CIS (Center for Internet Security) has published an interesting guide on software supply chain security.
Even if you do not build software on your own, it still is useful to to pick the relevant security measures/controls as part of your information security management to protect yourself and your enterprise.
As we all learned from the log4j issue which impacted many generally used platforms, it has become very clear that you need to look beyond the first level of control (your own)…
It’s critical to manage 2nd (your suppliers) and even third level (suppliers of suppliers)
In high level overview, the document discusses:
Third party packages
Access to artifacts
Supply chain guide access (need to register on CIS)
Use Microsoft Hyper-V (free) or Oracle Virtual box (free) and install a client OS in the virtual machine. Snapshot the machine before the test, perform the test, return to snapshot to avoid any left overs of malware.
Run the link on a mobile phone
Less secure, but better than running malware on your most important machine, is running the link on a browser on your mobile device. There is lower risk of infection and less impact than loosing your primary working machine, although… be aware, there is still a small risk of infection even for smartphones…
Additional security measures
To permit some stupidity and protect against accidents, please make sure
to implement all the latest OS security updates, patch on a continuous basis
have an anti-malware and anti-virus that is updated continuously
keep the default OS security features enabled including local system firewall and malware detection
consider a paid antivirus subscription, it’s worth the money and keep it up to date every hour
get a mail protection against malware, tracking, phishing and ransomware (like Windows defender for 365) have regular backups (1 online and 1 offline) and test the restores
use cookie/tracking/advertisement blockers
use a DNS blackhole system to protect your network from accessing suspicious URLs (including tracking and phishing websites, advertisements, C&C Command and control malware domains, …)
You must be logged in to post a comment.