If you run a website or eCommerce site, you are probably vulnerable to a supply chain attack. To understand how the attack works and how your site may be exposed, we will look at the major supply chain attack that has been in the news recently.
In 2020 the United States government and up to 250 major US-based companies fell victim to a devastating IT supply chain attack that targeted software made by the company SolarWinds. Many companies might be asking themselves how they can prevent similar attacks from occurring again.
In a supply chain attack, the attacker adds malicious code to a software project or product before it reaches the end customer. For example, if a project requires a certain library and one of the files in that library is compromised, the compromised file is in turn bundled into the final software distribution. The malicious code then leaks data or, even more seriously, provides back-door access to the affected systems so the attackers can take control.
To get there, an attacker must circumvent security countermeasures and gain access to at least one of the source code files during the Software Development Life Cycle (SDLC), either while the product is first being developed or during a subsequent version update. In other words, the attacker alters the code files without being detected, and that altered code is then bundled with the software distribution.
For the highly publicized SolarWinds supply chain attack, many factors contributed to the attackers' ability to gain access to SolarWinds source code, as reported by the New York Times. Those factors include:
Once the malicious code was in the software distribution, large companies bought and installed SolarWinds software without analyzing it for such security defects themselves.
“None of the SolarWinds customers contacted by The New York Times in recent weeks were aware they were reliant on software that was maintained in Eastern Europe. Many said they did not even know they were using SolarWinds software until recently.”
New York Times, “As Understanding of Russian Hacking Grows, So Does Alarm” by David E. Sanger, Nicole Perlroth and Julian E. Barnes, Jan. 2, 2021
Up to 250 US-based companies were affected by the software supply chain hack of SolarWinds. A website supply chain attack is very similar, except that it goes through the vendors whose code runs on a website rather than through software vendors, and over 90% of websites today are vulnerable.
The mechanics of a website supply chain attack are the same, but there are more potential vectors for malicious code to infiltrate a site. An attacker could add malicious code to any first-party code written and maintained by the host website, but they could also target any of the third-party tags that load while pages of the site are rendering.
Virtually every website uses dozens of third-party JS tags, and this is especially true for eCommerce websites. A compromised third-party tag would load as usual in your end users' browsers as they interact with your site, while quietly collecting private information. Attackers target important customer data, including credit card numbers, names, and other personally identifiable information (PII).
Over the course of several years, third-party tags accumulate on a site. Tags may stay on the site even after the tag providers have stopped doing business with the owners of the host website, or in some cases even after the tag providers have discontinued updates to their tag. The website owner carries the responsibility and liability for all website content, tags included, which is why tag governance matters. Good tag governance means active management of all website content, including the third-party tags and services, as well as protection through other means.
Website owners should insist on good tag governance. Every piece of content should be inventoried at a central repository that allows for disciplined active management of website content. Good tag governance will reduce the opportunity for PII theft and other dangerous and embarrassing attacks, but ultimately each site needs a strong Content Security Policy (CSP) to protect against website supply chain attacks as well. A CSP will prevent some data theft even if malicious code is introduced to the site or its tags.
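The two preceding paragraphs make two points that can be checked mechanically: every tag should be in an inventory with a known status, and the site's Content Security Policy should be strict enough that an injected or stale tag cannot load or send data out. The following is an added example, not code from the original post or from Blue Triangle: it parses a CSP header, checks each inventoried tag origin against the script sources the policy allows, and reports weak settings (wildcards, 'unsafe-inline', unrestricted connect-src, no form-action) alongside any retired tag the policy still permits. The tag inventory, both policies and all hostnames are constructed for the example, and the source-expression matching is simplified (no port or path rules).

```javascript
// Constructed inventory: one tag under an active contract, one left behind by a
// vendor that stopped doing business with the site.
const TAG_INVENTORY = [
  { origin: 'https://tags.analytics-vendor.example', status: 'active' },
  { origin: 'https://widget.old-chat.example', status: 'retired' },
];

// Weak setting: any origin may serve scripts, inline scripts run, data may go anywhere.
const WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'";

// Corrected setting: only the site and the contracted vendor may serve scripts or
// receive data, forms may only post back to the site, and the site cannot be framed.
const HARDENED_POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://tags.analytics-vendor.example; " +
  "connect-src 'self' https://tags.analytics-vendor.example; " +
  "form-action 'self'; frame-ancestors 'none'";

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression ('*', host, *.host or scheme://host) match an origin?
// Keyword sources such as 'self' never match a third-party origin here.
function sourceMatches(source, origin) {
  if (source === '*') return true;
  if (source.startsWith("'")) return false;
  const src = source.replace(/^https?:\/\//, '');
  const host = origin.replace(/^https?:\/\//, '');
  if (src.startsWith('*.')) {
    const suffix = src.slice(1); // "*.example" -> ".example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return src === host;
}

// Audit a policy against the inventory. script-src and connect-src fall back to
// default-src when absent; form-action does not, so it must be set explicitly.
function auditPolicy(header, inventory) {
  const policy = parseCsp(header);
  const scripts = policy['script-src'] || policy['default-src'] || [];
  const connects = policy['connect-src'] || policy['default-src'] || [];
  const findings = [];

  if (scripts.length === 0 || scripts.includes('*')) {
    findings.push('scripts may load from any origin');
  }
  if (scripts.includes("'unsafe-inline'")) {
    findings.push("'unsafe-inline' lets injected inline scripts run");
  }
  if (connects.length === 0 || connects.includes('*')) {
    findings.push('connect-src lets a tag send collected data to any origin');
  }
  if (!policy['form-action']) {
    findings.push('form-action is unset: forms may be redirected to another host');
  }

  const allowed = inventory.filter((tag) => scripts.some((s) => sourceMatches(s, tag.origin)));
  for (const tag of allowed) {
    if (tag.status !== 'active') {
      findings.push(`retired tag ${tag.origin} is still allowed to load`);
    }
  }
  return {
    findings,
    allowed: allowed.map((t) => t.origin),
    blocked: inventory.filter((t) => !allowed.includes(t)).map((t) => t.origin),
  };
}

// Stand-alone run: the weak policy produces five findings, the hardened one none.
for (const [label, header] of [['weak', WEAK_POLICY], ['hardened', HARDENED_POLICY]]) {
  console.log(label, JSON.stringify(auditPolicy(header, TAG_INVENTORY), null, 2));
}
```

Running the same audit whenever the inventory or the policy changes turns tag governance into a repeatable check: a tag that is retired in the inventory but still allowed by the policy, or a policy that quietly regained a wildcard, shows up as a finding rather than as a surprise in a breach report.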
Blue Triangle can help you automate this process. Blue Triangle will automatically catalog all the tags and software you use on your site and help you create and manage Service-Level Agreements with the vendors you rely on. Each step of the process is highly automated and keeps you in the driver's seat, so you do not unnecessarily block desired content or services. This proven practice will keep your site fast, safe, and secure. Blue Triangle also offers automated Tag Governance with a built-in Content Security Policy (CSP) manager that helps prevent attacks and browser hijacking on your websites and web-based applications.