
Exclusive: The cyber security supply chain

08 Nov 2016

"When we generally think of security, we talk about CIA – confidentiality, integrity and availability," says Vincent Weafer, the vice president of the Intel Security McAfee Labs group. 

In particular, he says we've been focussed on confidentiality, in the wake of a number of major data breaches. But he says people are starting to shift their attention towards integrity and availability. 

"The integrity is the supply chain conversation. How do I know that the services or goods I'm bringing in to my office are not the weak link in the chain or deliberately compromised?" he asks.

Our sensitivity to this will differ depending on the industry we work in. For example, law enforcement will be very particular about where security cameras are sourced. When you look at recent attacks such as the wave of ransomware attacks against healthcare providers or the breaches against the SWIFT payments system, attackers look for the weak link in the chain and focus their efforts there.

"I don't go after you directly; I go after one of your suppliers."

Weafer says we need to start thinking about certifying the quality of the vendors we let into our companies. In particular, Weafer believes this is something sorely lacking when it comes to the Internet of Things (IoT).

And while the newly rebranded McAfee has a long pedigree in delivering end-point security solutions, there's a need to go further by employing better controls in the network to ensure devices only communicate with approved services.

"All you should be doing is getting updates for your system, going back to the mothership. There's no reason to be going anywhere else or downloading any other software. Let's just lock it down with a whitelisting-type approach," says Weafer.
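The network control Weafer describes, an egress allowlist under which each device class may reach only its vendor's update service and everything else is flagged, as an added example that is not from the article. Device classes, hostnames, addresses and flow-log lines are all constructed for the demonstration.

```python
# Egress allowlist check modelling the "whitelisting-type approach":
# each device class may contact only its vendor's update/time service; any
# other destination is reported. Added example, not from the article; all
# device classes, hostnames, addresses and log lines below are constructed.

# Policy: device class -> set of (destination host, port) it may contact.
ALLOWLIST = {
    "camera": {("updates.example-cam.test", 443)},
    "thermostat": {("fw.example-hvac.test", 443), ("ntp.example-hvac.test", 123)},
}

# Inventory: source address -> device class (constructed).
INVENTORY = {
    "10.0.5.10": "camera",
    "10.0.5.11": "camera",
    "10.0.5.20": "thermostat",
}


def parse_flow(line):
    """Parse a constructed flow-log line of the form '<src> -> <dst_host>:<port>'."""
    src, rest = line.split(" -> ")
    host, port = rest.rsplit(":", 1)
    return src.strip(), host.strip(), int(port)


def check_flows(lines):
    """Return (src, device_class, host, port) for every flow that violates the
    allowlist. Flows from addresses missing from the inventory are reported with
    class 'unknown': an uninventoried device is itself a supply-chain gap."""
    violations = []
    for line in lines:
        src, host, port = parse_flow(line)
        cls = INVENTORY.get(src)
        if cls is None:
            violations.append((src, "unknown", host, port))
        elif (host, port) not in ALLOWLIST[cls]:
            violations.append((src, cls, host, port))
    return violations


# Constructed sample flows: two approved, one unapproved, one unknown device.
SAMPLE_FLOWS = [
    "10.0.5.10 -> updates.example-cam.test:443",
    "10.0.5.11 -> 203.0.113.7:23",
    "10.0.5.20 -> fw.example-hvac.test:443",
    "10.0.5.99 -> ntp.example-hvac.test:123",
]

if __name__ == "__main__":
    for src, cls, host, port in check_flows(SAMPLE_FLOWS):
        print(f"BLOCK {src} ({cls}) -> {host}:{port}")
```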

This is why some companies, such as HP with its secure printing services, ship printers with an embedded IDS and a self-healing BIOS, and why devices are being deployed with the ability, via embedded silicon, to resist tampering.

Consumers have a much harder time with this, says Weafer. This is why consumer IoT devices are so attractive to hackers. The recent Mirai botnet attacks on Dyn and Liberia took advantage of this "IoT cannon". The data volumes generated in attacks like this, using the Mirai botnet, are well beyond what we've seen from previous botnets.

Weafer says this drives some important questions.

"Do they have an ability to be updated? If there's a password, can I change it?"

The Dyn attack specifically attacked products that either could not have their password changed or were still using default passwords.

In addition, he says consumers should explore whether some sort of gateway system can be used to control the IoT devices collectively rather than needing to be managed individually.

And while consumers find this challenging, Weafer says enterprises are struggling under the diversity of different devices and the volume.

The good news, says Weafer, is that some industries are starting to recognise the importance of securing the supply chain. He knows of industry groups that are looking to add security alongside other industry certifications. Such an attestation asserts that an agreed minimum level of security is in place, so that the collective is safeguarded against the actions of a small number of members.

In time, such a standard could be used as a product benefit rather than a cost, in much the same way as the automotive industry railed against airbags because of the increased cost until they saw them as a benefit.

Once the industry reaches this level of maturity, we could get to the point where we can deploy systems with an expectation of a minimal level of acceptable assurance that devices work safely.
