CSY102 Week 10 Beginner

Practice patching workflows and supply chain thinking before moving to reading resources.

Computing Systems & OS

Track your progress through this week's content

Opening Framing: The Safest Door Is the One You Must Open Regularly

In Week 9 we studied evidence: how systems record truth and how attackers distort it. Now we confront a deeper reality:

Most systems are not compromised by "breaking in." They are compromised by being changed.

And change in modern computing is routine and necessary. Operating systems update. Packages update. Libraries update. Dependencies update. A system that never updates becomes vulnerable; a system that updates carelessly becomes compromised.

Updates are the primary mechanism by which defenders fix vulnerabilities — and the primary mechanism by which attackers try to insert "legitimate" malicious code. The update pipeline is both your greatest defense and a critical attack surface.

An update mechanism is a privileged delivery channel. If attackers can compromise it, they can deliver malware that looks like legitimate software.

Mental Model: The Medicine Supply Chain

Imagine a hospital. Medicines save lives — but only if:

  • They come from a trusted manufacturer: verified source, licensed facility
  • They are not tampered with in transit: sealed packaging, chain of custody
  • They are correctly labeled: right medicine, right dosage, right expiration
  • They are administered to the right patient: correct recipient, correct timing

Software updates are "medicine" for vulnerabilities. They fix security flaws, patch bugs, and keep systems healthy. But if the supply chain is poisoned, the medicine becomes the attack.

If a system accepts updates, it is accepting code that will run with authority. Therefore, updating is not merely maintenance — it is an act of trust. Security depends on answering: Who is allowed to publish updates? How does the system verify authenticity and integrity? What happens if verification fails?

Mental model: updates are medicine delivered through a supply chain. Poison the supply chain, and every patient who trusts it is compromised.

1) Patching: The Defender's Dilemma

Patching exists because vulnerabilities exist — and vulnerabilities are inevitable. Every piece of software has bugs; some bugs have security implications. The real security question is:

How long can you tolerate known weakness?

This creates a genuine dilemma:

  • Patch too slowly: you remain exposed to known vulnerabilities that attackers are actively exploiting
  • Patch too fast: you risk instability, outages, or breaking critical systems with untested changes
  • Don't patch at all: you accumulate technical debt and eventually become impossible to secure

This is not a technical argument. It is a risk-management argument. The "right" patching speed depends on your threat model, your tolerance for downtime, your testing capacity, and the criticality of your systems.

Zero-day vulnerabilities (unknown to defenders) get the headlines, but most breaches exploit known vulnerabilities that simply weren't patched in time.

Key insight: patching is risk management, not just maintenance. The question is which risk you prefer — exposure or instability.

2) What "Supply Chain" Means in Software

In software, the supply chain is everything that stands between you and the code you run:

  • Operating system vendor repositories: Microsoft Update, apt repositories, Red Hat repos
  • Package managers and registries: npm, PyPI, Maven Central, NuGet
  • Mirrors and CDNs: geographic distribution of packages
  • Build pipelines and CI systems: where source code becomes binaries
  • Dependency graphs: your dependencies' dependencies (transitive dependencies)
  • Signing keys and certificates: cryptographic proof of authenticity

If any link in this chain is compromised, an attacker can deliver malicious code that looks completely legitimate. The code is signed, comes from expected sources, and installs through normal channels.

Modern applications have deep dependency trees. A single web application might depend on hundreds of packages, each with their own dependencies. You're not just trusting your direct dependencies — you're trusting the entire tree.

Key insight: your supply chain includes everyone whose code runs in your environment. That's far more people than most organizations realize.

3) Trust Chains: Authenticity vs Integrity

Two fundamental properties matter when accepting updates:

  • Authenticity: "This update really came from who it claims to come from." Verified through digital signatures and certificates.
  • Integrity: "This update was not altered in transit or storage." Verified through cryptographic hashes.

Systems try to enforce these using mechanisms like:

  • Code signing: vendor signs packages with private key; you verify with public key
  • Hash verification: published checksums let you verify downloaded files match
  • Certificate chains: trust anchored in root certificates you already trust
  • Secure transport: HTTPS prevents tampering during download

If you can't verify origin and integrity, you are downloading uncertainty.

But these mechanisms only work if the signing keys themselves aren't compromised. If an attacker steals a vendor's signing key, they can create "authentic" malware. If an attacker compromises the build system, they can inject malicious code before signing.

Key insight: cryptographic verification proves the update came from whoever holds the key. It doesn't prove the key holder is trustworthy or uncompromised.

4) Why Attackers Target Update Systems

Update systems are extremely attractive targets because they offer:

  • Scale: compromise one pipeline, affect thousands or millions of machines that pull from it
  • Privilege: updates typically run with administrator/root authority to modify system files
  • Legitimacy: malicious code arrives through trusted channels, signed with trusted keys, installed by trusted tools
  • Persistence: code is installed into normal system locations, survives reboots, and may be difficult to distinguish from legitimate software
  • Stealth: update activity is expected and often not scrutinized

This is why sophisticated attackers — especially nation-state actors — invest heavily in compromising build systems, signing keys, and distribution infrastructure. It's not about breaking a lock — it's about becoming the locksmith.

A successful supply chain attack turns every organization's security practices against them. The more diligent they are about patching, the faster they install the compromise.

Key insight: supply chain attacks weaponize trust. The same mechanisms that make updates secure (signatures, trusted sources) make supply chain attacks devastating.

Real-World Context: Supply Chain Attacks in Practice

Supply chain attacks are not theoretical. They are among the most devastating attack vectors in modern cybersecurity:

SolarWinds / SUNBURST (2020): Attackers compromised the build system for SolarWinds Orion, a widely-used IT monitoring platform. Malicious code was inserted into legitimate updates, signed with SolarWinds' own keys, and distributed to approximately 18,000 organizations including US government agencies. The backdoor provided persistent, stealthy access for months before discovery. This is the canonical supply chain attack.

Codecov (2021): Attackers modified a bash uploader script used in CI/CD pipelines. For two months, the compromised script exfiltrated environment variables — including credentials and tokens — from thousands of build environments. The attack targeted the build pipeline itself, not the final product.

NotPetya (2017): Attackers compromised the update mechanism for M.E.Doc, Ukrainian accounting software. The malicious update deployed destructive malware that spread globally, causing over $10 billion in damages. Organizations were compromised because they did the "right thing" — they kept their software updated.

Supply chain compromise interacts with everything we've studied: malicious updates can install services (Week 6), create scheduled persistence (Week 7), and disable logging (Week 9). A compromised update is the cleanest intrusion — no noisy exploit required.

Common thread: in each case, attackers targeted the delivery mechanism rather than individual systems. Compromise the source, and every downstream consumer is affected.

Guided Lab: Examining Your Update Trust Chain

This lab focuses on understanding how your system trusts updates and what mechanisms exist to verify authenticity and integrity.

Lab Objective

Examine the update mechanisms on your system, identify trust anchors, and understand what you're implicitly trusting when you install updates.

Environment

Step 1: Identify Your Update Sources

On Linux (Debian/Ubuntu):

cat /etc/apt/sources.list
ls /etc/apt/sources.list.d/
apt-key list                          # List trusted signing keys (deprecated but informative)
cat /etc/apt/trusted.gpg.d/*.asc      # View key files

On Linux (RHEL/Fedora):

cat /etc/yum.repos.d/*.repo
rpm -qa gpg-pubkey*                   # List imported GPG keys

On Windows:

# Check Windows Update settings
Get-WindowsUpdateLog                  # Generate update log
# Or: Settings → Windows Update → View update history

Observe: how many different sources does your system trust? Did you configure them all?

Step 2: Examine Package Verification

On Linux:

apt-get download coreutils             # Download without installing
dpkg --info coreutils*.deb             # View package metadata
dpkg-sig --verify coreutils*.deb       # Verify signature (if available)

Observe: what information identifies the package source? How is integrity verified?

Step 3: Trace a Dependency Chain

Pick an installed package and trace its dependencies:

apt-cache depends firefox | head -20   # Direct dependencies
apt-cache rdepends openssl             # What depends on this package?

Observe: how deep is the dependency tree? How many packages do you implicitly trust?

Reflection (mandatory)

  1. How many different entities must you trust when you run a system update?
  2. What would happen if one of your repository signing keys were compromised?
  3. How would you detect a supply chain attack against your update mechanism?

Lab: Trusting Code You Did Not Write (Updates & Supply Chains)

Goal: observe how software updates are delivered, identify trust anchors, and reason about why update mechanisms are privileged attack paths.

Choose ONE path (Linux or Windows). Both are valid.

Linux Path (observation only)

  1. Identify your package manager and list configured repositories: 
    # Debian/Ubuntu
cat /etc/apt/sources.list
# RHEL/Fedora
ls /etc/yum.repos.d/
  2. Examine how packages are verified: 
    # Debian/Ubuntu - list trusted keys
apt-key list
# RHEL/Fedora - list imported GPG keys
rpm -qa gpg-pubkey*
  3. Check when your system was last updated: 
    # Debian/Ubuntu
ls -la /var/log/apt/history.log
# RHEL/Fedora
dnf history
  4. Concept question: Why does the system trust updates from these sources without asking you each time? What mechanism enables this automatic trust?
  5. Concept question: What would happen if a repository signing key were compromised? How would you know?

Windows Path (built-in tools)

  1. Open Windows Update: Settings → Windows Update. Note:
    • Are updates automatic or manual?
    • When was the last update installed?
    • Are there any pending updates?
  2. View update history: Windows Update → View update history. Observe:
    • Types of updates (Feature, Quality, Security, Driver)
    • Success/failure status
  3. Identify the Windows Update service: 
    Get-Service wuauserv | Format-List *
    Note what account it runs under.
  4. Check for third-party update mechanisms (e.g., Chrome, Adobe) in: Task Scheduler → look for update-related tasks
  5. Concept question: Why is the update mechanism itself a high-privilege component? What would an attacker gain by compromising it?

Deliverable (submit):

Checkpoint Questions

  1. Why are update systems considered privileged delivery channels? What makes them attractive to attackers?
  2. Explain the difference between authenticity and integrity in software updates. How is each verified?
  3. Why does patching speed represent a risk trade-off rather than a purely technical decision? What are you balancing?
  4. What does "software supply chain" include beyond the original vendor? How deep does trust extend?
  5. How does Week 10's focus on supply chain trust connect to Week 6's services, Week 7's scheduling, and Week 9's logging?

Week 10 Outcome Check

By the end of this week, you should be able to explain:

Next week: Virtualisation, hypervisors, and containers — how modern systems partition reality, where isolation succeeds, and where it fails under pressure.

🎯 Hands-On Labs (Free & Essential)

Practice patching workflows and supply chain thinking before moving to reading resources.

🎮 TryHackMe: Security Principles

What you'll do: Review core security principles including defense-in-depth and update hygiene.
Why it matters: Patching is a security control, not just maintenance.
Time estimate: 1-1.5 hours

Start TryHackMe Security Principles →

📝 Lab Exercise: Update Audit

Task: List pending OS updates and identify one security-related patch.
Deliverable: Patch name + CVE reference (if available) + why it matters.
Why it matters: Visibility into update status is the first defense against known exploits.
Time estimate: 45-60 minutes

🏁 PicoCTF Practice: General Skills (Supply Chain Awareness)

What you'll do: Complete beginner challenges that reinforce careful validation of inputs and downloads.
Why it matters: Supply chain attacks often exploit trust in sources.
Time estimate: 1-2 hours

Start PicoCTF General Skills →

🧪 Lab: Malware Triage Basics (Safe Test File)

What you'll do: Download the EICAR test file, generate hashes, and document how scanners detect it.
Why it matters: Triage begins with safe identification, hashing, and evidence capture.
Time estimate: 1-2 hours

Start EICAR Test File →

💡 Lab Tip: If you can't verify update authenticity, treat it as untrusted code.

🛡️ Secure Configuration & Patch Integrity

Updates are privileged code execution. Secure configuration ensures update channels are authenticated, verified, and monitored for anomalies. 

Patch integrity checklist:
- Use signed repositories and package verification
- Enforce TLS for update channels
- Maintain asset inventory for patch scope
- Track patch SLAs for critical systems

📚 Building on CSY101 Week-13: Threat model supply chain trust boundaries. CSY204: Incident response often starts with identifying malicious updates.

Resources

Mark the required resources as complete to unlock the Week completion button.

Verified Resources & Videos

Update systems exist to fix vulnerabilities. That same trust makes them one of the most powerful attack paths when compromised. A secure system changes carefully, with trust that is earned and verified at every step.

Weekly Reflection

Reflection Prompt (200-300 words):

Consider a system or application you use regularly. Trace its update supply chain:

Now consider the patching dilemma: this system has a critical security update available. The update fixes a known, actively-exploited vulnerability. However, applying the update requires a restart during business hours, and the update has only been available for 48 hours (limited testing time).

What factors would you consider in deciding whether to apply the update immediately? How would you balance the risk of the known vulnerability against the risk of an untested update? Connect your reasoning to this week's concept of "patching as risk management."

A strong response will identify specific trust relationships in a real supply chain, articulate the competing risks in the patching decision, and demonstrate understanding of why supply chain security is fundamentally about managing trust.

← Previous: Week 09 Next: Week 11 →

Week 10 Quiz

Test your understanding of the weekly concepts.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz