
Comments
7 Ways to Mitigate Supply Chain Attacks
CharlieFrindle,
User Rank: Apprentice
8/30/2019 | 8:39:39 AM
192.168.l.l
Thanks for the valuable information and insights you have so provided here.
tdsan,
User Rank: Ninja
7/19/2019 | 10:29:39 AM
Re: attack
I agree the customer doesn't care where they get their services from, as long as the service is consistent, on time, and meets their requirements; they would care if it came from Tim-Buck-Too.

But there is a bigger question to this dilemma; what if they do care where the parts come from and if the supplier added components that were not listed on the SKU (parts listing) and they discovered this device was sending information back to an unknown location where this data was tagged, labeled and could be used for purposes to affect the lives of others. Now the severity and importance have changed (i.e. NSA Prism's - Cisco Firmware upgrade to boards sent to China, France's Monitoring/Phone Tampering, SuperMicro Embedded Micro-Chips, Google/Apple/Microsoft embedded applications to capture user patterns - Telemetry). So now the dynamic changes because now it is affecting the lives of others.



I think we can try to mitigate the process but the problem is not the process, it is the underlying spy game that is being played by nation-states and the competitive advantage they are trying to gain. The root cause of the problem is in front of us, there needs to be clear rules that we both (the US and others) follow where we keep each other accountable to deter the wrong-doings; more nation-state policing such as fines, penalties, and sanctions is the only way to address this problem (use Blockchain's immutable process of capturing purchases and following the process from start to finish but there are ways - Cisco FW and SuperMicro - to step around the process). If this is not addressed at the executive and presidential level, no matter how intricate a process we have in place to monitor and mitigate breaches, there will always be another way to circumvent what we have, there really needs to be a truce.

Supply Chain Process



Todd
tdsan,
User Rank: Ninja
7/16/2019 | 11:30:34 AM
Re: attack
That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself. —Lyngiten

Interesting comment, let me play devil's advocate; if a cloud vendor worked with another cloud vendor to provide a service, would you care where the service came from (if they put it under the AWS umbrella) or would you ignore it and continue?

I think in most instances people don't care (just like utility companies) where the service comes from, as long as it is reliable, consistent and it meets their business requirements (SLAs).

However, in the case of supply chain mgmt, it is essential to determine if the vendor/supplier is reputable and they are not willing to compromise their integrity. Apple did this when they were faced with the possibility of violating its security framework giving the FBI the ability to hack into their iPhone series.

In the case of SuperMicro, it was evident that one of their suppliers was being influenced by the Chinese government to use microchips on their system boards; so, we would care because it is affecting organizations around the globe (this was a clear and blatant misuse of power).

Todd
Lyngiten,
User Rank: Apprentice
7/16/2019 | 8:09:49 AM
attack
Only 18 percent of companies say they knew if those vendors were, in turn, sharing that information with other suppliers. That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.
tdsan,
User Rank: Ninja
6/30/2019 | 6:27:35 PM
Re: interesting but there is something we are missing.
We need to implement a "BlockChain" methodology when it pertains to the supply chain (only allow approved vendors), at least we would be able to see who purchased what and how the solution was implemented; that way we can determine if components were added at a later time; this gives all interested parties the ability to cross-reference the material purchased (SuperMicro micro-chip was hard to detect but at least we have a way of matching the serial numbers to the device). If there was some tampering, we would know it.

Think about this, if every device emits an RF reading or electrical signature, then we could look for electrical signatures not part of the device (remove the obvious and what remains is the answer). Some sort of inexpensive Xray device that pinpoints RF energy readings.

T
RyanSepe,
User Rank: Ninja
6/30/2019 | 8:28:51 AM
Re: interesting but there is something we are missing.
"(they denied it of course)" Deny, deny, deny. Same nonsense is currently going on in the wake of the Chernobyl mini-series. Russia, not being a fan of the telling, has decided they would like to create their own where the meltdown was the cause of espionage performed by the Americans.

It's astounding when even Nation-States don't want to have accountability.
tdsan,
User Rank: Ninja
6/29/2019 | 6:54:24 PM
interesting but there is something we are missing.
Do you remember the China hack that occurred with SuperMicro - https://bloom.bg/2OCRfgO. This was an elaborate attempt to place a microchip on the system board where the chip could control and monitor the system from anywhere. This was an elaborate setup by the government of China (they denied it of course) but this chip was state-of-the-art.
Quote - Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

Also, remember, we are doing the same thing (go back and review Edward Snowden's remarks - https://bit.ly/2o3lvE5). So in order for us to validate the process, the nation-states need to agree to work together and stop this surreptitious undercover spy game or it will only continue (I don't see it happening anytime soon), they will find a way.

T

