Few industries can exist nowadays without an extensive supply chain via multiple vendors or suppliers. Disruption to that supply chain can have dire consequences: Just look at the effect on Toyota from the Tōhoku earthquake and tsunami. In the IT industry, trustworthiness within the supply chain is key to strong security -- but can that security ever be assured?
Still, a paper from Chinese sources presented at the recent EWI Cybersecurity Summit in London tackles the subject in an innovative and practical way and proposes a solution.
The authors, Xiaofeng Qiu of Beijing University and Liang Zhao of NSFocus, say existing standards for supply chain soundness fail to properly include vulnerability testing. A weakness at any point of the supply chain could result in the injection of malicious code in hardware or software before components reach their destination. Supply chain integrity is, therefore, essential for IT security.
In this study, the researchers focus in particular on the failure of vulnerability testing to properly detect covert channels, places in a supply chain where information is transferred between processes where that should not be allowed to happen.
As it stands, ISO/IEC 15408 outlines the requirements for ICT security evaluation and best practices. In those specs, “Evaluation Assurance Levels” (EALs) are measured from 1 to 7. Where security is not considered a risk (EAL1), basic conformance testing is sufficient to guarantee security. At EAL7 (security for high-risk situations), far more concepts need to be tested for.
Somewhat unbelievably, penetration testing for covert channels only starts at EAL5, “where developers or users require a high level of independently assured security in a planned environment.”
It follows, then, that EAL1 to EAL4 systems are open to all manner of vulnerabilities -- bugs, Trojan horses, etc. -- from intruders at any point in the supply chain who could possibly be engaged in industrial espionage, blackmail, or advanced persistent threats (APTs). Also, the researchers say, testing for covert channels in recognized EAL5 to EAL7 systems is not widely implemented throughout the industry.
Other best practices attempt to lessen the impact of supply chain vulnerabilities through the use of tamper-resistant packaging, remote tracking and monitoring, and third-party product validation and certification. But for many, the cost of replacing existing network elements may be out of the question. To help users validate that IT suppliers are operating securely in their supply chains, Qiu and Zhao propose "Architectural Solution Integration" (ASI), a four-layered approach to mitigate risks in the ICT supply chain. Each of the four layers (as per the figure below) reflects a different assurance level in the supply chain:
A layered approach to mitigating risks in the ICT supply chain. Source: "Architectural Solution Integration to Contain ICT Supply Chain Threats," Xiaofeng QIU, Beijing University of Posts and Telecommunications, & Liang ZHAO, NSFOCUS.
Layer 1 (the base) represents existing supplier quality processes, i.e. ISO standards.
Layer 2 represents existing third-party functionality testing and certification, i.e. EALs.
Layer 3 is the ASI. It relies on data in a “Supplier Database” (SDB) containing information shared among public and private sectors on trustworthiness, location, suppliers, technologies, and so on. As part of the ASI, a formula computes trustworthiness from the information fed in from the SDB. The results identify major threats and the critical information assets that need protection, and they assist in analyzing data flows and critical paths, thus exposing vulnerabilities.
The final Layer 4 reflects the strictest integrity requirements, including tests for distributed denial of service (DDoS), electromagnetic pulse (EMP), and extreme service/application-level starving.
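To make the Layer 3 idea concrete, here is an added toy model of a Supplier Database with a critical-path analysis. This is not the paper's own trustworthiness formula (the page does not reproduce it) and not code from Qiu and Zhao; the SDB fields, the 0-to-1 trust scores, the sample suppliers and the "trust of a chain is the product of its links" rule are all assumptions made for the example.

```python
# Added example: a toy model of the Layer 3 "Supplier Database" (SDB) idea.
# NOT the paper's formula (which is not reproduced on this page). Field names,
# the 0..1 trust scores, the sample suppliers and the product-along-the-chain
# composition rule are all assumptions made here. The supplier graph is
# assumed to be acyclic.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Supplier:
    name: str
    trust: float                                      # assumed SDB field: 0.0 untrusted .. 1.0 fully trusted
    sources: List[str] = field(default_factory=list)  # upstream suppliers this one depends on


# Constructed sample SDB: a router vendor whose firmware contractor pulls a
# crypto library from a low-assurance source, plus a separate hardware fab.
SDB: Dict[str, Supplier] = {
    "router-vendor": Supplier("router-vendor", 0.95, ["firmware-shop", "fab"]),
    "firmware-shop": Supplier("firmware-shop", 0.90, ["crypto-lib"]),
    "crypto-lib":    Supplier("crypto-lib", 0.40),
    "fab":           Supplier("fab", 0.85),
}


def supply_paths(root: str, db: Dict[str, Supplier]) -> List[List[str]]:
    """Enumerate every chain of suppliers feeding `root`, listed upstream-first."""
    node = db[root]
    if not node.sources:
        return [[root]]
    paths: List[List[str]] = []
    for src in node.sources:
        for upstream in supply_paths(src, db):
            paths.append(upstream + [root])
    return paths


def path_trust(path: List[str], db: Dict[str, Supplier]) -> float:
    """Assumed composition rule: a chain is only as trustworthy as the product
    of its links, so one weak supplier drags the whole path down."""
    trust = 1.0
    for name in path:
        trust *= db[name].trust
    return round(trust, 4)


def analyze(root: str, db: Dict[str, Supplier], threshold: float = 0.5) -> dict:
    """Find the least-trusted path into `root` and every supplier below `threshold`."""
    paths = supply_paths(root, db)
    scored = sorted(((path_trust(p, db), p) for p in paths), key=lambda t: t[0])
    worst_trust, worst_path = scored[0]
    weakest = min(worst_path, key=lambda n: db[n].trust)
    flagged = sorted({n for p in paths for n in p if db[n].trust < threshold})
    return {
        "critical_path": worst_path,          # the chain that most needs attention
        "path_trust": worst_trust,
        "weakest_link": weakest,              # the supplier to audit or replace first
        "flagged_suppliers": flagged,         # everyone under the trust threshold
    }


if __name__ == "__main__":
    for key, value in analyze("router-vendor", SDB).items():
        print(f"{key}: {value}")
```

The useful output is not the number itself but the path it is attached to: the report points at the crypto-library source as the link where an integrity control (code signing, independent testing, a second supplier) buys the most.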
As part of a package of assurance measures, this four-layered approach could well be a major improvement to security and integrity within the ICT supply chain. By identifying the weak points in the link, the risks can be mitigated. In the light of recent hacks, though, it remains clear that there is a need for tougher intrusion testing.
— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com.
Nigg also pointed out that the attackers haven't managed to compromise the authority's private encryption key because it is stored on a computer that isn't connected to the Internet.
The system must be networked. It's just not public facing.
It must be noted that systems that are not public facing (behind firewall, privately addressed, etc.) are not always protected from the Internet.
In a three-tiered system, the Web server talks to the application server, which pulls from the database server. The database server may be behind two separate firewalls (costs usually dictate only a two-tiered environment), but the Web server provides indirect access to the data. A SQL Injection goes all the way through to the backend.
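The point made in the comment above, that a "non-public" database is still reachable through the application tier, is easy to show in code. The following is an added example, not code from the commenter or from any product discussed here: an in-memory SQLite database stands in for the backend, a web handler passes a request parameter down unchanged, and the application tier is shown once with string-concatenated SQL and once with a parameterised query. The table, rows and input values are constructed for the example.

```python
# Added example: three tiers in one process. The firewall in front of the
# database does nothing for a query the application tier builds out of
# untrusted web input. All data below is constructed for the demonstration.
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """Backend tier: a private database with data the web tier should never dump wholesale."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, ssn) VALUES (?, ?)",
        [("alice@example.com", "111-11-1111"), ("bob@example.com", "222-22-2222")],
    )
    return conn


# Application tier, vulnerable: the request value is pasted into the SQL text,
# so whatever the web tier received is executed by the database as SQL.
def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    sql = "SELECT email, ssn FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


# Application tier, hardened: the value travels as a bound parameter, so the
# database treats it as data no matter what characters it contains.
def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    return conn.execute(
        "SELECT email, ssn FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Web tier: hands the request parameter down to the application tier unchanged.
def web_handler(conn: sqlite3.Connection, request_param: str,
                lookup: Callable[[sqlite3.Connection, str], List[Tuple[str, str]]]):
    return lookup(conn, request_param)


def demo() -> dict:
    conn = make_db()
    normal = "alice@example.com"
    hostile = "x' OR '1'='1"   # constructed: the textbook tautology, to show the difference
    return {
        "vulnerable_normal": web_handler(conn, normal, lookup_vulnerable),
        "vulnerable_hostile": web_handler(conn, hostile, lookup_vulnerable),
        "safe_hostile": web_handler(conn, hostile, lookup_safe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hostile input returns every row through the vulnerable path and nothing through the parameterised one. Network placement of the database server never enters into it, which is why secure coding of the middle tier (and, on the detection side, logging of anomalous query shapes at the database) belongs in any supply chain assurance checklist alongside the firewall diagram.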
@cvargas, yeah I agree with you. I would say producing a secure software platform is an evolving science. These can also be considered:
Sourcing, including vendor contractual integrity controls and technical integrity controls for suppliers.
Development and testing, including technical controls and security testing controls.
Delivery and sustainment, including publishing and dissemination controls, authenticity controls, and product deployment and sustainment controls.
Nigg also pointed out that the attackers haven't managed to compromise the authority's private encryption key because it is stored on a computer that isn't connected to the Internet.
[emphasis added]
if you have malware in your computer then you have no way to know what your computer is actually doing. it may be
running a keyboard logger so it can steal passwords before your computer encrypts them
running a remote access trojan (RAT) so that data, such as your private keyring, can be "exfiltrated" from your computer to ?
Keeping malware out of the endpoints is critical. StartSSL simply used an air-gap.
good thinking*
and that is the only sure method until we get our S/Audit tool so that we can verify that computer security defenses actually work.
MSRT needs to be upgraded into a complete S/Audit.
~~
* but: it also tells you: a network connected computer cannot safely be used to process confidential data. this is the "tipping point". either this gets fixed or we go back to Sneaker Net.
I'm betting on SneakerNet (now that autorun is dead)
"This is great when you can measure availability, but what is the equivalent for security? You could define some key security metrics and ask the supplier to be certified to a recognised standard, such as ISO 27001. But does this really give you the level of security you require?"
I would suggest the following:
Objective: To implement a specific Best Practice
Audit: Inspect Corporate Network for Compliance with the Best Practice
as a part of the audit you will need to verify not only that a required tool such as AppLocker is installed -- but that it is properly installed and has not been subjected to unauthorized modification.
PATHWAYS
in examining security you must look for pathways: can i find a path by which i can move a little bit of malware and get it into a spot where it will execute in such fashion as to exfiltrate some data
one of the troubles with Windows is that while it is feature-rich it also has many pathways
in today's situation the S/Audit will help as many attacks are based on dropping malware
but that's not all
users move data from program to program and from system to system so the potential for carrying attack-code is there. a spreadsheet with a flash-virus, or an e/mail with java code... these things can be moved from system to system -- changing their privilege level along the way... the whole concept of embedding executable code in data -- such as a flash-virus -- must be re-thought.
Google has already addressed this thought: see http://news.cnet.com/8301-30685_3-20072846-264/chromes-security-overhaul-begins-with-pdf-plug-in/
you will find this: Using an idea called static analysis, NaCl software modules are examined in advance to make sure they don't use a particular subset of restricted operations such as writing data to a hard drive.
one should ask why there are any instructions in a flash file to begin with: the flash player is supposed to be installed in your client; the flash file should only contain data to be displayed by the flash player. exactly the same way that a .txt file works with notepad
there will be some who will laugh at me now for being obsolete. but i think LulzSec is getting the last laugh
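The static-analysis idea quoted in the comment above (examine a module in advance and refuse to load it if it uses a restricted operation such as writing to disk) can be illustrated with Python's own `ast` module. This is an added example, not the NaCl validator and not code from the commenter or from Google: the restricted-operation lists are a toy policy chosen for the demonstration, and the two sample modules are constructed.

```python
# Added example: gate a module on a static scan of its syntax tree before it
# is ever executed, in the spirit of the NaCl validator quoted above. The
# policy lists are assumptions for this toy; they are not NaCl's rules.
import ast
from typing import Dict, List, Tuple

RESTRICTED_BUILTINS = {"open", "exec", "eval", "compile", "__import__"}
RESTRICTED_MODULES = {"os", "subprocess", "sys", "socket", "ctypes", "shutil", "pathlib"}
RESTRICTED_METHODS = {"system", "popen", "write", "remove", "unlink", "rmtree"}

Finding = Tuple[int, str]   # (line number, description)


def find_restricted_ops(source: str) -> List[Finding]:
    """Walk the parsed tree and report every import or call the policy forbids."""
    tree = ast.parse(source)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                if top in RESTRICTED_MODULES:
                    findings.append((node.lineno, f"import of restricted module '{top}'"))
        elif isinstance(node, ast.ImportFrom):
            top = (node.module or "").split(".")[0]
            if top in RESTRICTED_MODULES:
                findings.append((node.lineno, f"import from restricted module '{top}'"))
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in RESTRICTED_BUILTINS:
                findings.append((node.lineno, f"call to restricted builtin {func.id}()"))
            elif isinstance(func, ast.Attribute) and func.attr in RESTRICTED_METHODS:
                findings.append((node.lineno, f"call to restricted method .{func.attr}()"))
    return sorted(findings)


def load_if_clean(source: str, namespace: Dict) -> Tuple[bool, List[Finding]]:
    """Execute the module into `namespace` only if the scan found nothing."""
    findings = find_restricted_ops(source)
    if findings:
        return False, findings
    exec(compile(source, "<untrusted-module>", "exec"), namespace)
    return True, []


# Constructed sample modules: one that only transforms its input, one that
# tries to write that input to disk.
CLEAN_MODULE = "def render(data):\n    return data.upper()\n"
DIRTY_MODULE = (
    "def render(data):\n"
    "    open('/tmp/leak.txt', 'w').write(data)\n"
    "    return data\n"
)


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_MODULE), ("dirty", DIRTY_MODULE)):
        ok, problems = load_if_clean(src, {})
        print(label, "loaded" if ok else f"rejected: {problems}")
```

A syntactic gate like this is a filter, not a sandbox: it decides what is allowed to be loaded, and in a real system it is paired with runtime isolation so that anything the scan cannot see is still contained, which is exactly the combination the quoted article describes for NaCl.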
I think the S/Audit tool is a good idea, but it is after the fact.
I think application white listing is the same concept in a proactive setup. If it is not on the approved list, it doesn't run.
Another option, or even one to co-exist with whitelisting, is to get us back to using thin clients.
Used in conjunction with application white listing, we minimize the threats to the systems that contain the true operating system and scale down the footprint of systems that can be compromised.
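Both the audit point raised earlier in the thread (verify that a control such as AppLocker is not only installed but unmodified) and the application whitelisting point just above come down to the same primitive: a content hash compared against a known-good record. The following is an added example, not the commenters' code and not AppLocker: it keeps an allowlist of approved executables by SHA-256 and a baseline of control artefacts whose hash must not drift, and runs against constructed temporary files.

```python
# Added example: hash-based application allowlisting plus a tamper check on
# the control's own configuration. Not AppLocker; all files are constructed
# in a temporary directory so the demo runs offline.
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class Allowlist:
    """Approved executables keyed by content hash, and a baseline of
    artefacts (policy files, the allowlist tool itself) that must not change."""

    def __init__(self) -> None:
        self.approved: Dict[str, str] = {}   # sha256 -> human label
        self.baseline: Dict[str, str] = {}   # path -> sha256 recorded at audit time

    def approve(self, path: str, label: str) -> None:
        self.approved[sha256_file(path)] = label

    def may_run(self, path: str) -> bool:
        """If it is not on the approved list, it doesn't run."""
        return sha256_file(path) in self.approved

    def record_baseline(self, path: str) -> None:
        self.baseline[path] = sha256_file(path)

    def audit(self) -> List[str]:
        """Return every baselined path that is missing or whose hash has drifted."""
        drift = []
        for path, expected in self.baseline.items():
            if not os.path.exists(path) or sha256_file(path) != expected:
                drift.append(path)
        return drift


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: one approved tool, one unknown binary, one policy
    file that is modified after the baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        tool = os.path.join(tmp, "approved_tool.bin")
        unknown = os.path.join(tmp, "dropped.bin")
        policy = os.path.join(tmp, "policy.xml")
        _write(tool, b"\x7fELF approved build 1.0")
        _write(unknown, b"\x7fELF something that arrived by e-mail")
        _write(policy, b"<Policy>enforce</Policy>")

        al = Allowlist()
        al.approve(tool, "approved_tool 1.0")
        al.record_baseline(policy)
        drift_before = al.audit()

        _write(policy, b"<Policy>audit-only</Policy>")   # simulated unauthorized change
        drift_after = al.audit()

        return {
            "tool_runs": al.may_run(tool),
            "unknown_runs": al.may_run(unknown),
            "drift_before": drift_before,
            "drift_after": [os.path.basename(p) for p in drift_after],
        }


if __name__ == "__main__":
    print(demo())
```

The audit step is the part the earlier comment is asking for: an allowlist whose policy file can be silently switched from enforce to audit-only gives no assurance, so the integrity of the control is checked with the same mechanism that the control applies to everything else.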
You bring up some very good points. However, the question is not necessarily what standards (such as ISO) should be followed, but rather the cost associated with meeting a security requirement. Many third world country companies simply do not have the money available to implement these protocols (nor would they have the skills to). So I would see it more as a question of what type of security controls should be implemented within the software platforms themselves.
This would be more indicative towards securing the supply chain itself. Far too often the other aspects that can be implemented towards security are more easily obtained than actually securing the MRP/ERP systems themselves. The use of VPN tunnels, encryption, and even protocol management are easily combined to create an effective strategy, but the actual software itself is most typically the biggest vulnerability.
Yes I agree with you, cvargas. This can be applied to any technological company or service standards. Just as the nations of the world were able to make historic progress on enhancing international aviation security in 2010, so too can we make global ICT supply chain security stronger, smarter and more resilient this year?
Many service provider contracts are now based on service levels – “the network will be available 99.999% between the hours of 8.00am and 7.00pm Monday to Friday”. This is great when you can measure availability, but what is the equivalent for security? You could define some key security metrics and ask the supplier to be certified to a recognised standard, such as ISO 27001. But does this really give you the level of security you require? Could it be too little security, or more than your organisation requires? And are you paying for platinum security, when in reality you are being provided with silver plate?
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.