Supply and Demand (for security)

February 13, 2019 Jacob Ansari

2018 was the year that raised the alarm in earnest about potential vulnerabilities in the supply chain for enterprise computing systems.

But with such diverse networks and widespread dependence on third parties, how can organizations expect to plug all potential leaks? Karen Epper Hoffman reports.

It sounds like the stuff of a modern-day John LeCarre novel: The Chinese government exerting influence over the operations of hardware developer Super Micro Computer Inc. to spy on the enterprises to which Supermicro supplies computer chips.

First detailed in an early October Bloomberg Businessweek article, this story was quickly denied and recanted by several high-profile industry experts, including some of the 17 sources cited in the initial piece. However, this tale of seeming cyberspy intrigue, along with similar stories in recent years, has shone a spotlight on the vulnerabilities of the enterprise supply chain.

“This story is an extreme use case, but it justifies the need for governments [and companies] to do extensive and thorough assessments of their vendors and hardware,” says Itay Kozuch, director of threat research for IntSights Cyber Intelligence. “While it may seem inefficient, the one time in a million assessments that you catch something is worth the cost.”

A potential problem at Supermicro raised alarms because the company manufactures computer hardware used by business giants like Amazon and Apple, as well as the U.S. government, including the Department of Defense and the Central Intelligence Agency.

Jacob Ansari, senior manager for Schellman & Company LLC, points out the typical supply chain is “bigger than manufactured components in factories and older than the Supermicro event or non-event, depending on how you regard that [story].”

The supposed Supermicro compromise is not an isolated event, he adds, since there have long been well-documented supply chain attacks in point-of-sale software, where the attackers had compromised a third-party component, thus backdooring the POS before it even shipped to the merchant.

Matt Wilson, chief information security advisor at BTB Security, believes the Supermicro story highlights a supply chain risk which is “well-known in government circles, but relatively unknown to most [private-sector] organizations.” On the heels of this and similar cyberspying stories, Wilson and his team have seen “a slight uptick in interest from some of our enterprise customers, as well as smaller organizations that have more mature information security programs.”

Read full article at SC Magazine >


About the Author

Jacob Ansari

Jacob Ansari is the Chief Information Security Officer at Schellman & Company, where he develops and manages the company-wide information security program. Jacob oversees the processes for risk and security assessment, vulnerability management, software security, awareness and education, and incident response. Jacob has also performed in a client facing role as the technical lead for Schellman’s PCI services, and represents Schellman to the payments industry. Additionally, Jacob has experience with other Payment Card Industry assessment services, namely Software Security Framework, PA-DSS, P2PE, 3DS, and PIN. Jacob has extensive technical expertise on matters of information security, compliance, application security, and cryptography, and has been performing payment card security assessments since the card brands operated the predecessor standards to PCI DSS. Over the 20 years of his career, Jacob has spoken extensively on PCI-related matters, trained and mentored assessors, and contributed to groups on emerging standards, advisory bodies, and special interest groups.
