<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1977396509252409&amp;ev=PageView&amp;noscript=1">

SUITE OF SERVICES services menu

Hamburger-menu.png
MobileSearchIcon.png
Brightline-BlogBanner.jpg

THE SCHELLMAN ADVANTAGE BLOG

< BACK TO BLOG HOME

Supply and Demand (for security)

Supply and Demand (for security)

Written by JACOB ANSARI on Feb 13, 2019

2018 was the year that raised the alarm in earnest about potential vulnerabilities in the supply chain for enterprise computing systems.

But with such diverse networks and widespread dependence on third parties, how can organizations expect to plug all potential leaks? Karen Epper Hoffman reports.

It sounds like the stuff of a modern-day John LeCarre novel: The Chinese government asserting influence into the operations of hardware developer Super Micro Computer Inc. to spy on the enterprises to which Supermicro supplies computer chips.

First detailed in an early October Bloomberg Businessweek article, this story was quickly denied and recanted by several high-profile industry experts, including some of the 17 sources cited in the initial piece. However, this tale of seeming cyberspy intrigue along with similar stories in recent years have shown a spotlight on the vulnerabilities of the enterprise supply chain.

“This story is an extreme use case, but it justifies the need for governments [and companies] to do extensive and thorough assessments of their vendors and hardware,” says Itay Kozuch, director of threat research for IntSights Cyber Intelligence. “While it may seem inefficient, the one time in a million assessments that you catch something is worth the cost.”

A potential problem at Supermicro raised alarms because the company manufactures computer hardware used by business giants like Amazon and Apple, as well as the U.S. government, including the Department of Defense and the Central Intelligence Agency.

...the typical supply chain is “bigger than manufactured components in factories and older than the Supermicro event or non-event, depending on how you regard that [story].”

Jacob Ansari, senior manager for Schellman & Company LLC, points out the typical supply chain is “bigger than manufactured components in factories and older than the Supermicro event or non-event, depending on how you regard that [story].”

The supposed Supermicro compromise is not an isolated event, he adds, since there have long been well-documented supply chain attacks in point-of-sale software, where the attackers had compromised a third-party component, thus backdooring the POS before it even shipped to the merchant.

Matt Wilson, chief information security advisor at BTB Security, believes the Supermicro story highlights a supply chain risk which is “well-known in government circles, but relatively unknown to most [private-sector] organizations.” On the heels of this and similar cyberspying stories, Wilson and his team have seen “a slight uptick in interest from some of our enterprise customers, as well as smaller organizations that have more mature information security programs.”

Read full article at SC Magazine >

JACOB ANSARI

MEET THE WRITER

JACOB ANSARI

Jacob Ansari is a Manager at Schellman. Jacob performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS and P2PE. Jacob’s career spans fifteen years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and information security expertise in support of legal matters. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS. Jacob speaks regularly to a variety of audiences on matters of information security, incident response, and payment card compliance strategy.

COMMENTS