Risk
11/5/2009
01:45 PM
50%
50%

Securing The Cyber Supply Chain

Many parties touch your organization's systems and software, potentially exposing them to malware, breaches, or worse. A new end-to-end approach is required to minimize the risks.

Beware Back Doors

Software pedigree--knowing who developed code at every step, and being able to verify its trustworthiness--is one of the most critical, yet challenging, steps. Earlier this year, Arab telecom provider Etisalat pushed to BlackBerry users what it said was a software update for improving performance. In fact, it was spyware capable of providing access to information on the devices.

Brian Chess, chief scientist at Fortify, a company that specializes in assuring software security, recommends a three-step process: Take a software inventory and apply tools that analyze code for vulnerabilities; ask software vendors to document the steps in their development processes; and recognize that neither of those steps is enough, and therefore be rigorous in your other cybersecurity efforts.

Once software is installed, to make sure hackers aren't using back doors built into code, it's important to baseline network traffic, says NetForensics VP Tracy Hulver. If something looks amiss, "I can be alerted and do something about it," he says. That applies to anomalies in user behavior, as well. "You say, I'm getting database access from an IP address that's outside the United States, and that's unusual, so I need to terminate that," Hulver says.

Verizon's Sachs recommends a multitiered approach to risk mitigation, including establishing new coding standards in the software industry, close monitoring of offshore software development, and a mandate that all critical software used by government agencies be written domestically.

The software industry is in the early days of figuring out how to discuss supply chain issues. SAFECode is working with Adobe, EMC, Juniper, Microsoft, Nokia, SAP, and Symantec to develop best practices in secure software development. "We discovered there really wasn't a common lexicon or template for describing supply chain integrity," says Paul Kurtz, executive director of SAFECode and a top White House cybersecurity official in the Bush administration. "Now they're looking at this collectively, which is incredibly important because they're developing a common framework."

Bill Billings, chief security officer for Microsoft's federal group, believes the computer industry should adopt what he calls the Campbell's soup model, where a product-tracking number on every can makes it possible for consumers to get information on where and when soup was made. "You're not changing the quality of it, but you are changing the fact that it comes from somebody you knew rather than somebody you didn't," he says. "It's getting rid of the man-in-the-middle attacks."

chart: Alignment is Off

Previous
3 of 5
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.