Guidance: Defending Against Supply Chain Threats
Organizations and IT departments can use various processes and technological solutions to minimize the risk they face from malware transmitted through insecure supply chains. Processes include the following:
- Create policies that state what constitutes acceptable and unacceptable downloading and use of third-party tools and media. Institute policies that govern the download and execution of music, movies, and game media. Create and enforce disciplinary actions for repeat policy offenders.
- Block peer-to-peer (P2P) applications from communicating into or out of the organization's internal network.
- Ensure that all new hardware is purchased by an internal procurement team. Procurement processes might include formatting computers and devices upon receipt and reinstalling the operating systems from known good images. Such images should include antimalware software, intrusion detection tools, software firewalls, monitoring and reporting tools, and other security software, all of which should be enabled by default.
Technology solutions to implement include the following:
- Use the AppLocker feature in Windows to create blacklists for potentially unsafe applications, programs, and scripts on client computers.
- On proxy servers, implement rules to block known malicious websites as well as other websites that violate the organization's acceptable media usage policy for content such as music, movies, games, shopping, pornography, and so on.
- Regularly update the organization's hardware and software standards, and limit the amount of old hardware and software. A 64-bit computer running Windows 7 and Internet Explorer 9, for example, is inherently more secure than a 32-bit computer running Windows XP and Internet Explorer 6 because of technologies such as ASLR, DEP, and SmartScreen Filter.
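The following is an added example of the AppLocker approach described in the list above; it is not part of the original guidance. It builds a small AppLocker policy as XML: the standard default allow rules for Program Files, the Windows directory and local administrators, plus an explicit Deny rule for an executable path. In AppLocker a Deny rule takes precedence over an Allow rule, and once a rule collection is enforced anything not explicitly allowed is blocked, which is why the allow rules must be present for a "blacklist" style policy to work. The blocked path `%OSDRIVE%\Users\*\AppData\Roaming\p2pclient\*` is a constructed placeholder standing in for whichever P2P or unapproved tool the organization wants to block; the rule GUIDs are likewise generated on the fly. The cmdlets used (`Test-AppLockerPolicy`, `Set-AppLockerPolicy`, `Get-AppLockerPolicy`) are the ones in the built-in AppLocker module on Windows 7 Enterprise/Ultimate and later, and the policy only takes effect when the Application Identity service (`AppIDSvc`) is running.

```powershell
# Added example (not from the original guidance): build and apply an AppLocker
# executable policy that allows the standard locations and denies one path.

$denyPath = '%OSDRIVE%\Users\*\AppData\Roaming\p2pclient\*'   # placeholder path to block

# Build the policy XML. UserOrGroupSid S-1-1-0 is "Everyone";
# S-1-5-32-544 is the local BUILTIN\Administrators group.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="Default rule"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="Default rule"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators everything" Description="Default rule"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny unapproved P2P client" Description="Policy: no P2P tools"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$denyPath" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'applocker-p2p-deny.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run first: check what the policy would decide for a sample file before enforcing it.
# Test-AppLockerPolicy reports Allowed / Denied / DeniedByDefaultRule per path.
$samplePaths = @(
    'C:\Users\alice\AppData\Roaming\p2pclient\p2pclient.exe',   # constructed: should be Denied
    'C:\Windows\System32\notepad.exe'                            # should be Allowed
)
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samplePaths -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Make sure the enforcement engine is running, then merge the policy into the local policy.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Confirm the effective policy now contains the deny rule.
Get-AppLockerPolicy -Effective -Xml | Select-String 'Action="Deny"'
```

Use `-Merge` rather than replacing the whole policy so existing rules in other collections (Script, Msi, Dll) are preserved; run the `Test-AppLockerPolicy` step against a larger inventory of known-good paths before enforcing on production machines, since a missing allow rule blocks everything not covered.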
Vendors should use code signing and digital rights management to ensure customers can trust and confirm the authenticity of downloads.
Individual users can protect themselves by running antimalware software from a reputable vendor and keeping it up to date, and by only downloading software and content from trustworthy sources. Software updates and free software should only be obtained from the original vendors or from known, reputable sources. Using Internet Explorer with SmartScreen Filter enabled can help provide protection from malicious downloads.
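As an added example of the code-signing check the two paragraphs above recommend (not code from the original guidance), the PowerShell function below verifies that a downloaded installer carries a valid Authenticode signature from an expected publisher before it is run. `Get-AuthenticodeSignature` is a built-in cmdlet; its `Status` is `Valid` only when the signature verifies and chains to a trusted root, and `SignerCertificate.Subject` identifies who signed it. The expected subject `CN=Example Vendor Inc.` is a placeholder to be replaced with the publisher's real certificate subject.

```powershell
# Added example (not from the original guidance): refuse to run a download unless
# it is validly signed by the publisher we expect.

function Test-TrustedDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject   # e.g. 'CN=Example Vendor Inc.' (placeholder)
    )

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'File not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid (NotSigned, HashMismatch, UnknownError, NotTrusted ...)
    # means the file is unsigned, tampered with, or signed by an untrusted chain.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # A valid signature from the wrong publisher is still a supply chain risk:
    # compare the signer subject against the vendor we actually expect.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubject*") {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Unexpected signer: $subject" }
    }

    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "Signed by $subject" }
}

# Usage: check a downloaded installer and only launch it when the check passes.
$download = Join-Path $env:USERPROFILE 'Downloads\setup.exe'   # constructed sample path
$result   = Test-TrustedDownload -Path $download -ExpectedSubject 'CN=Example Vendor Inc.'
$result | Format-List

if ($result.Trusted) {
    Start-Process -FilePath $download
} else {
    Write-Warning "Not running $download : $($result.Reason)"
}
```

The subject comparison is deliberately separate from the signature check: a valid signature only proves the file has not changed since someone with a trusted certificate signed it, not that the someone was the vendor you meant to download from.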