SecurityWeek
The Need to Secure the Cyber Supply Chain

While it may be unrealistic to completely lock down an organization’s cyber supply chain, companies need to take a look at how products up and down the chain are managed.

At a time when thousands of hungry consumers were walking out of their favorite sandwich shop with foot-long heroes, money-hungry crooks were walking off with their credit card information.

From some point in 2008 until May 2011, a band of Romanian hackers had allegedly been stealing credit card data from the point-of-sale (POS) systems used by a popular chain restaurant’s franchisees and other small businesses, gathering the credit and debit card data of over 80,000 consumers and ringing up more than $3 million in fraudulent charges.

The POS system, provided to the stores by the parent company, left open a ready-made backdoor for the hackers to gain entry. With store owners failing to activate the requisite security and configuration standards, hacking into the system proved to be child’s play for the thieves. It was akin to a bank leaving the door to the safe open.

This example is far from an isolated case, and incidents like it have become more frequent over time; together they raise questions over the integrity of the cyber supply chain. The standards and regulations have become dated, designed in a time when technology was far more straightforward, innovation was more limited, and cyber attacks were far less sophisticated.

Today, organizations must think differently in order to protect sensitive data and critical infrastructures. It’s no longer a case of simply securing the perimeter by purchasing better security products. Organizations need to take into account the role of those developers, vendors and customers that comprise their cyber supply chain. They can no longer have implicit trust that the software, hardware, infrastructure and networks they use are secure.

What comprises an organization’s cyber security supply chain? It is the mass of IT systems – hardware, software, public and classified networks – that together enable the uninterrupted operations of governments, public and private companies and their major suppliers, as well as those that plan, build, manage, maintain and defend this infrastructure.

While it may be unrealistic to completely lock down an organization’s cyber supply chain, companies need to begin to take a hard look at how products up and down the chain are managed. Organizations need to take nothing for granted and ask tough questions. Where was that router made? Were the firmware and software developed in a trusted environment? Who manages the software and IT kit? Just because the name on the product is well-known and reputable doesn’t mean that the chip set, firmware or piece of software wasn’t developed by and/or bought from a third party. These products too have been found with trapdoors, backdoors, kill capabilities, data exfiltration and covert channels embedded within them.

While no common lexicon or template for describing supply chain integrity presently exists, the creation of a cyber supply assurance model is not far off. Such a model would need to include assurances from both software and hardware vendors that their products have gone through appropriate code reviews and formal methodologies in the systems development lifecycle. A software pedigree – where the organization knows who developed the code at every step and can verify its trustworthiness – is one of the most critical and challenging steps that must be included.


This cyber supply assurance model would provide a full audit trail, showing that the proper steps have been taken to ensure the security and integrity of the product. This means establishing new coding standards and measuring against those standards, monitoring offshore software development, making sure critical software has been properly documented and analyzed before being used, determining that proper tools were used to analyze the code for vulnerabilities, and ascertaining that any application management or outsourcing aspects have been conducted in accordance with safe coding standards.

Once the integrity of the product has been determined, the next stage is to monitor the baseline network traffic that travels up and down through the infrastructure. Not just governments, but also financial service and pharmaceutical companies have begun using signature analysis to create snapshots of traffic to determine if anything has changed or if anomalous behavior has taken place. In the case of a bank that deals primarily with customers and relationships in the United States, for example, snapshots of IP addresses outside the U.S. might set off a red flag that something unusual is happening.
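The baseline-and-snapshot comparison described above, as an added example that is not from the article: it summarises constructed flow records into a per-destination traffic snapshot, compares a current snapshot against the baseline, and flags destinations that are new, that sit outside the organization’s home country, or that are receiving far more data than before. The prefix-to-country table is an assumption standing in for a GeoIP lookup; it uses documentation address ranges with made-up country codes so the example runs offline.

```python
import ipaddress
from collections import Counter

# Constructed flow records (not from the article): (src_ip, dst_ip, bytes_out).
BASELINE_FLOWS = [
    ("10.0.0.5", "198.51.100.10", 20000),  # payment processor, routine volume
    ("10.0.0.5", "203.0.113.7", 5000),     # software update mirror
]
CURRENT_FLOWS = [
    ("10.0.0.5", "198.51.100.10", 21000),  # roughly unchanged
    ("10.0.0.5", "203.0.113.7", 30000),    # same host, six times the baseline volume
    ("10.0.0.9", "192.0.2.44", 4000),      # never seen before, outside home country
]

# Stand-in for a GeoIP database (assumption): documentation ranges with
# made-up country codes, only so the example runs offline.
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "RO",
}

def country_of(ip):
    """Return the country code for an address, or '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_BY_PREFIX.items():
        if addr in net:
            return cc
    return "??"

def snapshot(flows):
    """Summarise flows into bytes sent per destination: the traffic 'snapshot'."""
    totals = Counter()
    for _src, dst, nbytes in flows:
        totals[dst] += nbytes
    return totals

def compare_snapshots(baseline, current, home="US", growth_factor=3.0):
    """Flag what changed between two snapshots as sorted (reason, dst, cc) tuples.
    A destination outside the home country is reported regardless of volume;
    a known in-country destination is flagged only if volume grew past the factor."""
    alerts = []
    for dst, nbytes in current.items():
        cc = country_of(dst)
        if dst not in baseline:
            alerts.append(("new-destination", dst, cc))
        if cc != home:
            alerts.append(("outside-" + home, dst, cc))
        elif dst in baseline and nbytes > baseline[dst] * growth_factor:
            alerts.append(("volume-spike", dst, cc))
    return sorted(alerts)
```

Calling compare_snapshots(snapshot(BASELINE_FLOWS), snapshot(CURRENT_FLOWS)) yields three alerts: the new non-US destination twice (new and outside-US) and the volume spike on the update mirror.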

A push towards a common framework, one that looks not only at how you buy or configure products but also at how they need to be maintained – which, in some cases, will be by third parties – will help assure a cyber supply chain that can be trusted. In the meantime, the challenge is for organizations to view this as a quality control process. Otherwise, breaching the cyber supply chain will be as easy for cyber criminals as, well, buying a sandwich.
