Last week, a bombshell Bloomberg report alleged that Chinese spies had secretly inserted microchips on servers at Apple, Amazon, the US Department of Defense, and nearly 30 other US companies, collecting data and compromising the supply chain—an act that, if true, has a number of implications for businesses.
The bad news is that it's essentially impossible to secure supply chains from attacks like this, according to a post from Krebs on Security. Even if you identify technology vendors that have been associated with supply-chain hacks, he wrote, it's hard to remove them from the procurement chain, because it can be difficult to tell from the brand name of a given device who actually makes the different components in it.
For example, many Internet of Things (IoT) devices are insecure by default, due to the costs and time needed to build in strong cybersecurity measures. For every company that produces them, there are dozens of other "white label" firms that market or sell the core electronics components as their own, according to the post.
"While security researchers might identify a set of security holes in IoT products made by one company whose products are white labeled by others, actually informing consumers about which third-party products include those vulnerabilities can be extremely challenging," the post stated. "In some cases, a technology vendor responsible for some part of this mess may simply go out of business or close its doors and re-emerge under different names and managers."
It's also difficult to secure the technology supply chain because it is time-consuming and expensive to detect when products may have been intentionally compromised during manufacturing, the post said. For example, a typical motherboard may contain hundreds of chips, but it only takes one compromised chip to defeat the device's security. Additionally, most of the US government's methods for monitoring the supply chain focus on preventing counterfeits, not on finding parts that could have been added for spying purposes, the post noted.
Despite the difficulties, there are certain things that businesses can do to mitigate the threat of supply chain hacks. The post included the following tips from the SANS Institute:
1. Abandon the password for all but trivial applications. Steve Jobs and the ubiquitous mobile computer have lowered the cost and improved the convenience of strong authentication enough to overcome all arguments against it.
2. Abandon the flat network. Secure and trusted communication now trumps ease of any-to-any communication.
3. Move traffic monitoring from encouraged to essential.
4. Establish and maintain end-to-end encryption for all applications. Think TLS, VPNs, VLANs and physically segmented networks. Software Defined Networks put this within the budget of most enterprises.
5. Abandon the convenient but dangerously permissive default access control rule of "read/write/execute" in favor of restrictive "read/execute-only" or even better, "Least privilege." Least privilege is expensive to administer but it is effective. Our current strategy of "ship low-quality early/patch late" is proving to be ineffective and more expensive in maintenance and breaches than we could ever have imagined.
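Tips 2 and 3 are easier to act on with a concrete check. The following is an added example, not code from the article, from Krebs on Security, or from SANS: a small linter for a first-match, zone-based firewall policy that flags the "flat network" (any-to-any allow rules), allowed flows that nobody justified, allowed flows that are not logged for traffic monitoring, and the absence of a final catch-all deny. The zone names, the allowlist of business-justified flows, and the three sample policies are constructed for illustration and do not correspond to any real product or network.

```python
# Added example: lint a zone-based firewall policy for the problems the SANS
# tips describe. Zones, rules and the ALLOWED_FLOWS allowlist are constructed
# assumptions, not taken from the article, Krebs on Security or SANS.
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str   # e.g. "user", "dmz", "db", "mgmt" or ANY
    dst_zone: str
    proto: str      # "tcp", "udp" or ANY
    port: str       # "443", "5432" or ANY
    action: str     # "allow" or "deny"
    log: bool = False  # does the firewall log matches on this rule?


# Inter-zone flows the business has actually justified (constructed).
ALLOWED_FLOWS = {
    ("user", "dmz", "tcp", "443"),
    ("dmz", "db", "tcp", "5432"),
    ("mgmt", "dmz", "tcp", "22"),
    ("mgmt", "db", "tcp", "22"),
}


def lint_policy(rules, allowed=ALLOWED_FLOWS):
    """Return a list of (rule_index, finding_code) for a first-match policy."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if ANY in (r.src_zone, r.dst_zone):
            # Tip 2: a zone-level any-to-any allow is a flat network.
            findings.append((i, "ANY_ZONE"))
        elif ANY in (r.proto, r.port):
            # Zones are named, but every service between them is reachable.
            findings.append((i, "ANY_SERVICE"))
        elif (r.src_zone, r.dst_zone, r.proto, r.port) not in allowed:
            # Restricted, but nobody wrote down why this flow is needed.
            findings.append((i, "UNJUSTIFIED_FLOW"))
        if not r.log:
            # Tip 3: every permitted flow should be visible to monitoring.
            findings.append((i, "UNLOGGED"))
    # A segmented policy ends with an explicit catch-all deny.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or any(
        f != ANY for f in (last.src_zone, last.dst_zone, last.proto, last.port)
    ):
        findings.append((len(rules) - 1, "NO_DEFAULT_DENY"))
    return findings


# Constructed sample policies: the flat default, a hardened version, and a
# "mostly segmented" one with the kind of exceptions that accumulate over time.
FLAT_POLICY = [
    Rule(ANY, ANY, ANY, ANY, "allow"),
]

SEGMENTED_POLICY = [
    Rule("user", "dmz", "tcp", "443", "allow", log=True),
    Rule("dmz", "db", "tcp", "5432", "allow", log=True),
    Rule("mgmt", "dmz", "tcp", "22", "allow", log=True),
    Rule("mgmt", "db", "tcp", "22", "allow", log=True),
    Rule(ANY, ANY, ANY, ANY, "deny", log=True),
]

SLOPPY_POLICY = [
    Rule("user", "dmz", "tcp", "443", "allow", log=True),
    Rule("user", "db", ANY, ANY, "allow"),              # "developers need the DB"
    Rule("dmz", "db", "tcp", "5432", "allow"),          # justified, but unlogged
    Rule("user", "mgmt", "tcp", "22", "allow", log=True),  # not on the allowlist
]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY),
                         ("sloppy", SLOPPY_POLICY)):
        print(name, lint_policy(policy))
```

The linter treats the policy as first-match, so the catch-all deny must be the last rule; a deny placed earlier would shadow the allows beneath it rather than close the gaps between them. Extending `Rule` with a ticket or owner field and requiring it on every allow is the usual next step toward the least-privilege posture tip 5 calls for.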
The big takeaways for tech leaders:
- It's nearly impossible to secure technology supply chains from attacks in which hardware is added in for spying purposes, according to a post from Krebs on Security.
- To mitigate the threat of supply chain hacks, organizations can abandon the flat network, require traffic monitoring, and establish and maintain end-to-end encryption for all applications.