Supply and Demand (for security)

February 13, 2019 Jacob Ansari

2018 was the year that raised the alarm in earnest about potential vulnerabilities in the supply chain for enterprise computing systems.

But with such diverse networks and widespread dependence on third parties, how can organizations expect to plug all potential leaks? Karen Epper Hoffman reports.

It sounds like the stuff of a modern-day John le Carré novel: the Chinese government exerting influence over the operations of hardware maker Super Micro Computer Inc. in order to spy on the enterprises to which Supermicro supplies server hardware.

First detailed in an early October Bloomberg Businessweek article, the story was quickly disputed, and in some cases recanted, by several high-profile industry experts, including some of the 17 sources cited in the initial piece. Whatever its accuracy, this tale of apparent cyberspy intrigue, along with similar stories in recent years, has shone a spotlight on the vulnerabilities of the enterprise supply chain.

“This story is an extreme use case, but it justifies the need for governments [and companies] to do extensive and thorough assessments of their vendors and hardware,” says Itay Kozuch, director of threat research for IntSights Cyber Intelligence. “While it may seem inefficient, the one time in a million assessments that you catch something is worth the cost.”

A potential problem at Supermicro raised alarms because the company manufactures computer hardware used by business giants like Amazon and Apple, as well as the U.S. government, including the Department of Defense and the Central Intelligence Agency.

Jacob Ansari, senior manager for Schellman & Company LLC, points out the typical supply chain is “bigger than manufactured components in factories and older than the Supermicro event or non-event, depending on how you regard that [story].”

Nor would a Supermicro compromise be an isolated event, he adds: supply chain attacks on point-of-sale software are well documented, with attackers compromising a third-party component and thereby backdooring the POS system before it ever shipped to the merchant.

Matt Wilson, chief information security advisor at BTB Security, believes the Supermicro story highlights a supply chain risk which is “well-known in government circles, but relatively unknown to most [private-sector] organizations.” On the heels of this and similar cyberspying stories, Wilson and his team have seen “a slight uptick in interest from some of our enterprise customers, as well as smaller organizations that have more mature information security programs.”

Read full article at SC Magazine >


About the Author

Jacob Ansari

Jacob Ansari is a Senior Manager at Schellman & Company. Jacob performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS, P2PE, and 3DS. Jacob's career spans nearly 20 years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and assessment of cryptographic systems. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS.
