sensitive information to an origin that is not on the list, and generates a CSP violation report for every such attempt. Two caveats: the policy only blocks what it does not allow, so a compromised script served from an approved origin still runs and can still post data to any approved origin, which is why the approval step matters; and a policy deployed with the Content-Security-Policy-Report-Only header reports violations without blocking anything, which is useful for tuning a new policy but is not protection.
- Automatically Monitor for Evidence of a Supply Chain Attack: Once a strong CSP is on your site you need a system that receives the violation reports your end users' browsers send and detects when they occur. The automation should alert your web teams, including the offending directive, the page, and the target domain, and should aggregate reports so one compromised tag firing on thousands of page views becomes one alert rather than thousands. With an enforcing policy, these violations are evidence that the browser stopped the attacker from receiving the data or from getting the code onto your pages in the first place; with a report-only policy they are evidence that the attempt was made and the request still went through, and the policy should be moved to enforcement.
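As an added example that is not code from the original post or from Blue Triangle, the Python below carries the last three steps through in working code: it builds the allowlist policy that steps 2 and 3 describe from a constructed inventory of approved vendor origins, and it triages the violation reports browsers POST to the policy's report-uri as step 4 requires, distinguishing exfiltration attempts from unapproved script loads, inventory drift, and the inline-script noise browser extensions produce. The vendor domains, the tag inventory, the /csp-report endpoint path and the violation reports are all assumptions made up for illustration; the report fields used (csp-report, effective-directive, violated-directive, blocked-uri, disposition, document-uri) are the ones browsers actually send.

```python
"""Allowlist CSP builder and CSP violation report triage.

Added example, not code from the original post or from Blue Triangle. The vendor
domains, tag inventory, report endpoint and violation reports are constructed.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed inventory: the result of the inventory and approval steps for a
# hypothetical storefront. Only these origins may serve code or receive data.
APPROVED_SERVICES = {
    "analytics": ["https://tags.analytics-vendor.example"],
    "payments": ["https://js.payments-vendor.example"],
    "monitoring": ["https://cdn.rum-vendor.example"],
}
# blocked-uri values browsers send as keywords rather than URLs.
KEYWORD_URIS = {"inline", "eval", "data", "blob", "self", "about", ""}
# Directives that govern where page code may send data, i.e. exfiltration paths.
DATA_SINK_DIRECTIVES = {"connect-src", "img-src", "form-action"}


def approved_origins(approved=APPROVED_SERVICES):
    """Flatten the service inventory into the set of allowed origins."""
    return {origin for origins in approved.values() for origin in origins}


def build_csp(approved=APPROVED_SERVICES, report_endpoint="/csp-report", report_only=False):
    """Return (header_name, header_value) for an allowlist policy.

    script-src limits which origins may supply code; connect-src, img-src and
    form-action limit where code already on the page may send data. With
    report_only=True the Report-Only header is emitted: reported, never blocked.
    """
    origins = sorted(approved_origins(approved))
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", ["'self'"] + origins),
        ("connect-src", ["'self'"] + origins),
        ("img-src", ["'self'", "data:"] + origins),
        ("form-action", ["'self'"]),
        ("frame-ancestors", ["'none'"]),
        ("report-uri", [report_endpoint]),  # report-to is newer; report-uri is still widely supported
    ]
    value = "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives)
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, value


def origin_of(blocked_uri):
    """Reduce a blocked-uri to scheme://host[:port]; keywords pass through unchanged."""
    if blocked_uri in KEYWORD_URIS:
        return blocked_uri
    p = urlsplit(blocked_uri)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else blocked_uri


def triage_report(report_json, approved=APPROVED_SERVICES):
    """Classify one report (the JSON a browser POSTs to report-uri).

    'blocked' is False when disposition is "report": under a Report-Only policy
    the browser reported the violation but let the load or transfer go ahead.
    """
    r = json.loads(report_json)["csp-report"]
    words = (r.get("effective-directive") or r.get("violated-directive") or "").split()
    directive = words[0] if words else ""
    origin = origin_of(r.get("blocked-uri", ""))
    if origin in KEYWORD_URIS:
        # Inline/eval violations are usually extensions or un-nonced first-party code.
        severity, kind = "low", "inline or eval blocked"
    elif origin in approved_origins(approved):
        # An approved origin tripping the policy means header and inventory drifted.
        severity, kind = "medium", "policy/inventory mismatch"
    elif directive in DATA_SINK_DIRECTIVES:
        # Data leaving the page for an origin nobody approved: the skimming pattern.
        severity, kind = "high", "possible data exfiltration"
    elif directive.startswith("script-src") or directive == "frame-src":
        severity, kind = "high", "unapproved code or frame load"
    else:
        severity, kind = "medium", "unapproved resource"
    return {"page": r.get("document-uri", ""), "directive": directive, "origin": origin,
            "severity": severity, "kind": kind,
            "blocked": r.get("disposition", "enforce") == "enforce"}


def summarize(reports, approved=APPROVED_SERVICES):
    """Aggregate raw reports into alert counts keyed by (severity, directive, origin)."""
    counts = Counter()
    for t in (triage_report(rep, approved) for rep in reports):
        counts[(t["severity"], t["directive"], t["origin"])] += 1
    return counts


def sample_report(page, directive, blocked_uri, disposition="enforce"):
    """Build a constructed report in the shape browsers POST to report-uri."""
    return json.dumps({"csp-report": {"document-uri": page, "effective-directive": directive,
                                      "violated-directive": directive, "blocked-uri": blocked_uri,
                                      "disposition": disposition}})


SAMPLE_REPORTS = [  # constructed: one exfiltration attempt, one report-only script load, one extension
    sample_report("https://shop.example/checkout", "connect-src", "https://collect.unknown-host.example/c"),
    sample_report("https://shop.example/", "script-src-elem", "https://cdn.unknown-tag.example/t.js", "report"),
    sample_report("https://shop.example/", "script-src-elem", "inline"),
]
```

To use it, send the header returned by build_csp() on every HTML response, point /csp-report at an endpoint that stores the raw JSON, and run summarize() over each batch so alerts are keyed by origin rather than by page view. The design keeps the inventory as the single source of truth: the same APPROVED_SERVICES dictionary generates the policy and decides whether a violation is an attack, drift, or noise, so adding or retiring a vendor is one edit in one place.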
Blue Triangle can help you automate this process: it automatically catalogs all the tags and software you use on your site and helps you create and manage Service-Level Agreements with the vendors you rely on. Each step is highly automated while keeping you in the driver's seat, so you do not unnecessarily block desired content or services. This proven practice will keep your site fast, safe, and secure. Blue Triangle also offers automated Tag Governance with a built-in Content Security Policy (CSP) manager that helps prevent attacks and browser hijacking on your websites and web-based applications.