Directions for strengthening the protection of software processing state electronic information resources and used at critical infrastructure facilities

Authors

  • Olha Shevchuk Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine https://orcid.org/0000-0002-2866-439X
  • Artem Zhylin Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine https://orcid.org/0000-0002-4959-612X
  • Artem Mykytiuk Institute of special communications and information security of National technical university of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine https://orcid.org/0000-0002-8307-9978
  • Anatolii Minochkin Heroiv Krut Military institute of telecommunications and informatization, Kyiv, Ukraine https://orcid.org/0000-0002-4123-604X

DOI:

https://doi.org/10.20535/2411-1031.2024.12.1.306259

Keywords:

cybersecurity, software, software security, supply chain, supply chain attack

Abstract

In the modern world, where more and more aspects of our lives become dependent on computer systems and networks, cybersecurity becomes increasingly critical. One of the key elements of cybersecurity is protecting the software used in these systems. Software can contain vulnerabilities that attackers can exploit to gain unauthorized access to systems, data, and resources. These vulnerabilities may arise from coding errors, improper configurations, or inadequate software updates. Attackers continuously refine their methods and tactics not only to exploit software vulnerabilities but also to influence their emergence by targeting the supply chain. This makes software cybersecurity an increasingly complex challenge. This article addresses the pressing issue of cybersecurity in the context of the proliferation of cyberattacks on software, including supply chain attacks. Examples of known cyberattacks targeting the supply chain are provided. The shortcomings in the existing system of standards and rules for secure software development are highlighted, as well as the lack of security requirements and vulnerability management. A comprehensive approach to ensuring software security is proposed, which includes the development of appropriate requirements, standards, and control mechanisms.

Author Biographies

Olha Shevchuk, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv

teacher of the cybersecurity and application of information systems and technologies academic department

Artem Zhylin, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv

candidate of technical sciences, associate professor, professor of the cybersecurity and application of information systems and technologies academic department

Artem Mykytiuk, Institute of special communications and information security of National technical university of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv

PhD in engineering, deputy head of the cybersecurity and application of information systems and technologies academic department

Anatolii Minochkin, Heroiv Krut Military institute of telecommunications and informatization, Kyiv

Doctor of technical sciences, professor, leading researcher

Published

2024-06-27

How to Cite

Shevchuk, O., Zhylin, A., Mykytiuk, A., & Minochkin, A. (2024). Directions for strengthening the protection of software processing state electronic information resources and used at critical infrastructure facilities. Collection "Information Technology and Security", 12(1), 54–67. https://doi.org/10.20535/2411-1031.2024.12.1.306259

Section

NETWORK AND APPLICATION SECURITY