Businesses should carefully consider who they trust to get their software or hardware from, but, at the same time, shouldn't limit themselves to just the big brands, according to Stratsec chief technology officer Nick Ellsmore.
(Distribution centre image by Nick Saltmarsh, CC 2.0)
Speaking at Informa's inaugural Cybercrime Symposium in Sydney, Ellsmore said that security folk often looked exclusively at software and hardware security issues once the product was inside the company.
"We still generally take quite a system-centric approach to security — trying to protect the system, whether that's an end point, whether it's a server, whether it's a website," he said.
But according to Ellsmore, this level of scrutiny doesn't go far enough back. He believes that businesses should be asking themselves how much they can trust their distributors and the other companies further up the supply chain.
"The issue around supply chain risk management is essentially that all of these different organisations and, in fact, even individuals within these organisations, if compromised, could actually impact on your organisation's security," he said.
For example, a shrink-wrapped hard drive could still contain malware, inserted either when it was tested at the manufacturer or when the package was surreptitiously opened, tampered with and resealed at the warehouse. Or the information a company sends to its banks could be read by an intermediary such as its accountant or its telecommunications provider.
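The tampered-in-transit case above is the one a receiving team can actually check for, provided the vendor publishes what it shipped. The following is an added example written for this article, not code from Stratsec or from the symposium: a receiving-dock integrity check that compares delivered software artifacts against a vendor manifest of SHA-256 digests and flags anything altered, missing or added (an extra file nobody shipped is exactly what a warehouse-inserted payload looks like). The manifest format ("<sha256-hex>  <filename>", one line per artifact) and all sample artifacts are constructed for illustration. The check is only as good as the channel the manifest arrived over: if it came through the same intermediary that could have rewritten the package, it proves nothing, which is the point of Ellsmore's telecommunications-provider example.

```python
"""Receiving-side integrity check of delivered artifacts against a vendor manifest.

Added example for illustration; the manifest format and the sample artifacts are
constructed here and are not a real vendor's. The manifest is assumed to have
reached the receiving team over a channel independent of the shipment itself.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> str:
    """Vendor side: one '<sha256-hex>  <name>' line per shipped artifact."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(artifacts.items()))


def parse_manifest(manifest: str) -> dict:
    """Parse the manifest strictly; a malformed manifest is itself a red flag."""
    expected = {}
    for lineno, line in enumerate(manifest.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        try:
            digest, name = line.split("  ", 1)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: expected '<sha256-hex>  <name>'")
        digest = digest.strip().lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest for {name!r}")
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name!r}")
        expected[name] = digest
    return expected


def verify_delivery(manifest: str, received: dict) -> dict:
    """Return a per-file status: ok, TAMPERED, MISSING, or UNEXPECTED.

    `received` maps filename -> bytes as actually found in the delivered package.
    Files present in the delivery but absent from the manifest are reported too,
    since an inserted payload is exactly the case the manifest cannot vouch for.
    """
    expected = parse_manifest(manifest)
    report = {}
    for name, digest in expected.items():
        if name not in received:
            report[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(received[name]), digest):
            report[name] = "ok"
        else:
            report[name] = "TAMPERED"
    for name in received:
        if name not in expected:
            report[name] = "UNEXPECTED"
    return report


def delivery_is_clean(report: dict) -> bool:
    """Accept the shipment only if every manifest entry matched and nothing extra arrived."""
    return all(status == "ok" for status in report.values())


# Constructed sample data: what the vendor built, and its manifest.
VENDOR_ARTIFACTS = {
    "firmware-2.1.bin": b"\x7fELF" + bytes(range(64)),
    "installer.msi": b"constructed installer payload",
}
MANIFEST = build_manifest(VENDOR_ARTIFACTS)


def tampered_delivery() -> dict:
    """Simulate the warehouse scenario: one byte patched in the firmware, one file added."""
    received = dict(VENDOR_ARTIFACTS)
    firmware = bytearray(received["firmware-2.1.bin"])
    firmware[10] ^= 0x01
    received["firmware-2.1.bin"] = bytes(firmware)
    received["autorun.inf"] = b"[autorun]\nopen=setup.exe\n"
    return received


if __name__ == "__main__":
    for name, status in sorted(verify_delivery(MANIFEST, tampered_delivery()).items()):
        print(f"{status:10} {name}")
```

Run stand-alone, the script reports the patched firmware as TAMPERED, the unchanged installer as ok, and the inserted autorun.inf as UNEXPECTED. In practice the manifest should also be signed by the vendor and that signature checked before the digests are trusted; a bare digest list only moves the question of trust from the parcel to the manifest.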
To make matters worse, Ellsmore pointed out that even when a business isn't the primary target of a breach, an attack on one of its upstream suppliers can still have negative repercussions for it.
He pointed to the example of the Epsilon data breach, which saw its customers' data exposed — one such high-profile customer being Dell Australia.
"If you talk to many people in Australia about who actually knows who Epsilon is, very few people would actually know that. If you looked at a lot of the media [reports] that came out, it was very much about Dell customer details being stolen in data breaches," he said.
"[The headline] wasn't 'Epsilon compromised, their client data stolen', it was very much about Dell. People know who Dell is. A breach of a supplier is not necessarily going to tarnish the supplier, but the breach of a supplier may very well punish your organisation."
To manage supplier risk, Ellsmore advocated becoming information-centric rather than system-centric.
"What that actually means is you're not trying to protect your organisation any more, you're trying to protect your information wherever that is. Whether you hold it, whether your lawyers hold it, whether the consultants hold it, whether the investment bank holds it, whether your outsourcer holds it. Because from the criminal's perspective, they don't really care where they get it from, they just want the information."
Ellsmore said that the only real programs available to businesses for ensuring the integrity of products were systems like the Common Criteria, or the Defence Signals Directorate's (DSD's) Evaluated Products List.
One such example is Apple's mobile operating system, iOS, which DSD has been in the process of evaluating for over a year. The Australian Government Information Management Office's first assistant secretary, John Sheridan, informed a Senate estimates committee in February 2011 that it was working with Apple to certify iOS. In July that year, DSD released only a guide for iOS 4.3.3, and Sheridan stated in a tweet that the official evaluation was set to be completed in September.
In October, after the target date had passed and following ZDNet Australia's queries at the time of the release of iOS 5, it was revealed that DSD had scrapped plans to evaluate earlier versions of iOS and moved to evaluate iOS 5 only. This evaluation is still not available despite the fact that Apple updated iOS to version 5.1 last Thursday.
Ellsmore said these programs that checked products' integrity weren't sufficient for most organisations' needs.
"There are a few hundred products globally that have been evaluated and they're evaluated at specific versions, and it costs quite a lot to go through that process and takes a long time," he said.
"What it effectively means is that if you really are restricted to only buying those products, you actually start to not have the ability to have a diverse technology environment because you're tied to the big vendors and the big products that actually have the ability to get accredited."