Biblio
Another risk posed by the limited number of available vendors is the threat of supply chain attacks. According to researchers at CrowdStrike, on June 27, 2017, the destructive malware known as NotPetya was deployed through a legitimate software package used by organizations operating in Ukraine. The attack abused the update mechanism built into that software, the same mechanism the vendor uses to distribute updates to its customers. This mechanism had been used a month earlier to deploy other ransomware. Supply chain attacks exploit the trust relationship between software or hardware vendors and their customers. These attacks can be widespread, affecting the trusted vendor's entire customer base, and are growing in frequency as well as sophistication.
STONESOUP develops and demonstrates comprehensive, automated techniques that allow end users to securely execute software without basing risk mitigations on characteristics of provenance that have a dubious relationship to security. Existing techniques to find and remove software vulnerabilities are costly, labor-intensive, and time-consuming. Many risk management decisions are therefore based on qualitative and subjective assessments of the software suppliers' trustworthiness. STONESOUP develops software analysis, confinement, and diversification techniques so that non-experts can transform questionable software into more secure versions without changing the behavior of the programs.
CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations. An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as widespread abuse of commonly used authentication mechanisms. This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked. CISA urges organizations to prioritize measures to identify and address this threat.
Our economy is increasingly global, complex, and interconnected. It is characterized by rapid advances in information technology. IT products and services need to provide sufficient levels of cybersecurity and resilience. The timely availability of international cybersecurity standards and guidance is a dynamic and critical component for the cybersecurity and resilience of all information and communications systems and supporting infrastructures.
Before contracting with a supplier, vendor, manufacturer, or any other third-party organization, it is essential to review their security practices. The third party must have a supply chain risk management program as well as a robust risk-based approach to cybersecurity and supply chain security.
Foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions, including economic and industrial espionage against the United States and its people.
Information Technology has increasingly been incorporated into every segment of the economy. In manufacturing, the basic technology of Direct Digital Manufacturing (DDM) has been around for decades. It involves the creation of a physical object from a digital design using computer-controlled processes with little to no human intervention. With the popularization and advancement of Additive Manufacturing (AM) and 3D printing, it is becoming much more common. These technologies have the potential to significantly change traditional manufacturing and supply chain industries, including information and communications technologies (ICT). During the symposium, speakers and attendees discussed DDM cybersecurity risks, challenges, solutions, and implications for ICT supply chain risk management.
This paper introduces Microsoft’s perspective on supply chain risk and the relationship of such risk to global trade in ICT products. It reviews the considerations that lead governments to express concerns about supply chain security and discusses the implications of some approaches to “solving the problem.” It points out the importance of having national approaches to supply chain risk management that are risk-based, transparent, flexible and reciprocal or standards-based.
Enhancing Software Supply Chain Security. (a) The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of ‘‘critical software’’—software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)—is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.
The Executive Order (14028) on Improving the Nation’s Cybersecurity directs the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), to publish the “minimum elements” for a Software Bill of Materials (SBOM). An SBOM is a formal record containing the details and supply chain relationships of the various components used in building software. In addition to establishing these minimum elements, this report defines the scope of how to think about minimum elements, describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution. An SBOM provides those who produce, purchase, and operate software with information that enhances their understanding of the supply chain, which enables multiple benefits, most notably the potential to track known and newly emerged vulnerabilities and risks. An SBOM will not solve all software security problems, but it will form a foundational data layer on which further security tools, practices, and assurances can be built. The minimum elements as defined in this document are the essential pieces that support basic SBOM functionality and will serve as the foundation for an evolving approach to software transparency. These minimum elements comprise three broad, interrelated areas: data fields, automation support, and practices and processes.
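As an added illustration, not code from the NTIA report or from any SBOM tooling, the following Python exercises the minimum elements on a constructed SBOM: it checks that the baseline data fields (supplier, component name, version, unique identifiers, dependency relationship, plus the SBOM-level author and timestamp) are present and that every dependency edge points at a component actually listed, walks the dependency relationships, and matches components against a constructed advisory list to answer the question the report's vulnerability-tracking use case raises: which top-level products are exposed, directly or transitively. The component names, suppliers, versions and advisory identifiers are all made up, and the field names are this example's own rather than a standard schema such as SPDX or CycloneDX.

```python
"""Exercise the SBOM minimum elements on a constructed SBOM (example code).

Field names are this example's own; real SBOMs use SPDX or CycloneDX.
Components, suppliers, versions and advisory IDs below are made up.
"""
from typing import Dict, List, Set, Tuple

# Per-component data fields, plus SBOM-level author and timestamp.
COMPONENT_FIELDS = ("supplier", "name", "version", "identifiers", "dependencies")
SBOM_FIELDS = ("author", "timestamp", "components")


def component_key(c: dict) -> str:
    """name@version is how components refer to their dependencies here."""
    return f"{c['name']}@{c['version']}"


def validate_sbom(sbom: dict) -> List[str]:
    """Return problems found; [] means baseline fields and dependency edges check out."""
    problems: List[str] = []
    for f in SBOM_FIELDS:
        if f not in sbom:
            problems.append(f"sbom missing field '{f}'")
    components = sbom.get("components", [])
    known = {component_key(c) for c in components if "name" in c and "version" in c}
    for c in components:
        label = c.get("name", "<unnamed>")
        for f in COMPONENT_FIELDS:
            if f not in c:
                problems.append(f"component {label} missing field '{f}'")
        if not c.get("identifiers"):
            problems.append(f"component {label} has no unique identifier")
        for dep in c.get("dependencies", []):
            if dep not in known:  # edge to a component the SBOM never describes
                problems.append(f"component {label} depends on unknown component {dep}")
    return problems


def transitive_dependencies(sbom: dict, root: str) -> Set[str]:
    """Every component reachable from root through dependency edges; cycles are tolerated."""
    graph = {component_key(c): list(c.get("dependencies", [])) for c in sbom["components"]}
    seen: Set[str] = set()
    stack = list(graph.get(root, []))
    while stack:
        key = stack.pop()
        if key in seen:
            continue
        seen.add(key)
        stack.extend(graph.get(key, []))
    return seen


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def match_advisories(sbom: dict, advisories: List[dict]) -> List[Tuple[str, str]]:
    """Pair components with advisories for the same supplier+name whose fixed_in
    version is newer than the shipped one; unparseable versions are skipped, not guessed."""
    hits: List[Tuple[str, str]] = []
    for c in sbom["components"]:
        for a in advisories:
            if (a["supplier"], a["name"]) != (c["supplier"], c["name"]):
                continue
            try:
                affected = parse_version(c["version"]) < parse_version(a["fixed_in"])
            except ValueError:
                continue
            if affected:
                hits.append((component_key(c), a["id"]))
    return hits


def exposed_products(sbom: dict, hits: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each top-level product (nothing depends on it) to the vulnerable
    components it contains directly or transitively; unexposed products are omitted."""
    depended_on = {d for c in sbom["components"] for d in c.get("dependencies", [])}
    vulnerable = {key for key, _ in hits}
    result: Dict[str, List[str]] = {}
    for c in sbom["components"]:
        root = component_key(c)
        if root in depended_on:
            continue
        found = vulnerable & (transitive_dependencies(sbom, root) | {root})
        if found:
            result[root] = sorted(found)
    return result


# Constructed sample data: hypothetical product, libraries and advisories.
SAMPLE_SBOM = {
    "author": "example-corp security team",
    "timestamp": "2021-07-12T00:00:00Z",
    "components": [
        {"supplier": "Example Corp", "name": "example-app", "version": "1.0.0",
         "identifiers": {"purl": "pkg:generic/example-app@1.0.0"},
         "dependencies": ["libfoo@2.3.1", "libbar@0.9.0"]},
        {"supplier": "Foo Project", "name": "libfoo", "version": "2.3.1",
         "identifiers": {"purl": "pkg:generic/libfoo@2.3.1"}, "dependencies": ["libbaz@1.2.0"]},
        {"supplier": "Bar Project", "name": "libbar", "version": "0.9.0",
         "identifiers": {"purl": "pkg:generic/libbar@0.9.0"}, "dependencies": []},
        {"supplier": "Baz Project", "name": "libbaz", "version": "1.2.0",
         "identifiers": {"purl": "pkg:generic/libbaz@1.2.0"}, "dependencies": []},
    ],
}
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "supplier": "Baz Project", "name": "libbaz", "fixed_in": "1.2.1"},
    {"id": "EXAMPLE-ADV-0002", "supplier": "Bar Project", "name": "libbar", "fixed_in": "0.8.0"},
]

if __name__ == "__main__":
    print("problems:", validate_sbom(SAMPLE_SBOM))
    hits = match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    print("advisory hits:", hits)
    print("exposed products:", exposed_products(SAMPLE_SBOM, hits))
```

The point of the last function is the one the report emphasizes: once an SBOM records dependency relationships, a newly published advisory against a deeply nested library can be turned into a list of the shipped products that actually contain it, without re-analysing the binaries. Real advisory matching is harder than a dotted-integer comparison (vendor version schemes, backported fixes, and identifier mismatches between ecosystems), which is why the example skips rather than guesses when a version does not parse.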
In his Executive Order (EO) on Improving the Nation’s Cybersecurity, President Biden identified the prevention, detection, assessment and remediation of cyber incidents as a top priority of his Administration. The Commerce Department and NTIA were directed by the EO to publish the minimum elements for a Software Bill of Materials (SBOM), a key tool to help create a more transparent and secure software supply chain. As the President notes, “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is.”
It is appropriate to elaborate upon measures to address the national emergency with respect to the information and communications technology and services supply chain that was declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain). Specifically, the increased use in the United States of certain connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, which the Secretary of Commerce acting pursuant to Executive Order 13873 has defined to include the People’s Republic of China, among others, continues to threaten the national security, foreign policy, and economy of the United States. The Federal Government should evaluate these threats through rigorous, evidence-based analysis and should address any unacceptable or undue risks consistent with overall national security, foreign policy, and economic objectives, including the preservation and demonstration of America’s core values and fundamental freedoms.
Cyber security is generally thought of in terms of security devices such as firewalls, Web Application Firewalls (WAF), IDS/IPS, SIEM and DLP that safeguard networks, applications and data. But what if the deployed security solutions themselves contain a bug? A recent example is the disclosure of a vulnerability in Lenovo notebooks. Lenovo notebooks shipped with a program named “Superfish Visual Discovery”, and a vulnerability in this software that enables Man-in-the-Middle (MITM) attacks was discovered. The security controls installed on the notebooks, such as antivirus, cannot catch it, because the software is part of the default shipped image. This example shows how important it is to take into consideration not only networks but every component of a supply chain.
Cyber security in the supply chain is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the Advanced Persistent Threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.
On May 11, 2017, the President of the United States issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. In part, the order states that it is the policy of the United States “to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.” Consequently, the Secretary of Commerce and Secretary of Homeland Security are directed to:
1) “assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education”; and,
2) “provide a report to the President with findings and recommendations regarding how to support the growth and sustainment of the Nation's cybersecurity workforce in both the public and private sectors.”
With the active involvement of more than a dozen federal departments and agencies, and with public input, the Commerce and Homeland Security Secretaries submitted a report to the President, Supporting the Growth and Sustainment of the Nation's Cybersecurity Workforce. A full list of federal contributors and details about private sector input is included in the report.
Key findings and recommendations from that report are available here.
Cyber Resiliency Engineering can be applied to systems, missions, business functions, organizations or a cross-organizational mission. In this paper, cyber resiliency is applied to the problem of mitigating supply chain attacks. The adversary’s goals for attacking a supply chain are described using the cyber-attack lifecycle framework and the Department of Defense (DoD) Acquisition lifecycle. Resiliency techniques are recommended considering adversary goals and the best options to defend against the attacks. The analysis in this document found that the most effective point to apply cyber resiliency mitigations is the Production and Deployment phase, because this reduces the number of attacks overall. The best places to gain information about adversary targets and activities are the Engineering and Manufacturing Development phase and the Production and Deployment phase. An example of how to apply these resiliency techniques is provided based on the Commercial Solutions for Classified capability package for a Wireless Local Area Network (WLAN).
CISA, in coordination with the National Security Agency and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF), a cross-sector, public-private working group, released a Potential Threat Vectors to 5G Infrastructure paper. This paper identifies and assesses risks and vulnerabilities introduced by 5G.
The ESF 5G Threat Model Working Panel, a subgroup within the ESF, examined three major threat vectors in 5G—standards, the supply chain, and threats to systems architecture—to develop a summary and technical review of types of threats posed by 5G adoption in the United States and sample scenarios of 5G risks.
Please note, this paper represents the beginning of the ESF’s research and not the culmination of it. It is not an exhaustive risk summary or technical review of attack methodologies and includes public and private research and analysis.
Exploitation of supply chains by foreign adversaries is a growing threat to America.
The National Counterintelligence and Security Center (NCSC) today released a new tri-fold document, Supply Chain Risk Management: Reducing Threats to Key U.S. Supply Chains, to help private sector and U.S. Government stakeholders mitigate risks to America’s critical supply chains. As part of Cybersecurity Awareness Month, NCSC is working to raise awareness of supply chain attacks, including those that are cyber-enabled.
The tri-fold highlights supply chain risks, introduces a process for supply chain risk management, and establishes three focus areas to reduce threats to key U.S. supply chains. The document also outlines key tools and technologies to protect each stage of the supply chain lifecycle, from design to retirement.
Video presentation from Carnegie Mellon University "Implementing Cyber Security in DoD Supply Chains," 2020.
Video presentation "Cyber Security in Supply Chains, CAPS Research", 2018.
The purpose of this workshop is to review with participants, sponsors, and key interested parties the findings and lessons learned from a two-year long NIST and GSA-sponsored Cyber Risk Analytics project. A team composed of professionals from the University of Maryland (UMD), Zurich Insurance, and Beecher Carlson completed the following activities:
- Developed and field tested, with collaboration of NIST, a secure, online self-assessment tool, based on the Cybersecurity Framework;
- Created a breach database for survey participants by integrating the breach datasets from Advisen, RBS, the Identity Theft Resource Center, and the Center for Business and Ethics at the University of Maryland;
- Conducted a rigorous statistical analysis to search for significant relationships between performance results in different areas of the self-assessment tool and the frequency of breaches (disaggregated by breach type). The objective was to determine whether specific actions initiated by the survey participants were directly associated with a reduced frequency of breach occurrence during the study period.
Deception technology is an outside-the-box cybersecurity approach that aims to turn the current paradigm on its head, from reactionary to proactive defense. Traditional, signature-based security measures continue to fall prey to sophisticated zero-day attacks and advanced persistent threats, despite the fact that companies are spending upwards of $3 million per year on information security. It’s time for organizations to get proactive, and use deception technology to enhance the way they architect a comprehensive security strategy. The article presents 4 Things Every CISO Must Know About Deception Cybersecurity.
Deception is a tactic that could be used in cybersecurity to attack adversaries. Deception technology goes beyond the honeypot concept in that it can be used to actively lure and bait attackers to an environment in which deception is applied. Organizations can use deception technology to reduce false positives, trigger early threat hunting operations, and more.
The United States has no peer competitors in conventional military power. But its adversaries are increasingly turning to asymmetric methods for engaging in conflict. Much has been written about cyber warfare as a domain that offers many adversaries ways to counter the U.S. conventional military advantages, but for the most part, U.S. capabilities for prosecuting cyber warfare are as potent as those of any other nation. This paper advances the idea of cyber-enabled information warfare and influence operations (IWIO) as a form of conflict or confrontation to which the United States (and liberal democracies more generally) are particularly vulnerable and against which they are not particularly potent compared to the adversaries who specialize in this form of conflict. IWIO is the deliberate use of information against an adversary to confuse, mislead, and perhaps to influence the choices and decisions that the adversary makes. IWIO is a hostile activity, or at least an activity that is conducted between two parties whose interests are not well-aligned, but it does not constitute warfare in the sense that international law or domestic institutions construe it. Cyber-enabled IWIO exploits modern communications technologies to obtain benefits afforded by high connectivity, low latency, high degrees of anonymity, insensitivity to distance and national borders, democratized access to publishing capabilities, and inexpensive production and consumption of information content. Some approaches to countering IWIO show promise of having a modest but valuable defensive effect. But on the whole, there are no good solutions for large-scale countering of IWIO in free and democratic societies. Development of new tactics and responses is therefore needed.