While it may be unrealistic to completely lock down an organization’s cyber supply chain, companies need to take a look at how products up and down the chain are managed.
At a time when thousands of hungry consumers were walking out of their favorite sandwich shop with foot-long heroes, money-hungry crooks were walking off with their credit card information.
From some point in 2008 until May 2011, a band of Romanian hackers had allegedly been stealing credit card data from the point-of-sale (POS) systems used by a popular chain restaurant’s franchisees and other small businesses, gathering the credit and debit card data of over 80,000 consumers and ringing up more than $3 million in fraudulent charges.
The POS system, provided to the stores by the parent company, left open a ready-made backdoor for the hackers to gain entry. With store owners failing to activate the requisite security and configuration standards, hacking into the system proved to be child’s play for the thieves. It was akin to a bank leaving open the door to the safe.
This example is far from an isolated case, and such incidents have become more frequent over time; it raises questions over the integrity of the cyber supply chain. The standards and regulations have become dated, designed in a time when technology was far more straightforward, innovation was more limited, and cyber attacks were far less sophisticated.
Today, organizations must think differently in order to protect sensitive data and critical infrastructures. It’s no longer a case of simply securing the perimeter by purchasing better security products. Organizations need to take into account the role of those developers, vendors and customers that comprise their cyber supply chain. They can no longer have implicit trust that the software, hardware, infrastructure and networks they use are secure.
What comprises an organization’s cyber security supply chain? It is the mass of IT systems – hardware, software, public and classified networks – that together enable the uninterrupted operations of governments, public and private companies and their major suppliers, as well as those that plan, build, manage, maintain and defend this infrastructure.
While it may be unrealistic to completely lock down an organization’s cyber supply chain, companies need to begin to take a hard look at how products up and down the chain are managed. Organizations need to take nothing for granted and ask tough questions. Where was that router made? Were the firmware and software developed in a trusted environment? Who manages the software and IT kit? Just because the name on the product is well-known and reputable doesn’t mean that the chip set, firmware or piece of software wasn’t developed by and/or bought from a third party. Such products, too, have been found with trapdoors, backdoors, kill capabilities, data exfiltration and covert channels embedded within them.
While no common lexicon or template for describing supply chain integrity presently exists, the creation of a cyber supply assurance model is not far off. Such a model would need to include assurances from both software and hardware vendors that their products have gone through appropriate code reviews and formal methodologies in the systems development lifecycle. A software pedigree – where the organization knows who developed the code at every step and can verify its trustworthiness – is one of the most critical and challenging steps that must be included.
This cyber supply assurance model would provide a full audit trail, showing that the proper steps have been taken to ensure the security and integrity of the product. This means establishing new coding standards and measuring against those standards, monitoring offshore software development, making sure critical software has been properly documented and analyzed before being used, determining that proper tools were used to analyze the code for vulnerabilities, and ascertaining that any application management or outsourcing aspects have been conducted in accordance with safe code standards.
Once the integrity of the product has been determined, the next stage is to monitor the baseline network traffic that travels up and down through the infrastructure. Not just governments, but also financial service and pharmaceutical companies have begun using signature analysis to create snapshots of traffic to determine if anything has changed or if anomalous behavior has taken place. In the case of a bank that deals primarily with customers and relationships in the United States, for example, snapshots of IP addresses outside the U.S. might set off a red flag that something unusual is happening.
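The baseline-snapshot comparison described above, as an added illustration that is not part of the original article: a baseline snapshot of which host talks to which destination is built from a constructed flow log, a later snapshot is diffed against it, and any new destination that resolves outside the home country is raised at high severity. The flow-log format, the host names, the GeoIP table and the country codes are all constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the article):
# timestamp, source host, destination IP, bytes sent.
BASELINE_LOG = """\
2011-05-01T09:00:01 pos-01 198.51.100.20 1200
2011-05-01T09:05:12 pos-01 198.51.100.21 800
2011-05-01T10:15:33 pos-02 198.51.100.20 1400
2011-05-01T11:42:07 pos-02 203.0.113.9 950
"""
CURRENT_LOG = """\
2011-05-02T09:01:14 pos-01 198.51.100.20 1100
2011-05-02T03:17:45 pos-02 192.0.2.77 512000
2011-05-02T10:22:09 pos-02 198.51.100.21 700
2011-05-02T03:18:01 pos-01 192.0.2.77 488000
"""

# Constructed stand-in for a GeoIP lookup: network -> country code.
# "ZZ" is a made-up code for "outside the home country".
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "ZZ",
}
HOME_COUNTRY = "US"

def country_of(ip: str) -> str:
    """Resolve an IP to a country code via the constructed table ("??" if unknown)."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), "??")

def snapshot(log_text: str) -> Counter:
    """Summarise a flow log into a snapshot: (source host, destination IP) -> total bytes."""
    snap = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, nbytes = line.split()
        snap[(src, dst)] += int(nbytes)
    return snap

def find_anomalies(baseline: Counter, current: Counter, home: str = HOME_COUNTRY) -> list:
    """Flag (host, destination) pairs absent from the baseline; foreign destinations are high severity."""
    alerts = []
    for (src, dst), nbytes in current.items():
        if (src, dst) in baseline:
            continue
        cc = country_of(dst)
        alerts.append({"src": src, "dst": dst, "country": cc, "bytes": nbytes,
                       "severity": "high" if cc != home else "low"})
    return sorted(alerts, key=lambda a: a["severity"] != "high")  # high severity first
```

In a real deployment the baseline would be rebuilt on a schedule and the table replaced by a GeoIP database; the comparison logic stays the same.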
A push towards a common framework, one that looks not only at how you buy or configure products, but at how they need to be maintained – which, in some cases, will be by third parties – will help ensure a cyber supply chain that can be trusted. In the meantime, the challenge is for organizations to view this as a quality control process. Otherwise, breaching the cyber supply chain will be as easy for cyber criminals as, well, buying a sandwich.