Exclusive: The cyber security supply chain

08 Nov 16

"When we generally think of security, we talk about CIA – confidentiality, integrity and availability," says Vincent Weafer, the vice president of the Intel Security McAfee Labs group. 

In particular, he says we've been focussed on confidentiality, in the wake of a number of major data breaches. But he says people are starting to shift their attention towards integrity and availability. 

"The integrity is the supply chain conversation. How do I know that the services or goods I'm bringing in to my office are not the weak link in the chain or deliberately compromised?" he asks.

Our sensitivity to this will differ depending on the industry we work in. For example, law enforcement will be very particular about where security cameras are sourced. When you look at recent attacks such as the wave of ransomware attacks against healthcare providers or the breaches against the SWIFT payments system, attackers look for the weak link in the chain and focus their efforts there.

"I don't go after you directly; I go after one of your suppliers".

Weafer says we need to start thinking about certifying the quality of the vendors we let into our companies. In particular, Weafer believes this is something sorely lacking when it comes to the Internet of Things (IoT).

And while the newly rebranded McAfee has a long pedigree in delivering end-point security solutions, there's a need to go further by employing better controls in the network to ensure devices only communicate with approved services.

"All you should be doing is getting updates for your system, going back to the mothership. There's no reason to be going anywhere else or downloading any other software. Let's just lock it down with a whitelisting-type approach," says Weafer.
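The lockdown Weafer describes, expressed as a check rather than an enforcement rule: this is an added example, not code from the article or from McAfee. It audits constructed IoT flow records against a per-device allow-list of approved update services and flags anything else; the device names, hostnames, ports and log format are all assumptions.

```python
"""Egress allow-list check for IoT devices: each device may reach only its
vendor's update service; everything else is a violation (default deny).
Added example, not from the article; inventory and flow log are constructed."""
from typing import Dict, List, Optional, Tuple
# Constructed inventory of approved (host, port) destinations per device.
ALLOWLIST: Dict[str, set] = {
    "cam-01": {("updates.camera-vendor.example", 443)},
    "thermostat-07": {("fw.hvac-vendor.example", 443),
                      ("ntp.hvac-vendor.example", 123)},
}

def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse one constructed flow record 'device,dst_host,dst_port,bytes'."""
    device, host, port, _nbytes = (f.strip() for f in line.split(","))
    return device, host.lower(), int(port)

def check_flow(device: str, host: str, port: int) -> Optional[str]:
    """Return a reason if the flow breaks policy, None if it is permitted."""
    allowed = ALLOWLIST.get(device)
    if allowed is None:
        return "unknown device (not in inventory)"
    if (host, port) not in allowed:
        return f"unexpected destination {host}:{port}"
    return None

def audit(lines) -> Dict[str, List[str]]:
    """Group violations by device so an operator sees which units misbehave."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and comments in the log
        device, host, port = parse_flow(line)
        reason = check_flow(device, host, port)
        if reason:
            findings.setdefault(device, []).append(reason)
    return findings

# Constructed sample flow log: permitted update fetches, one stray
# connection from the camera, and a device nobody inventoried.
SAMPLE_LOG = """\
cam-01,updates.camera-vendor.example,443,1200
cam-01,198.51.100.23,8080,480
thermostat-07,NTP.hvac-vendor.example,123,76
thermostat-07,fw.hvac-vendor.example,443,9000
doorbell-x,cdn.example,80,3000
""".splitlines()

if __name__ == "__main__":
    for dev, reasons in audit(SAMPLE_LOG).items():
        print(f"{dev}: {'; '.join(reasons)}")
```

The same allow-list, once it is trusted, is what a network firewall or gateway would enforce; running it first in audit mode shows which devices already misbehave before anything is blocked.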

This is why some companies are building such controls into the devices themselves: HP, for example, ships printers with an embedded IDS and a self-healing BIOS as part of its secure printing services, and other devices are being deployed with embedded silicon that resists tampering.

Consumers have a much harder time with this, says Weafer, which is why consumer IoT devices are so attractive to hackers. The recent Mirai botnet attacks on Dyn and Liberia took advantage of this "IoT cannon". The data volumes generated in attacks like this, using the Mirai botnet, are well beyond what we have seen from previous botnets.

Weafer says this drives some important questions.

"Do they have an ability to be updated? If there's a password, can I change it?"

The Dyn attack specifically attacked products that either could not have their password changed or were still using default passwords.

In addition, he says consumers should explore whether some sort of gateway system can be used to control the IoT devices collectively rather than needing to be managed individually.

And while consumers find this challenging, Weafer says enterprises are struggling with the diversity and sheer number of devices they have to manage.

The good news, says Weafer, is that some industries are starting to recognise the importance of securing the supply chain. He knows of industry groups that are looking to add security alongside other industry certifications. That kind of attestation asserts that an agreed minimum level of security is in place, so that the collective is safeguarded against the actions of a small number of members.

In time, such a standard could be presented as a product benefit rather than a cost – in much the same way as the automotive industry railed against airbags because of the increased cost until it saw them as a benefit.

Once the industry reaches this level of maturity, we could get to the point where we can deploy systems with an expectation of a minimal level of acceptable assurance that devices work safely.
