Summary: Today, the editor will interpret and share "Focusing on Software Supply Chain: New Attack Implantation Methods" from the three sec
Share interests, spread happiness, broaden knowledge, and leave something beautiful behind.
Dear reader, this is the LearningYard New Academy!
Today, the editor brings you a literature reading.
Welcome!
1 Content summary
Today, the editor will interpret and share the article "Focusing on Software Supply Chain: New Attack Implantation Methods" in three sections: mind map, intensive reading content, and knowledge supplement.
2 Mind map
3 Intensive reading content
The article read this time is relatively simple and reads more like a news item; it gives readers a picture of the characteristics of the software supply chain in 2017 and the software supply chain attack methods encountered at that time. Titled "Focusing on Software Supply Chain: New Attack Implantation Methods", it comes from a speech given by the Vice President of 360 Group at an international anti-virus conference held on November 8 of that year.
Speaker Zhang Cong pointed out that in the era of the Internet of Everything, it is not only legitimate software itself that gets exploited: smart hardware may also become a target of hacker attacks, either because software security was neglected during development and manufacturing or because it is affected by the open-source systems it uses. Regarding software supply chain attacks, Zhang Cong stated that free software, paid software, and internally developed or outsourced software can all be exploited by attackers at every stage of the supply chain. Defending against software supply chain attacks therefore also requires comprehensive defenses.
For the upstream of the software supply chain, enterprise IT security managers need to build a secure and reliable software download platform for employees. For downstream users, defenses should focus on the following:
1. Control the software upgrade channel: have the ability to block the network channels used for software updates, and deploy security devices for strong control.
2. Know how software is distributed across all endpoints on the network: maintain accurate, real-time, and complete software asset information, so that security policies and security baselines can be targeted.
3. Analyze and perceive the network communication behavior of Internet software, and have the ability to control it further.
4. Have security emergency response capabilities, so that when a software supply chain attack occurs, network communication links can be blocked immediately to prevent further losses.
Finally, the author concludes that in the context of the Internet of Everything, any type of security issue can have a ripple effect across the whole system. The preventive measures proposed against software supply chain attacks aim to address new challenges in network security, promote technological innovation, and respond to the country's positions in the fields of network security, mobile security, and anti-virus.
4 Knowledge supplement
What is the Internet of Everything?
The Internet of Everything (IoE) is defined as bringing together people, processes, data, and things to make network connections more relevant and valuable. The Internet of Everything turns information into action, creating new capabilities for businesses, individuals, and countries, and bringing richer experiences and unprecedented economic development opportunities.
That's all for today's sharing.
If you have your own thoughts about today's article,
please leave us a message,
and let us meet again tomorrow.
I wish you a nice day!
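References:
Translation: ChatGPT 4
Reference: Focusing on Software Supply Chain: New Attack Implantation Methods [J]. 信息网络安全, 2017, 1(12): 92.
Text: https://baike.baidu.com/item/万物互联/425067
This article was compiled and published by LearningYard New Academy; in case of any infringement, please leave us a message.
Copywriting | 姜疯雨火
Layout | 姜疯雨火
Review | zjj
Source: LearningYard Academy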