sb-as logo
Story image

Exclusive: The cyber security supply chain

"When we generally think of security, we talk about CIA – confidentiality, integrity and availability," says Vincent Weafer, the vice president of the Intel Security McAfee Labs group. 

In particular, he says we've been focussed on confidentiality, in the wake of a number of major data breaches. But he says people are starting to shift their attention towards integrity and availability. 

"The integrity is the supply chain conversation. How do I know that the services or goods I'm bringing in to my office are not the weak link in the chain or deliberately compromised?" he asks.

Our sensitivity to this will differ depending on the industry we work in. For example, law enforcement will be very particular about where security cameras are sourced. When you look at recent attacks such as the wave of ransomware attacks against healthcare providers or the breaches against the SWIFT payments system, attackers look for the weak link in the chain and focus their efforts there.

"I don't go after you directly; I go after one of your suppliers".

Weafer says we need to start thinking about certifying the quality of the vendors we let into our companies. In particular, Weafer believes this is something sorely lacking when it comes to the Internet of Things (IoT).

And while the newly rebranded McAfee has a long pedigree in delivering end-point security solutions, there's a need to go further by employing better controls in the network to ensure devices only communicate with approved services.

"All you should be doing is getting updates for your system, going back to the mothership. There's no reason to be going anywhere else or downloading any other software. Let's just lock it down with a whitelisting-type approach," says Weafer.

This is why some companies, such as HP with their secure printing services, have printers have an embedded IDS and self-healing BIOS, or devices are being deployed with the ability, via embedded silicon, to resist tampering.

Consumers have a much harder time with this says Weafer. This is why consumer IoT devices are so attractive to hackers. The recent Mirai botnet attacks on Dyn and Liberia take advantage of this "IoT cannon". The data volumes that can be generated in attacks like this, using the Mirai botnet, are well beyond what we've seen from previous botnets.

Weafer says this drives some important questions.

"Do they have an ability to be updated? If there's a password, can I change it?".

The Dyn attack specifically attacked products that either could not have their password changed or were still using default passwords.

In addition, he says consumers should explore whether some sort of gateway system can be used to control the IoT devices collectively rather than needing to be managed individually.

And while consumers find this challenging, Weafer says enterprises are struggling under the diversity of different devices and the volume.

The good news, says Weafer, is that some industries are starting to recognise the importance of securing the supply chain. He knows of industry groups that are looking to add security alongside other industry certification. That kind of attestation asserts that a minimum level of security, that is agreed to be adequate, is in place to ensure the collective is safeguarded against the actions of a small number of members.

In time, such as standard could be used as a product benefit rather than a cost – in much the same way as the automotive industry railed against airbags because of the increased cost until they saw it as a benefit.

Once the industry reaches this level of maturity, we could get to the point where we can deploy systems with an expectation of a minimal level of acceptable assurance that devices work safely

Story image
How to address cyber-threats as a strategic risk
Becoming a cyber-secure organisation in the face of an evolving threat landscape requires a strategic, business-focused approach to security as opposed to a tactical approach in which security is addressed simply by implementing new tools.More
Story image
Microsoft is most imitated brand for phishing attacks in Q3
Popular phishing tactics using the Microsoft brand used email campaigns to steal credentials of Microsoft accounts, luring victims to click on malicious links which redirect them to a fraudulent Microsoft login page. More
Story image
Acronis expands global data centre network, including new facilities in NZ
The expansion ensures that the full range of Acronis Cyber Protection Solutions will be available to partners and organisations around the world.More
Story image
Zoom to begin rolling out end-to-end encryption
Available starting from next week, it represents the first phase out of four of the company’s greater E2EE offering, which was announced in May following backlash that the company was lax on its security and privacy.More
Link image
How to head off a rise in DDoS attacks
Many businesses invest in costly DDoS mitigation and protection solutions, but few test them. NCC Group tests all environments and is one of only two AWS DDoS Test Partners. Claim 10% off your next DDoS service today.More
Story image
Interview: How cyber hygiene supports security culture - ThreatQuotient
We spoke with ThreatQuotient’s APJC regional director Anthony Stitt to dig deeper into cyber hygiene, security culture, threat intelligence, and the tools that support them.More