Exclusive: The cyber security supply chain
"When we generally think of security, we talk about CIA – confidentiality, integrity and availability," says Vincent Weafer, the vice president of the Intel Security McAfee Labs group.
In particular, he says we've been focussed on confidentiality, in the wake of a number of major data breaches. But he says people are starting to shift their attention towards integrity and availability.
"The integrity is the supply chain conversation. How do I know that the services or goods I'm bringing in to my office are not the weak link in the chain or deliberately compromised?" he asks.
Our sensitivity to this differs by industry: law enforcement, for example, will be very particular about where its security cameras are sourced. Recent attacks such as the wave of ransomware against healthcare providers and the breaches of the SWIFT payments system show the pattern: attackers look for the weak link in the chain and focus their efforts there.
"I don't go after you directly; I go after one of your suppliers".
Weafer says we need to start thinking about certifying the quality of the vendors we let into our companies. In particular, Weafer believes this is something sorely lacking when it comes to the Internet of Things (IoT).
And while the newly rebranded McAfee has a long pedigree in delivering end-point security solutions, there's a need to go further by employing better controls in the network to ensure devices only communicate with approved services.
"All you should be doing is getting updates for your system, going back to the mothership. There's no reason to be going anywhere else or downloading any other software. Let's just lock it down with a whitelisting-type approach," says Weafer.
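The whitelisting approach Weafer describes, as a gateway would apply it: each device is allowed to reach only its vendor's update service (and the gateway's own resolver), and everything else is denied by default. The example below is added here and is not code from the article, McAfee or any vendor; the device MAC addresses, the flow-log format and the destination ranges (RFC 5737 documentation addresses) are constructed for illustration.

```python
"""Per-device egress allow-list for IoT devices, evaluated over flow records.

Constructed example. Policy keys are device MAC addresses; destination ranges
are RFC 5737 documentation networks standing in for a vendor's update/cloud
endpoints. The gateway is assumed to be 10.0.0.1 and to run the only resolver
the devices may use.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re


@dataclass(frozen=True)
class Rule:
    network: str   # CIDR the device may talk to
    port: int
    proto: str     # "tcp" or "udp"

    def matches(self, dst, port, proto):
        return (proto == self.proto and port == self.port
                and ip_address(dst) in ip_network(self.network))


POLICY = {
    # A camera: firmware updates over HTTPS from its vendor; DNS only via the gateway.
    "aa:bb:cc:00:00:01": (Rule("203.0.113.0/24", 443, "tcp"),
                          Rule("10.0.0.1/32", 53, "udp")),
    # A thermostat: same shape of policy, different vendor range.
    "aa:bb:cc:00:00:02": (Rule("198.51.100.0/24", 443, "tcp"),
                          Rule("10.0.0.1/32", 53, "udp")),
}

# Constructed flow-record format: "<ts> <mac> <src> -> <dst>:<port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<mac>[0-9a-f:]{17}) (?P<src>\S+) -> "
    r"(?P<dst>[^:]+):(?P<port>\d+) (?P<proto>tcp|udp)$")


def parse_flow(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    flow = m.groupdict()
    flow["port"] = int(flow["port"])
    return flow


def evaluate(flow, policy=POLICY):
    """Return 'allow', or a 'deny: ...' reason. Unknown devices are denied."""
    rules = policy.get(flow["mac"])
    if rules is None:
        return "deny: unknown device"
    if any(r.matches(flow["dst"], flow["port"], flow["proto"]) for r in rules):
        return "allow"
    return f"deny: {flow['dst']}:{flow['port']}/{flow['proto']} not in allow-list"


def audit(lines, policy=POLICY):
    """Run every flow record through the policy; return the denied ones."""
    denied = []
    for line in lines:
        flow = parse_flow(line)
        verdict = evaluate(flow, policy)
        if verdict != "allow":
            denied.append((flow["ts"], flow["mac"], flow["dst"], flow["port"], verdict))
    return denied


def render_nft(policy=POLICY, table="inet iot", chain="forward"):
    """Illustrative nftables rules expressing the same policy, assuming the
    gateway has a 'forward' chain whose default policy is drop."""
    return [f"add rule {table} {chain} ether saddr {mac} "
            f"ip daddr {r.network} {r.proto} dport {r.port} accept"
            for mac, rules in policy.items() for r in rules]


# Constructed sample flows: a normal update check, a telnet probe from the
# camera (the kind of outbound scanning a compromised device would do), the
# thermostat reaching the wrong vendor, and a device the gateway has never seen.
SAMPLE_FLOWS = [
    "2016-10-21T11:10:01Z aa:bb:cc:00:00:01 10.0.0.12 -> 10.0.0.1:53 udp",
    "2016-10-21T11:10:01Z aa:bb:cc:00:00:01 10.0.0.12 -> 203.0.113.10:443 tcp",
    "2016-10-21T11:10:05Z aa:bb:cc:00:00:01 10.0.0.12 -> 192.0.2.77:23 tcp",
    "2016-10-21T11:10:09Z aa:bb:cc:00:00:02 10.0.0.13 -> 198.51.100.5:443 tcp",
    "2016-10-21T11:10:12Z aa:bb:cc:00:00:02 10.0.0.13 -> 203.0.113.10:443 tcp",
    "2016-10-21T11:10:20Z de:ad:be:ef:00:99 10.0.0.40 -> 198.51.100.5:443 tcp",
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_FLOWS):
        print(*entry)
    print("\n".join(render_nft()))
```

The point of the default-deny shape is that a compromised device announces itself by its traffic: the telnet probe and the cross-vendor connection are flagged without any signature for the malware involved, and a device that was never enrolled gets nothing at all.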
This is why some companies, such as HP with its secure printing services, ship printers with an embedded IDS and a self-healing BIOS, and why other devices are being deployed with embedded silicon that lets them resist tampering.
Consumers have a much harder time with this, says Weafer. This is why consumer IoT devices are so attractive to hackers. The recent Mirai botnet attacks on Dyn and Liberia took advantage of this "IoT cannon". The data volumes generated in attacks like these, using the Mirai botnet, are well beyond what we've seen from previous botnets.
Weafer says this drives some important questions.
"Do they have an ability to be updated? If there's a password, can I change it?".
The Dyn attack specifically targeted products that either could not have their password changed or were still using default passwords.
In addition, he says consumers should explore whether some sort of gateway system can be used to control the IoT devices collectively rather than needing to be managed individually.
And while consumers find this challenging, Weafer says enterprises are struggling with the diversity and sheer volume of devices.
The good news, says Weafer, is that some industries are starting to recognise the importance of securing the supply chain. He knows of industry groups that are looking to add security alongside their other industry certifications. That kind of attestation asserts that an agreed minimum level of security is in place, so that the collective is safeguarded against the actions of a small number of weak members.
In time, such a standard could be presented as a product benefit rather than a cost, much as the automotive industry railed against airbags because of the added cost until it came to see them as a selling point.
Once the industry reaches this level of maturity, we could get to the point where we can deploy systems with an expectation of a minimal level of acceptable assurance that devices work safely.