Risk
11/5/2009
01:45 PM
Connect Directly
RSS
E-Mail
50%
50%

Securing The Cyber Supply Chain

Many parties touch your organization's systems and software, potentially exposing them to malware, breaches, or worse. A new end-to-end approach is required to minimize the risks.

Security pros draw a line at the firewall--what happens "out there" might be beyond their control, but a secure perimeter is intended to protect the data and systems within. That view, however, fails to take into account the role of developers, vendors, customers, users, and others along the supply chain of IT systems, hardware, and software coming into the enterprise. A new school of practice advocates a more encompassing approach to security that leaves none of those touch points unchecked.

It's called the cybersecurity supply chain, and, as it sounds, it applies the principles of supply chain management--product assembly and acquisition, data sharing among partners, governance, and more--to the security of IT systems and software. "Organizations need to realize that their borders are porous," says Jim Lewis, director and senior fellow of the Center for Strategic and International Studies' technology and public policy program. "We're no longer living behind a moat. It's not just how secure you are, but how secure the people you connect with are as well."

What comprises a cyber supply chain? Researchers at the University of Maryland's Robert H. Smith School of Business and the IT services firm SAIC, in a white paper published in June, define it as "the mass of IT systems--hardware, software, public, and classified networks--that together enable the uninterrupted operations" of government agencies, public companies, and their major suppliers. "The cyber supply chain includes the entire set of key actors and their organizational and process-level interactions that plan, build, manage, maintain, and defend this infrastructure."

Foreign nations already are carrying out supply chain attacks on IT systems belonging to the U.S. government, according to a presentation by Mitch Komaroff, director of the Department of Defense CIO's globalization task force. A simple example is hardware being delivered with malware installed. In the private sector, financial firms have become regular targets. These two sectors are also the most aggressive in looking at ways to fight the problem.

Two government efforts--the Bush administration's Comprehensive National Cyber Initiative and the Obama administration's Cybersecurity Policy Review--direct federal agencies to shore up their cyber supply chains. "The growing sophistication and diversity of cyberattacks makes this a threat," says Nicole Dean, deputy director of the Department of Homeland Security's National Cybersecurity Division, which oversees the Comprehensive National Cyber Initiative.

DIG DEEPER
Government IT On The Leading Edge
Learn more about how government agencies are helping to drive what's next in the technology industry, including software that learns your schedule and networks resilient enough for the rigors of outer space.
Avenues of attack include malware inserted into software or hardware, vulnerabilities found by hackers poking and prodding software, and compromised systems that are unwittingly brought in house. In recent years, Apple, Hewlett-Packard, Sony, and others have shipped pre-owned laptops, hard drives, and other devices with viruses, worms, and Trojans on them, according to a 2007 presentation to the Internet Security Alliance by Verizon executive Marcus Sachs, who's also director of the SANS Internet Storm Center.

In most companies, tackling this problem will require new levels of collaboration among security, IT, and supply chain managers. "From a defensive standpoint, few supply chain managers or supply chain risk managers have aligned their mission with their computer security center, and they're not commissioned to conduct joint operations," says Hart Rossman, CTO of cybersecurity solutions with SAIC and co-author of the cyber supply chain white paper. "If you think hardware or software has been compromised out of the box and you call your cybersecurity team, they're probably not prepared to deal with it because they're looking for viruses."

Counterfeiting is another risk. The Department of Justice recently arrested three California residents on counterfeiting charges. According to the indictment, the three imported counterfeit microprocessors from China. They also obtained legitimate chips, removed their original markings, then resold them to government agencies as "military grade" components.

Previous
1 of 5
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-0965
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted SOAP response.

CVE-2014-3022
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted URL that triggers an error condition.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.