Difference between revisions of "Supply Chain"
From MgmtWiki
m (→Other Material=) |
(→References) |
||
| Line 17: | Line 17: | ||
" [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies"] shows how easy that act can be exploited. The vulnerability has always been their, but as other exploits are blocked, this one becomes more attractive. | " [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies"] shows how easy that act can be exploited. The vulnerability has always been their, but as other exploits are blocked, this one becomes more attractive. | ||
| + | |||
| + | ==Solutions== | ||
| + | With the issuance of the Executive Order on Cyber Security, NIST was tasked with a definition of [[Critical Software]]. | ||
==References== | ==References== | ||
Revision as of 10:58, 25 June 2021
Contents
Full Title or Meme
For Identity Management in a digital world the important parts of the supply change are the user hardware and software and the entire cloud ecosystem.
Context
- Typically the only parts of the Supply Chain that a user or a developer sees are the immediate hardware or software decision that they make. The full scale of all the parts that are drawn into the local system by those decisions are seldom investigated, even when a Threat Model is created.
- The US NCCoE has established a Supply Chain Assurance effort focused on the hardware.
Problems
- The most common problem Supply Chain corruption is indifference. Typically when included in a Threat Model the response will be "you must be in real trouble if you don't know where your computers are coming from." It is still likely that most threat analysis will omit any concern with supply chain corruption.
- Even though it may be incredibly difficult to get management to consider supply chain issues, it is not useful to address any security issues if you cannot even be sure that the computers and the software delivered are free of deliberate or accidental vulnerabilities.
- Portable hardware devices have proven to be an easy attack target. In the simplest case a USB file key is left lying around where someone might use it and thus infect the computer. In more sophisticated attacks the hardware will be altered in the supply chain before it reaches the intended target user. For example Criminals are mailing altered Ledger devices to steal cryptocurrency [1]
- The exploits have started to surface with (2020) Solar Winds infections that continue to be discovered. There the problem was a dll that was replaced in the development chain that was never validated.
- Developer tools make it very easy to inject dependence's on external packages with just a click of the mouse. the article on "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" shows how easy that act can be exploited. The vulnerability has always been their, but as other exploits are blocked, this one becomes more attractive.
Dependancy Injections
This is about a broad meaning of dependency injections that apply whenever a download application takes a dependency on code from any source outside of the current development project.
" Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" shows how easy that act can be exploited. The vulnerability has always been their, but as other exploits are blocked, this one becomes more attractive.
Solutions
With the issuance of the Executive Order on Cyber Security, NIST was tasked with a definition of Critical Software.
References
- ↑ Lawrence Abrams, Criminals are mailing altered Ledger devices to steal cryptocurrency Bleeping Computer (2021-06-16) https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-altered-ledger-devices-to-steal-cryptocurrency/
Other Material
- See the wiki pages Trusted Computing and Wallet for more examples of supply chain problems.
