A central point for collection of information that relates to computer security. Including, but not limited to, security advisories from the major vendors, major data breaches, "phishing" alerts, commentary regarding staffing levels. etc. etc.
Supply Chain Security
December 8, 2012 at 12:51 pm #174259
Press Release from DARPA:
New DARPA Program Seeks to Reveal Backdoors and Other Hidden Malicious Functionality in Commercial IT Devices
DARPA starts the Vetting Commodity IT Software and Firmware program and announces upcoming Proposers’ Day.
The scenario is one that information security experts dread: widespread dissemination of commercial technology that is secretly wired to function in unintended ways or even spy on its users. From this vantage point, mobile phones, network routers, computer work stations and any other device hooked up to a network can provide a point of entry for an adversary.
For the Department of Defense this issue is even more of a concern now than ever before as DoD personnel rely on equipment bought in large quantities and built with components manufactured all over the world. DoD’s growing dependence on the global supply chain makes device, software and firmware security an imperative. Backdoors, malicious software and other vulnerabilities unknown to the user could enable an adversary to use a device to accomplish a variety of harmful objectives, including the exfiltration of sensitive data and the sabotage of critical operations. Determining the security of every device DoD uses in a timely fashion is beyond current capabilities.
December 8, 2012 at 12:52 pm #174269
More information and Commentary from Veracode blog:
Supply chain integrity has always been the “madwoman in the attic” of IT security programs – a problem so complicated and devilish and nasty, that nobody wanted to deal with it. Best to stuff it away and try to forget, right?
But when the U.S. Congress starts holding hearings about supply chain security and calling the executives of global technology firms to testify, just pretending that it isn’t a problem you need to worry about won’t fly with your boss – or your board. And, of course, that’s exactly what happened this year, as executives from Chinese network equipment makers Huawei and ZTE appeared before the House Intelligence Committee to answer questions about the security of the routers and switches they sell to U.S. companies and the companies ties to the Chinese military.
The executives’ answers (or lack thereof) didn’t inspire confidence, with the Committee issuing a report that declared both companies evasive and, therefore, a risk to the security of their customers’ networks, data and intellectual property. But where does that report leave organizations that are trying to figure out how to verify the integrity of the software and hardware they purchase? Really no better off than before. The truth is that the technology supply chain is global – whether the U.S. House of Representatives likes it or not. Simply saying “don’t buy Huawei” or -even more bedeviling – “don’t buy Chinese” doesn’t really answer the question about where threats lie in the supply chain and how to identify them.
December 8, 2012 at 12:55 pm #174266
NIST on Supply Chain Risk Management
Title: National Supply Chain Risk Management Practices for Federal Information Systems
Federal agency information systems1 are increasingly at risk of both intentional and unintentional supply chain compromise due to the growing sophistication of information and communications technologies (ICT) and the growing speed and scale of a complex, distributed global supply chain. Federal departments and agencies currently have neither a consistent nor comprehensive way of understanding the often opaque processes and practices used to create and deliver hardware and software products and services that are contracted out, especially beyond the prime contractor. This lack of understanding, visibility, and control increases the risk of exploitation through a variety of means including counterfeit materials, malicious software, or untrustworthy products, and makes it increasingly difficult for federal departments and agencies to understand their exposure and manage the associated supply chain risks. Currently, federal departments and agencies and private sector integrators and suppliers use varied and nonstandard practices.
The ICT supply chain is a globally distributed, interconnected set of organizations, people, processes, services, products, and other elements. It extends across the full system development life cycle including research and development (R&D), design/development, acquisition of custom or commercial off-the-shelf (COTS) products, delivery, integration, operations, and disposal/retirement.
A multi-pronged approach is the best way to build assurance into the systems and components that the federal government procures and manages. Such an approach may include: Federal Acquisition Regulations (FAR) that require supply chain practices; widely adopted or international standards on supply chain practices for integrators and suppliers; a means to share supplier-related threat information; current and new technologies and tools incorporated into supply chain practices; and increased ability of federal departments and agencies to manage supply chain risks once an information system is in place. This document seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an understanding of, and visibility throughout, the supply chain. This understanding and visibility will give federal departments and agencies the ability to strategically manage the associated Information and Communication Technology (ICT) supply chain risks over the entire life cycle of products, systems, and services.
Many of the supply chain risk management (SCRM) activities described in this document build on existing business practices to specifically help manage supply chain risks in the evolving threat environment. They originate from within organizations that already address a variety of business or engineering processes of many disciplines including logistics, reliability, security, and safety. Since ICT SCRM is an enterprise process, leveraging existing knowledge collected for other disciplines enables the development of a commercially reasonable set of activities required to achieve supply chain assurance.
Organizations should select and tailor the practices in this document based on the suitability for a specific application or acquisition and combined impact on the performance, cost, and schedule.
December 8, 2012 at 12:56 pm #174263
Microsoft's Commentary on the Issue
Title: Supply Chain Security
Governments, businesses, and consumers today rely upon information and communications technology systems to perform an increasingly important role in commerce and daily life. Some of the more important systems have become attractive targets for malicious actors who mount increasingly sophisticated attacks that have the potential to cause widespread damage or disruption, or give them unauthorized access to data.
A key area of interest is the supply chain of technology products, which the National Institute for Standards and Technology defines as “the set of organizations, people, activities, information, and resources for creating and moving a product or service (including its sub-elements) from suppliers through to an organization’s customers.”
The supply chain responsible for delivering information and communications technologies is globally distributed. The products themselves can be complex, made of many parts in many different companies all over the world. This raises concerns for some governments about the potential for hostile actors to introduce malicious or unwanted functions or counterfeit elements along the way. If products were compromised, they could potentially be used to conduct surveillance or to disrupt or otherwise degrade the trustworthiness of the information and communications technology systems of which the hardware or software will be a part.
Securing such a diverse and global supply chain presents a challenge for governments and businesses. Both need to recognize supply chain security as a shared problem and seek solutions that are built upon best practices, mitigate risks, and draw on international cooperation.
December 8, 2012 at 2:44 pm #174261
- more information and commentary from Layer 8 blog on Networkworld
DARPA program aims to find, shut backdoor malware holes in commercial IT devices
DARPA program looks to determine, validate security of every networked device.
It is likely every security IT person's nightmare: the new mobile phone, network router or computer they just tied into the network actually has a secret backdoor that lets the malicious users or governments have unfettered access to the company's assets.
That sort of fear is behind a new program researchers at the Defense Advanced Research Projects Agency (DARPA) will discuss on December 12th known as the Vetting Commodity IT Software and Firmware (VET). VET will look to develop systems that can verify the security of commercial IT devices. IT's growing dependence on the global supply chain makes device, software and firmware security an imperative, DARPA stated.
"Backdoors, malicious software and other vulnerabilities unknown to the user could enable an adversary to use a device to accomplish a variety of harmful objectives, including the exfiltration of sensitive data and the sabotage of critical operations. Determining the security of every device the Department of Defense uses in a timely fashion is beyond current capabilities," DARPA stated.
You must be logged in to reply to this topic.