Supply Chain (In)Security

Transcription

1 Supply Chain (In)Security

2 IEEE Cybersecurity Speaker Chris Webb Partner, Security Practice Orange County, California 20+ years of experience developing, securing, and managing enterprise systems. Specializes in application and network security; software defined networking; and medical device cybersecurity. Fractional Chief Information Security Officer

3

4 Part 1 - Risk Examples Your supply chain is used to attack you Your own supply is attacked Part 2 - Frameworks to Reduce Risk BITS Shared Assessments Shared Assessments NIST FIPS , Supply Chain Risk Management Practices for Federal Information Systems and Organizations (April 2015)

5 Your questions are encouraged!

6 What do these companies have in common? Foolad Technic Beh Pajooh Neda Industrial Group Control Gostar Jahed

7 Iranian nuclear site: Natanz Uranium Enrichment Facility Stuxnet

8 Who is this company?

9 Remember this breach? November - December million credit & debit cards compromised

10 RSA tokens Lockheed Martin In March 2011, RSA, the Security Division of EMC (who?), was hacked In May 2011, Lockheed Martin was attacked through its use of (surprise!) RSA SecurID tokens Data Breach at Security Firm Linked to Attack on Lockheed in The New York Times

11 Your own supply chain is attacked In 1982 (yes, 35 years ago), six adults and one 12-year-old girl died of cyanide poisoning in Chicago after taking capsules of Extra Strength Tylenol

12 Pharma has a huge problem

13 Semi-conductor companies have a significant problem Recycled chips in Shenzhen, China

14 A specific example: DoD s MDA Senate Armed Services Committee (Dec 2010 to Nov 2011, electronic parts only) Sens. Levin and McCain staff Investigation Contacted Findings (11/8/11) Hearing) Largest DoD Contractors and Test Labs (last two years data on suspect counterfeit) 1,800 suspect counterfeit part issues. Over 1 million affected parts. At least 70% were from China! Government Accountability Office (16 obsolete or non-existent parts numbers) Installed in three aircraft. Targeting Display Ice Detection Sold by US companies, originally from China! 7 obsolete (valid) 5 obsolete (invalid) 4 non-existent All found, all counterfeit Fastest, cheapest all came from China! 14

15 Software - rampant piracy Legacy / shrinkwrap: activation keys DVDs: holograms Downloads: obfuscation (e.g., Arxan), DRM Mobile apps: API keys

16 High-end consumer products

17

18 What about compromised items?

19 Your questions about the risks?

20 Part 1 - Risk Examples (Tim) Your supply chain is used to attack you Your own supply is attacked Part 2 - Frameworks to Reduce Risk (Chris) BITS Shared Assessments Shared Assessments NIST FIPS , Supply Chain Risk Management Practices for Federal Information Systems and Organizations (April 2015)

21 Multiple Standards for Program Risks BITS Open Assessment Self Assessment NIST Cyber Security Regulations, Policies, Guidance DFARS sub part and EO part 11 Supply Chain Risk Management Practices for Federal Information Systems and Organizations

22 BITS BITS is the technology policy division of the Financial Services Roundtable (FSR) Strengthen cybersecurity and reduce fraud Navigate the regulatory and risk environment Impact current and emerging policy issues Improve efficiency and effectiveness of technology programs Leverage emerging technologies

23 NIST SP Provides guidance to federal agencies on selecting and implementing mitigating processes and controls at all levels in their organizations to help manage risks to or through ICT supply chains for systems categorized as HIGH according to Federal Information Processing Standard (FIPS) 199, Standards for Security 367 Categorization of Federal Information and Information Systems Applies the multi-tiered risk management approach of NIST SP , 355 Managing Information Security Risk: Organization, Mission, and Information System View Refines and expands NIST SP Rev4 controls, adds new controls that specifically address ICT SCRM, and offers SCRM-specific supplemental guidance where appropriate

24 NIST Security Control Families Access Control Awareness & Training Audit & Accountability Configuration Management Identification & Authentication Incident Response Maintenance (Patching) Media Protection Personnel Security

25 NIST Controls (cont d) Physical Protection Risk Assessment Security Assessment System and Information Integrity

26 Executive Orders and (DFARS Initiative #11) Develop a multi-pronged approach for global supply chain risk management. Globalization of the commercial information and communications technology Risks stemming from both the domestic and globalized supply chain must be managed in a strategic and comprehensive way over the entire lifecycle of products, systems and services. Managing this risk will require a greater awareness of the threats, vulnerabilities, and consequences associated with acquisition Robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.

27 NIST and Supply Chain Hardening Tiered Risk Management Engage the supplier Make your suppliers demand the same of their suppliers Secure the enterprise Identity and human behavior monitoring are a must to combat today s threats Protect the customer People, processes and technology

28 Secure the Enterprise Limit Vendor Access Try to avoid direct access to your enterprise Perform deep (content) application inspection on trusted connections inverse Digital Loss Protection (DLP) Do not directly share critical information - read only and encrypt Contain delivered goods and services Zone software, products and services Appliances should not have access to the internet unless for updates Monitor installed products, endpoints and connections

29 Engage the Supplier Create Contractual Obligations Require breach notification with a timeline and parameters Establish data handling requirements Require product integrity Ensure language mandates communication back to the supplier are only for updates (not data collection) Security Assessments Source code and binary validation (quality, vulnerability, and FOSS) Evaluation of technology and capabilities

30 Supply Chain Partnership Partnership with your traditional supply chain (how you make goods/services) Work in partnership with security vendors to harden our security Advanced analytics and behavior modeling

31 Going Deeper: ISO/IEC Application Security Application security life cycle Incorporating security activities and controls Covering applications developed through internal development, external acquisition, outsourcing/offshoring PART 1 Overview and concepts PART 2 Organization normative framework PART 3 Application security management process PART 4 Application security validation PART 5 Protocols and application security control data structure PART 6 Security guidance for specific applications PART 7 - Application Security Control Predictability

32 Going Deeper: Essential Security and Foundational Practices Management Systems: ISO Quality, ISO Information Security, ISO IT Service Management, ISO Supply Chain Resiliency Security Controls: ISO/IEC 27002, NIST Lifecycle Processes: ISO/IEEE Systems, ISO/IEEE Software Risk Management: ISO overall, ISO/IEC security, and ISO/IEC systems Industry Best Practices: CMMI, Assurance Process Reference Model, Resiliency Management Model (RMM), COBIT, ITIL, PMBOK

33 Going Deeper: ISO/IEC ISMS controls Information security in project management Secure development policy Secure system engineering principles Secure development environment System security testing Information security policy for supplier relationships Addressing security within supplier agreements Information and communication technology supply chain Assessment of and decision on information security events Response to information security incidents Planning information security continuity Implementing information security continuity

34 Your questions?