The XZ Incident and the Value of Being Security-Conscious

After developer Andres Freund recently found a backdoor into an open-source Linux tool that could’ve affected billions of systems worldwide, much of the media commentary focused on the incident as a lucky escape. But there’s a different angle worth exploring from a cybersecurity standpoint—namely, that this story serves as a strong reminder of how valuable it is for all employees to have a security-conscious mindset. 

What Happened in the XZ Incident?

Freund is a developer whose primary role is with Microsoft. In his spare time, he volunteers as a maintainer of the open-source database project PostgreSQL. It was in this maintainer role that he noticed some strange anomalies involving XZ Utils, a Linux compression tool. One of these anomalies was the unusual amount of CPU time that SSH logins were consuming.

After probing further into the reasons behind these performance issues, Freund concluded that a threat actor had compromised the XZ tool by inserting a backdoor into its code. This was a severe backdoor because it facilitated remote code execution on affected systems. Luckily, the developer’s diligence and prompt warning enabled the organizations in charge of affected Linux distributions, such as Red Hat and Debian, to address the vulnerability.

The targeting of XZ was a slow burn of an attack that demonstrated the lengths to which hackers go to achieve their aims. A full two years ago, a threat actor named Jia Tan started contributing in legitimate ways to the XZ project in order to gain credibility within its community. Jia Tan also created sock puppet accounts to make complaints that there were not enough maintainers on the XZ project. 

Eventually, the complaints and contributions worked, and the attacker achieved maintainer status on the XZ project, which allows direct code contributions. After almost two years of legitimate contributions, the actor inserted a malicious backdoor into the code, which was fortunately spotted by Freund, a security-conscious developer.

The Value of a Security-Conscious Mindset

If Freund had not thought much about security while helping to maintain PostgreSQL, this incident could potentially have compromised the 3 billion systems on which the widely used XZ tool is installed. The impact would have been felt on a global scale, with huge financial losses at a minimum.

Rather than seeing the XZ incident as a stroke of almost miraculously good fortune or trying to portray it as evidence of how fragile open source security can be, though, it’s worth examining the value of a security-conscious mindset, which is clearly how Freund approaches his work.

Bear in mind that not all developers work with security at the forefront of their thoughts. Modern development practices prioritize features and functionality over security concerns. This trend isn’t the fault of developers; it’s driven by market pressures where companies strive to release products quickly to stay competitive, meet customer demands, and capitalize on new technologies. Aside from the underlying development practices, a lack of awareness also comes from inadequate or absent training in secure coding practices. 

Developers and maintainers who are vigilant about security will look in-depth into unusual or unexpected changes in code or weird performance anomalies. This is a security-first mindset in action. 
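The anomaly that started the XZ investigation was a performance one: a routine operation (SSH logins) was burning far more CPU time than it used to. The following script is an added example, not code from the original post or from any of the projects it mentions. It shows one way a maintainer can turn "this feels slower than it should" into a repeatable check: time a command several times, record wall-clock and child CPU time, and flag any metric whose median has jumped well beyond a previously saved baseline. The command being timed, the run count and the 3x threshold are all assumptions chosen for illustration.

```python
"""Flag performance regressions by comparing fresh timing samples against a baseline.

Added example (not from the original post). It measures the wall-clock and the
CPU time consumed by a child process, the kind of signal that first drew
attention to the XZ backdoor, and reports metrics that have grown by more than
a chosen factor since a baseline run.
"""
import os
import statistics
import subprocess
import time
from dataclasses import dataclass


@dataclass
class Sample:
    wall_s: float  # elapsed wall-clock seconds for one run
    cpu_s: float   # user + system CPU seconds consumed by the child process


def time_command(argv, runs=5):
    """Run argv `runs` times and return one Sample per run.

    Child CPU time comes from os.times(), whose children_user/children_system
    fields accumulate the CPU time of waited-for child processes.
    """
    samples = []
    for _ in range(runs):
        before = os.times()
        t0 = time.perf_counter()
        subprocess.run(argv, check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        wall = time.perf_counter() - t0
        after = os.times()
        cpu = ((after.children_user - before.children_user)
               + (after.children_system - before.children_system))
        samples.append(Sample(wall, cpu))
    return samples


def median_profile(samples):
    """Collapse a list of Samples into per-metric medians (robust to one slow run)."""
    return {
        "wall_s": statistics.median(s.wall_s for s in samples),
        "cpu_s": statistics.median(s.cpu_s for s in samples),
    }


def flag_anomalies(baseline, current, factor=3.0, floor_s=0.005):
    """Return {metric: ratio} for metrics whose current median exceeds
    `factor` times the baseline median.

    `floor_s` keeps tiny baselines (a few microseconds) from producing
    spurious ratios; anything below it is treated as `floor_s`.
    """
    base = median_profile(baseline)
    cur = median_profile(current)
    flagged = {}
    for metric, base_value in base.items():
        reference = max(base_value, floor_s)
        if cur[metric] > factor * reference:
            flagged[metric] = round(cur[metric] / reference, 1)
    return flagged


if __name__ == "__main__":
    # Assumed demo command; in practice the baseline would be recorded once
    # and stored, and `current` measured after an update or upgrade.
    cmd = ["sh", "-c", "exit 0"]
    baseline = time_command(cmd)
    current = time_command(cmd)
    print("baseline:", median_profile(baseline))
    print("current: ", median_profile(current))
    print("flagged: ", flag_anomalies(baseline, current) or "nothing unusual")
```

A flagged metric is not proof of anything malicious; it is the cue to look deeper, which is exactly the step the post describes. Keeping the baseline from before an update makes the comparison meaningful, and measuring child CPU time rather than only elapsed time separates "the machine was busy" from "this program itself is doing more work than it used to".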

However, it’s not just developers who can and should think about and understand security threats. When the majority of your employees think this way, you vastly strengthen your overall security posture and are far less susceptible to many cyber threats like social engineering, malware, and misconfigurations. 

Tips for Cultivating a Security-Conscious Mindset

Here are some tips and ways to cultivate a strong security-conscious mindset among employees:

  • Remember that security commitments must start at the top of your business. Senior leaders should demonstrate a strong commitment to security practices, and emphasize their importance during meetings, communications, and through their actions. This includes participating in security training and awareness alongside employees rather than just requiring employees to complete training.

  • Regularly communicate about security policies, potential threats, and the state of your company’s security. Transparency helps build trust and reinforces the importance of security as everyone's responsibility. Use newsletters, emails, or regular meetings to share updates. 

  • Develop and maintain security policies that involve input from all levels of the company. This inclusiveness helps ensure the policies are realistic and consider the diverse perspectives and challenges different departments face when trying to stay secure.

  • Different roles within your company need different levels of security knowledge. Developers like Freund, for example, should receive in-depth training on secure coding practices and the importance of auditing code. Security teams need regular experience working in live-fire simulations to hone skills and ensure strong communication and collaboration. Finance and accounting teams probably need more guidance on the social engineering techniques and scams that are likely to target them.

  • Consider appointing security champions within different teams. These are people who have a keen interest in cybersecurity or have demonstrated solid security awareness. They can act as inspirations and leaders to drive stronger security practices within different departments.

  • On a similar note, recognize and reward employees who exemplify good security practices or who contribute positively to the security of your business. This could be through formal recognition programs or informal accolades. When people feel seen, recognized, and rewarded, this can drive behavioral change. 

  • Ensure that security considerations are part of the standard procedures for all business operations (not just software development). This integration helps to ensure that security is not an afterthought but a fundamental aspect of how everyday business is conducted.

  • Regularly schedule security drills, like phishing simulations or incident response drills, to keep security awareness high and help employees practice their response in a controlled, safe environment. During a simulated attack, employees get to practice what they have learned in theory. They can recognize signs of an attack, learn to respond appropriately, and understand the importance of following security procedures. These simulations also reinforce training content and ensure that security best practices are fresh in people’s minds. Make sure to review the outcomes of these exercises and provide constructive feedback to improve.

Cloud Range’s Simulations

Cloud Range provides dedicated cybersecurity skills development labs and attack simulations to help employees and cybersecurity teams gain new knowledge and skillsets that’ll make them more security-conscious in their work. FlexLabs cybersecurity courses come with realistic environments and exercises for practicing what’s learned. Learning materials cater to all levels of technical security knowledge with over 1,500 labs. Additionally, simulations are designed for incident response and security operations teams to work together to detect and remediate real-world attacks mapped to the MITRE ATT&CK Framework.

Learn more about FlexLabs and team-based, live-fire simulations.
