CircleCityCon: Protecting the supply chain

On Saturday, during an early morning session at CircleCityCon in Indianapolis, Akamai’s Dave Lewis addressed the topic of supply chain security with the conference’s early risers.

Over the last year, the topic of supply chain security has grown into a point of discussion in organizations both large and small.

Lewis’ interest in this particular area of security originated with his grandfathers, both of whom served in the Canadian Navy during WWII. While serving, they were charged with protecting supply chains and the stories they shared as Lewis grew up led to this area of focus for him years later in IT.

Back then, it was physical asset protection – these days that’s not the case. Today, supply chain security isn’t just a special focus on physical assets; it’s a mix of digital and physical.

During his talk, Lewis shared the story of a time when he worked for a toy company that definitely wasn’t Toys ‘Я’ Us. Years ago, around the Christmas holidays, thieves had stolen a truck full of product, but were later caught thanks to installed GPS in the cab.

The point being that while thieves were after trucks years ago, these days they’re after intellectual property and other assets. Sure they’ll steal a truck, but if a company is only focused on physical supply chain security – they’re missing half the attack surface.

There have been many examples of supply chain issues over the years, including the Insignia digital picture frames that were infected with malware during the manufacturing process. Samsung has also shipped similar photo frames that were pre-infected.

In 2007, Seagate shipped 500GB drives that were infected with a Trojan during assembly. While this is bad enough, there’s also external connections to the network to consider.

“I worked at one organization where we had roughly 300 connections from partners into our organization, of that 300, only 67 were properly documented,” Lewis noted during his talk – one of several examples he gave where the supply chain exposed the organization to risk.

Another story shared focuses on a penetration test where the attackers were able to gain access to the enterprise within twelve minutes. They were able to target an external partner’s connection to the enterprise using default credentials.

In this case, they attackers targeted something the organization could control, but in other cases they’ll target things outside of the organization’s control, and that’s creates a perfect storm that many security teams struggle to deal with.

So how do organizations deal with this issue?

Compliance-based security measures are just the bare minimum and do little to help cover the supply lines.

Organizations need to do their diligence and then some, requiring that the partner adhere their security requirements; keeping in mind that the lowest bid might also mean the lowest level of security.

It isn’t easy, but if the organization has business partners that are able to access resources and assets, or provide key aspects of the core business, they need to be protected and monitored.

If not, then there’s a good chance that lack of diligence will lead to a an incident similar to the ones at Home Depot, Target, and Goodwill.

Video of the talk is below, courtesy of Irongeek