Dear Reader,
In our first newsletter of 2023, we put a spotlight on one of the security issues many have predicted to remain a major pain point this year: supply chain security. Whether it’s large organizations with complex supplier ecosystems or individual developers, anybody can be affected by supply chain attacks. Read on to find out more about recent attacks and best practices for how to prevent them.
Same name, different contents
The popular PyTorch project was not off to a good start into 2023, getting hit by a dependency confusion attack over the holidays. When the Python package manager tried to locate one of the project’s dependencies on the Python Package Index (PyPI), an attacker had already registered a malicious package with the same name. As a result, people who downloaded the project’s nightly builds were served spyware.
Supply chain threats on the rise
The attack on PyTorch may have been the latest, but certainly not the only attack of this kind. In fact, Python and its package index have been subject to similar supply chain attacks before. In a similar fashion, a malware called W4SP stealer was shipped to PyPI users last year.
Common attack vectors
Cybersecurity Magazine recently featured an article providing an overview of supply chains security risks. It outlines attack vectors commonly abused by malicious actors which are overlooked all too often in interaction with suppliers, incl. API vulnerabilities, third-party data breaches, and social engineering.
How to do better
To support organizations with managing associated security risks, NSA and CISA recently published recommended practices for securing software supply chains. In it, they provide practical advice on how to vet third-party code, produce secure software, and ensure the organization is ready to handle an attempted attack.
Slightly broader in scope is the supply chain security guidance by NCSC. On just a few web pages, the authors provide attack examples, assessment criteria, and best practices that are actionable and easy to understand.
Cybersecurity Magazine Editorial Team
----------------
We are pleased to be a media partner for the Privacy-Enhancing Technology Europe Summit, which will be taking place on 28th February to the 1st March. The Privacy-Enhancing Technology Europe Summit heads to London with a focus on strategy, use cases and steps for the implementation and adoption of privacy-enhancing technologies.
Across two days, hear from, network with and benchmark against industry peers and a leading speaker faculty of early adopters, innovators and drivers. Explore how PETs enable collaboration and sharing of sensitive data in a privacy-preserving manner – and the unprecedented opportunities they bring.’
Quote CYBERSECMAG15 to save 15% on passes
-----------------
For our latest video discussion on the security and production systems please see the River Publishers YouTube.
The latest journal articles from River Publishers in all areas of cyber security can be found on the River Publishers website.
https://cybersecurity-magazine.com/
https://www.linkedin.com/showcase/cybersecuritymagazine
@magcybersec
https://www.facebook.com/Cybersecurity-Magazine-100535232117942
