Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management

Analytics

6/27/2019
03:50 PM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
7 comments
Comment Now

7 Ways to Mitigate Supply Chain Attacks

Breaches caused by external vendors and service providers have become a major and escalating problem for organizations.
2 of 8

Stipulate Security Requirements in Your Contracts

Security and risk mitigation requirements must be included in an organization's contractual agreement with third-party vendor and service providers, says Rocco Grillo, managing director with professional services firm Alvarez & Marsal. Requirements should include the ability for an organization to audit the third party's security practices and business continuity plans, establish performance standards, and clearly define default and termination terms. The contract should include provisions governing the use of foreign-based service providers and outline data governance and vendor subcontracting rules, he says.

"Ensure contracts include the right to audit the security posture of suppliers by your security team or a third party," adds Jason Haward-Grau, CISO at PAS Global. "For suppliers of software of any type, require certification of cybersecurity vulnerability assessment with each release by the supplier."

Image Source: Shutterstock

2 of 8
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
 User Rank: Ninja
7/19/2019 | 10:29:39 AM
Re: attack
I agree the customer doesn't care where they get their services from, as long as the service is consistent, on-time it meets their requirements, they would care if it came from Tim-Buck-Too. 

But there is a bigger question to this dilemma; what if they do care where the parts come from and if the supplier added components that were not listed on the SKU (parts listing) and they discovered this device was sending information back to an unknown location where this data was tagged, labeled and could be used for purposes to affect the lives of others. Now the severity and importance have changed (i.e. NSA Prism's - Cisco Firmware upgrade to boards sent to China, France's Monitoring/Phone Tampering, SuperMicro Embedded Micro-Chips, Google/Apple/Microsoft embedded applications to capture user patterns - Telemetry). So now the dynamic changes because now it is affecting the lives of others.



I think we can try to mitigate the process but the problem is not the process, it is the underlying spy game that is being played by nation-states and the competitive advantage they are trying to gain. The root cause of the problem is in front of us, there needs to be clear rules that we both (the US and others) follow where we keep each other accountable to deter the wrong-doings; more nation-state policing such as fines, penalties, and sanctions is the only way to address this problem (use Blockchain's immutable process of capturing purchases and following the process from start to finish but there are ways - Cisco FW and SuperMicro - to step around the process). If this is not addressed at the executive and presidential level, no matter how intricate a process we have in place to monitor and mitigate breaches, there will always be another way to circumvent what we have, there really needs to be a truce.

Supply Chain Process



Todd
tdsan
50%
50%
tdsan,
 User Rank: Ninja
7/16/2019 | 11:30:34 AM
Re: attack
That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.. —Lyngiten

Interesting comment, let me play devil's advocate; if a cloud vendor worked with another cloud vendor to provide a service, would you care where the service came from (if they put it under the AWS umbrella) or would you ignore it and continue?

I think in most instances people they don't care (just like utility companies) where the service comes from, as long as it is reliable, consistent and it meets their business requirements (SLAs).

However, in the case of supply chain mgmt, it is essential to determine if the vendor/supplier is reputable and they are not willing to compromise their integrity. Apple did this when they were faced with the possibility of violating its security framework giving the FBI the ability to hack into their iPhone series.

In the case of SuperMicro, it was evident that one of their suppliers was being influenced by the Chinese government to use microchips on their system boards; so, we would care because it is affecting organizations around the globe (this was a clear and blatant misuse of power).

Todd
Lyngiten
50%
50%
Lyngiten,
 User Rank: Apprentice
7/16/2019 | 8:09:49 AM
attack
Only 18 percent of companies says they knew if those vendors were, in turn, sharing that information with other suppliers. That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.
tdsan
50%
50%
tdsan,
 User Rank: Ninja
6/30/2019 | 6:27:35 PM
Re: interesting but there is something we are missing.
We need to implement a "BlockChain" methodology when it pertains to the supply chain (only allow approved vendors), at least we would be able to see who purchased what and how the solution was implemented; that way we can determine if components were added a later time; this gives all interested parties the ability to cross-reference the material purchased (SuperMicro micro-chip was hard to detect but at least we have a way of matching the serial numbers to the device). If there was some tampering, we would know it.

Think about this, if every device emits an RF reading or electrical signature, then we could look for electrical signatures not part of the device (remove the obvious and what remains is the answer). Some sort of inexpensive Xray device that pinpoints RF energy readings.

T
RyanSepe
50%
50%
RyanSepe,
 User Rank: Ninja
6/30/2019 | 8:28:51 AM
Re: interesting but there is something we are missing.
"(they denied it of course)" Deny, deny, deny. Same nonsense is currently going on the wake of the Chernobyl mini-series. Russia, not being a fan of the telling, has decided they would like to create their own where the meltdown was the cause of espionage performed by the Americans.

It's astounding when even Nation-States don't want to have accountability.
tdsan
50%
50%
tdsan,
 User Rank: Ninja
6/29/2019 | 6:54:24 PM
interesting but there is something we are missing.
Do you remember the China hack that occurred with SuperMicro - https://bloom.bg/2OCRfgO. This was an elaborate attempt to place a microchip on the system board where the chip could control and monitor the system from anywhere. This was an elaborate setup by the government of China (they denied it of course) but this chip was state-of-the-art.
Quote - Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

 Also, remember, we are doing the same thing (go back and review Edward Snowden's remarks - https://bit.ly/2o3lvE5. So in order for us to validate the process, the nation-states need to agree to work together and stop this surreptious undercover spy game or it will only continue (I don't see it happening anytime soon), they will find a way.

T
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17478
PUBLISHED: 2020-08-10
ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm.
CVE-2020-15648
PUBLISHED: 2020-08-10
Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
CVE-2020-15649
PUBLISHED: 2020-08-10
Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR...
CVE-2020-15650
PUBLISHED: 2020-08-10
Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Fir...
CVE-2020-15651
PUBLISHED: 2020-08-10
A unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extension. This vulnerability affects Firefox for iOS < 28.