Risk
11/5/2009
01:45 PM
50%
50%

Securing The Cyber Supply Chain

Many parties touch your organization's systems and software, potentially exposing them to malware, breaches, or worse. A new end-to-end approach is required to minimize the risks.

Security pros draw a line at the firewall--what happens "out there" might be beyond their control, but a secure perimeter is intended to protect the data and systems within. That view, however, fails to take into account the role of developers, vendors, customers, users, and others along the supply chain of IT systems, hardware, and software coming into the enterprise. A new school of practice advocates a more encompassing approach to security that leaves none of those touch points unchecked.

It's called the cybersecurity supply chain, and, as it sounds, it applies the principles of supply chain management--product assembly and acquisition, data sharing among partners, governance, and more--to the security of IT systems and software. "Organizations need to realize that their borders are porous," says Jim Lewis, director and senior fellow of the Center for Strategic and International Studies' technology and public policy program. "We're no longer living behind a moat. It's not just how secure you are, but how secure the people you connect with are as well."

What comprises a cyber supply chain? Researchers at the University of Maryland's Robert H. Smith School of Business and the IT services firm SAIC, in a white paper published in June, define it as "the mass of IT systems--hardware, software, public, and classified networks--that together enable the uninterrupted operations" of government agencies, public companies, and their major suppliers. "The cyber supply chain includes the entire set of key actors and their organizational and process-level interactions that plan, build, manage, maintain, and defend this infrastructure."

Foreign nations already are carrying out supply chain attacks on IT systems belonging to the U.S. government, according to a presentation by Mitch Komaroff, director of the Department of Defense CIO's globalization task force. A simple example is hardware being delivered with malware installed. In the private sector, financial firms have become regular targets. These two sectors are also the most aggressive in looking at ways to fight the problem.

Two government efforts--the Bush administration's Comprehensive National Cyber Initiative and the Obama administration's Cybersecurity Policy Review--direct federal agencies to shore up their cyber supply chains. "The growing sophistication and diversity of cyberattacks makes this a threat," says Nicole Dean, deputy director of the Department of Homeland Security's National Cybersecurity Division, which oversees the Comprehensive National Cyber Initiative.

DIG DEEPER
Government IT On The Leading Edge
Learn more about how government agencies are helping to drive what's next in the technology industry, including software that learns your schedule and networks resilient enough for the rigors of outer space.
Avenues of attack include malware inserted into software or hardware, vulnerabilities found by hackers poking and prodding software, and compromised systems that are unwittingly brought in house. In recent years, Apple, Hewlett-Packard, Sony, and others have shipped pre-owned laptops, hard drives, and other devices with viruses, worms, and Trojans on them, according to a 2007 presentation to the Internet Security Alliance by Verizon executive Marcus Sachs, who's also director of the SANS Internet Storm Center.

In most companies, tackling this problem will require new levels of collaboration among security, IT, and supply chain managers. "From a defensive standpoint, few supply chain managers or supply chain risk managers have aligned their mission with their computer security center, and they're not commissioned to conduct joint operations," says Hart Rossman, CTO of cybersecurity solutions with SAIC and co-author of the cyber supply chain white paper. "If you think hardware or software has been compromised out of the box and you call your cybersecurity team, they're probably not prepared to deal with it because they're looking for viruses."

Counterfeiting is another risk. The Department of Justice recently arrested three California residents on counterfeiting charges. According to the indictment, the three imported counterfeit microprocessors from China. They also obtained legitimate chips, removed their original markings, then resold them to government agencies as "military grade" components.

Previous
1 of 5
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.