Supply Chain

From MgmtWiki
Revision as of 09:55, 17 June 2021 by Tom (talk | contribs) (Other Material=)

Jump to: navigation, search

Full Title or Meme

For Identity Management in a digital world the important parts of the supply change are the user hardware and software and the entire cloud ecosystem.

Context

  • Typically the only parts of the Supply Chain that a user or a developer sees are the immediate hardware or software decision that they make. The full scale of all the parts that are drawn into the local system by those decisions are seldom investigated, even when a Threat Model is created.
  • The US NCCoE has established a Supply Chain Assurance effort focused on the hardware.

Problems

  • The most common problem Supply Chain corruption is indifference. Typically when included in a Threat Model the response will be "you must be in real trouble if you don't know where your computers are coming from." It is still likely that most threat analysis will omit any concern with supply chain corruption.
  • Even though it may be incredibly difficult to get management to consider supply chain issues, it is not useful to address any security issues if you cannot even be sure that the computers and the software delivered are free of deliberate or accidental vulnerabilities.
  • Portable hardware devices have proven to be an easy attack target. In the simplest case a USB file key is left lying around where someone might use it and thus infect the computer. In more sophisticated attacks the hardware will be altered in the supply chain before it reaches the intended target user. For example Criminals are mailing altered Ledger devices to steal cryptocurrency [1]
  • The exploits have started to surface with (2020) Solar Winds infections that continue to be discovered. There the problem was a dll that was replaced in the development chain that was never validated.
  • Developer tools make it very easy to inject dependence's on external packages with just a click of the mouse. the article on "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" shows how easy that act can be exploited. The vulnerability has always been their, but as other exploits are blocked, this one becomes more attractive.

Dependancy Injections

This is about a broad meaning of dependency injections that apply whenever a download application takes a dependency on code from any source outside of the current development project.

" Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" shows how easy that act can be exploited. The vulnerability has always been their, but as other exploits are blocked, this one becomes more attractive.

References

  1. Lawrence Abrams, Criminals are mailing altered Ledger devices to steal cryptocurrency Bleeping Computer (2021-06-16) https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-altered-ledger-devices-to-steal-cryptocurrency/

Other Material