world  attacks  on  open-source  software  supply  chains,”  between  2015  and  2019  to  highlight  the
            challenges that the software applications face from potential breaches.

            While  the  open-source  community  is  adept  at  monitoring  and  quickly  patching  vulnerabilities,  the
            diffuseness of open-source packages means that when an attack occurs, it can spread quickly before
            being detected. Once those open-source software applications are breached, it becomes difficult for a
            zero-trust architecture to combat the attack because the software infected with malware has already been
            accounted for in the IT environment.

            And while zero trust can help secure legitimate points of access and limit data exposure, it cannot itself
            recover compromised data in the event of an attack. Zero Trust is an architecture, a design, a mindset –
            not a foolproof copy of data, nor a single product.

            To prepare for the potential impact of attacks on open-source supply chains, agencies need to think
            beyond traditional zero trust methods to put in place defensive strategies that account for the complete
            supply chain and a strong data protection plan should a breach occur.



            Protect the entire software supply chain

            The dependency on open-source software is not expected to ebb, especially in the public sector, where
            the federal government continues to see its value in innovation.

            That means in addition to zero trust protections, IT officers also need to incorporate cybersecurity efforts
            against possible software supply chain attacks. This could include steps like requiring a software bill of
            materials (SBOM) to provide IT personnel with data on the components of a software product.

            It also requires strong cyber hygiene from IT managers, including frequent patching and updating of
            software components across the enterprise to protect against possible vulnerabilities.



            Safeguard your data

            To combat an attack that may have already occurred, IT managers need to ensure their data is also
            protected.

            As we discovered with NotPetya, a strain of malware first identified in a 2017 attack on Ukraine, the attack
            itself was originally thought to be ransomware installed in a legitimate software update that merely left
            users unable to access their data. However, it was ultimately found to be a fast-spreading wiper attack
            that irretrievably destroyed data on infected computers and globally caused $10 billion in damages.

            Because of the inherent risk of these threats, it is vital for enterprises to implement a data backup strategy
            that is reliable, verified and tested and can be deployed across all mission-critical workloads.

            That means taking steps like ensuring that a backup’s integrity is verifiable from the moment it is made
            and quickly retrievable in the event of such an attack. Backups must also possess resiliency from attack






            Cyber Defense eMagazine – September 2022 Edition                                                                                                                                                                                                         105
            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.