Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management
    • Networking

    Why Supply Chain Security a Serious Enterprise Problem

    By
    WAYNE RASH
    -
    October 13, 2018
    Share
    Facebook
    Twitter
    Linkedin
      Microcircuit.phone

      In their 2015 novel “Ghost Fleet: A Novel of the Next World War,” authors P.W. Singer and August Cole postulate a future conflict between the U.S. and China that’s enabled by supply chain hacking. But rather than suggesting that Chinese agents somehow inserted a secret chip into a few servers, they take the far more likely route of altering many specific components in the supply chain of electronics manufacturers so that they could be turned on to do China’s bidding.

      When the war in Ghost Fleet breaks out, the bidding by the Chinese military is to simply disable those components. The result is chaos, because most of those components, and the equipment in which they’re installed, simply stop working. What saves the U.S. in that novel are the hundreds of ships and aircraft that have been mothballed and which were built using older technology.

      Chances are, we won’t see the future as its laid out in Ghost Fleet, but the threat described by the authors is very real indeed. The fact is that the supply chain that enables the constant stream of technology-based products, ranging from iPhones to interceptors, is vulnerable, and fixing it is either extremely difficult or impossible, depending on whom you ask.

      DHS Primarily Responsible for Federal Action

      At this point, officials with the U.S. agencies responsible for supply chain security, which is primarily the Department of Homeland Security for civilian agencies, have said that they’ve found nothing to indicate that the reports last week by Bloomberg BusinessWeek are accurate, which is also what we reported in eWEEK. However, the risk is sufficiently serious that DHS has issued a Request for Information on Cyber Supply Chain Risk Management.

      A key addition to the DHS RFI is a new question and answer section, added on Oct. 11, 2018, that discusses the goals of the RFI and which asks the industry to assist the government in finding ways the secure the supply chain. It’s important to know that in this case the RFI is aimed at the supply chain for products that will be procured for government use, but the principles will be useful to anyone.

      What’s equally important is that DHS has said that they plan to make the process as public as possible. This means that the department will depend on unclassified sources where possible and will make its findings as public as possible.

      “The intent is not to hoard information but to use it as the basis to engage in productive dialogue with companies,” the DHS document explains. “This year, DHS is initiating some related work with some of its partner agencies. If this process unearths actionable information, DHS will share it.” The full RFI is available here, and is worth a look to get an idea of how DHS is looking at supply chain security.

      How Do You Protect Yourself and Your Company?

      Eventually, DHS will turn its RFI into a Request for Proposal, and from that it will develop a procedure for security the supply chain for critical items for the federal government. Because DHS says it will share its findings, those same procedures should be available to enterprises for use in their own procurements.

      However, the DHS effort is only at its earliest stages. And even when it’s complete, the process is likely to be sufficiently difficult and expensive that it will be used only for the most critical items. This means that you might use what DHS develops for your cloud operations, but you won’t use them for your office PCs.

      So what do you do to protect yourself? The only rational approach is to assume that your digital infrastructure is already compromised and act accordingly. Because compromised components must have communications with the outside world if they’re to fulfill their covert master’s orders, you must deny them that access. And because their masters will try to reach them, and the components also will try to reach out, you must also monitor the network traffic that moves outside of your company for command and control messages.

      There are basically three types of actions that such compromised hardware may take, and each of those will have a somewhat different type of traffic. Here’s what to look for:

      • Coded instructions coming from the outside. This is what would happen if components are designed to simply stop working on command.
      • Brief incoming instructions, followed by continuing outgoing data. This is what happens if the goal is to have compromised hardware redirect traffic or stored data.
      • Constant dialog between a device and an outside location. This is probably what Bloomberg BusinessWeek envisioned, and it’s what happens with the Russian LoJax UEFI malware we reported on in September. Such malware can also be inserted in the supply chain by simply infecting all chips of a certain type, such as non-volatile RAM.

      The one key factor to all of these types of attacks is access to incoming traffic from outside. Isolating your network hardware so that it can’t receive such traffic will keep those command and control messages from working. But you also need to monitor outgoing traffic on your network, and you need to block outgoing traffic where possible.

      This means that traffic monitoring is essential for your network where you may be vulnerable. It also means that you will need to pay attention to how your routers and firewalls are configured to reduce the likelihood of success of such an attack.

      But remember, just because this discussion and the Bloomberg discussion involve China, you can’t assume that the bad guys who want to attack your enterprise are from China. They can be from anywhere and everywhere. That’s why it’s critical to take precautions.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×