Last month’s ASUS APT attack doesn’t come as a surprise to any security-conscious industry watcher – this highlights a long-standing flaw in many software supply chains today. Attackers have been engaged in spoofing websites, stealing credentials and gaining unauthorized access for years. Injecting malicious code into legitimate tools that are designed to protect represents the next evolution in putting companies and their customers at risk. Code signing was established as a digital seal that allows an organization to verify the identity of the software publisher and ensure that code has not been tampered or changed prior to download. However, if the code singing certificates are not properly managed, then an attack like the recent ASUS hack (or potentially worse) is the result.
In the case of ASUS, attackers exploited code, planting and deploying malware in an update that looked legitimate. With no way to disseminate whether valid signed certificates contain good or bad updates, businesses consuming the software and running standard updates then became vulnerable to attack.
In many ways, code signing has become an extension of brand trust. Digital signatures establish the authenticity for end users, using cryptography to verify the supplier of the code. PKI has graduated from the IT room to the boardroom and for business leaders, reputational risk, increasing standards and compliance measures. This has elevated certificate and key management to the top of the cybersecurity agenda.
The ASUS attack offers three lessons that all CEOs should apply within their security infrastructure:
- Have confidence in the custody of the company’s code signing keys. Understand where keys live and how they’re stored. Consider a hardware security module (HSM) to secure keys and prevent leaks.
- Have a solution in place to audit and track the use of code signing keys. Identify who is using the keys within the organization and gain visibility through the chain of custody associated with those keys – a critical component in any security audit.
- Introduce checks and balances in the DevOps pipeline. Ensure controls are in place to protect keys from inappropriate access. Like any other asset on the network, key access should be granted to only those who need it. Keys should be continuously monitored for unauthorized access attempts.
At its core, the ASUS attack underscores the importance of managing reputational risk. Whether enterprises consume software or sell it, all business leaders need to invest in the trust that is associated with their digital brand - and expect the same of their vendors.