Story image

Exclusive: The cyber security supply chain

08 Nov 2016

"When we generally think of security, we talk about CIA – confidentiality, integrity and availability," says Vincent Weafer, the vice president of the Intel Security McAfee Labs group. 

In particular, he says we've been focussed on confidentiality, in the wake of a number of major data breaches. But he says people are starting to shift their attention towards integrity and availability. 

"The integrity is the supply chain conversation. How do I know that the services or goods I'm bringing in to my office are not the weak link in the chain or deliberately compromised?" he asks.

Our sensitivity to this will differ depending on the industry we work in. For example, law enforcement will be very particular about where security cameras are sourced. When you look at recent attacks such as the wave of ransomware attacks against healthcare providers or the breaches against the SWIFT payments system, attackers look for the weak link in the chain and focus their efforts there.

"I don't go after you directly; I go after one of your suppliers".

Weafer says we need to start thinking about certifying the quality of the vendors we let into our companies. In particular, Weafer believes this is something sorely lacking when it comes to the Internet of Things (IoT).

And while the newly rebranded McAfee has a long pedigree in delivering end-point security solutions, there's a need to go further by employing better controls in the network to ensure devices only communicate with approved services.

"All you should be doing is getting updates for your system, going back to the mothership. There's no reason to be going anywhere else or downloading any other software. Let's just lock it down with a whitelisting-type approach," says Weafer.

This is why some companies, such as HP with their secure printing services, have printers have an embedded IDS and self-healing BIOS, or devices are being deployed with the ability, via embedded silicon, to resist tampering.

Consumers have a much harder time with this says Weafer. This is why consumer IoT devices are so attractive to hackers. The recent Mirai botnet attacks on Dyn and Liberia take advantage of this "IoT cannon". The data volumes that can be generated in attacks like this, using the Mirai botnet, are well beyond what we've seen from previous botnets.

Weafer says this drives some important questions.

"Do they have an ability to be updated? If there's a password, can I change it?".

The Dyn attack specifically attacked products that either could not have their password changed or were still using default passwords.

In addition, he says consumers should explore whether some sort of gateway system can be used to control the IoT devices collectively rather than needing to be managed individually.

And while consumers find this challenging, Weafer says enterprises are struggling under the diversity of different devices and the volume.

The good news, says Weafer, is that some industries are starting to recognise the importance of securing the supply chain. He knows of industry groups that are looking to add security alongside other industry certification. That kind of attestation asserts that a minimum level of security, that is agreed to be adequate, is in place to ensure the collective is safeguarded against the actions of a small number of members.

In time, such as standard could be used as a product benefit rather than a cost – in much the same way as the automotive industry railed against airbags because of the increased cost until they saw it as a benefit.

Once the industry reaches this level of maturity, we could get to the point where we can deploy systems with an expectation of a minimal level of acceptable assurance that devices work safely

Better data management: Whose job is it?
An Experian executive’s practical advice on how to structure data-management roles within a modern business environment.
Platform9 and Intersect partner to bring unified cloud to A/NZ
“For Intersect, Platform9 represents the single most strategic solution to a set of challenges we see expanding across the board."
Meet the future of women in IT
Emily Sopers has just won Kordia’s first ever Women in Technology Scholarship, which was established to address gender imbalance in the information and communications technology (ICT) sector.
Web design programmers do an about face – again!
Google is aggressively pushing speed in the mobile environment as a critical ranking factor, and many eb design teams struggling to reach 80%+ speed scores on Google speed tests with gorgeous – but heavy - WordPress templates and themes.
Digital spending to hit US$1.2 trillion by 2022
A recent study by Zinnov shows that IoT spend reached US$201 billion in 2018 while outsourcing service providers generated $40 billion in revenue.
'Iwi Algorithm' can grow Aotearoa's mana
Ngāti Whātua Ōrākei innovation officer Te Aroha Grace says AI can help to combine the values from different cultures to help grow Aotearoa’s mana and brand – and AI is not just for commercial gain.
Dropbox brings in-country document hosting to A/NZ & Japan
Dropbox Business users in New Zealand, Australia, and Japan will be able to store their Dropbox files in-country, beginning in the second half of 2019.
Why 'right to repair' legislation could be a new lease on life for broken devices
“These companies are profiting at the expense of our environment and our pocketbooks as we become a throw-away society that discards over 6 million tonnes of electronics every year.”