There is probably no company in the world that can design and manufacture all of the components included in its IT infrastructure, and there are sound business reasons not to try: focusing on core competencies will likely yield the highest return on investment. This means that managing the supply chain and monitoring third parties in an IT environment are critical components of many information security programs.
The issue of compromised hardware in the supply chain resurfaced recently when Bloomberg Businessweek published a report on a hardware vendor that, the outlet alleged, had shipped products with compromised chips in their systems.
In this tip, we'll take a look at the issue of potentially compromised hardware and enterprise protections.
Potentially compromised hardware
The physical security of hardware is the root of trust for most systems: every layer of software, from the firmware up, assumes the hardware beneath it is honest. This is why many web-scale companies, such as Google, have invested significant resources in hardware and physical security. A server with malware in its hardware, such as in the hard drive firmware, is difficult to detect and remediate, because the implant sits below the operating system and survives a reinstall. The largest companies can potentially handle these risks, as Google did with its improved hardware security, but few enterprises have the resources to do so.
The hardware supply chain is incredibly complex, and most enterprises buy their servers from established vendors. A hardware vendor may design and assemble the overall system and document the software, components and chips in a server. However, the vendor also works with many different suppliers -- suppliers that likely have their own supply chains to manage -- to take advantage of lower prices or the necessary expertise.
An attacker or insider at the vendor -- or at any of its suppliers -- could insert a malicious design, such as an entire chip or specific circuitry, to compromise the hardware. The implant could do almost anything, from weakening cryptographic operations to stealing sensitive data.
Enterprise protections from potentially compromised hardware
An enterprise's tolerance for risk and the resources available will drive its plans for managing this risk; there is a spectrum of options to help you manage the risk of potentially compromised hardware in your environment.
Research projects have compared manufactured silicon with the original designs to find added or altered circuitry; this type of approach can be used in high-security environments on all new hardware, or when choosing new components to include in systems your enterprise designs or manufactures.
Your enterprise could also add clauses to vendor contracts stating that products must be free of malicious defects, but a vendor is unlikely to agree to this. This type of threat may also be part of a state-level attack, and against that class of adversary your enterprise will largely have to accept the risk, as there is little that can be done to stop the insertion itself; the remaining controls are about detecting its effects.
For a more measured response, your enterprise may want to monitor servers for unexplained network traffic. Every network connection a server has, including backup, management, monitoring and internal-only links, should be covered, not just its internet-facing interface. Monitoring flow metadata (who talked to whom, on which port, how often and how much) across all of those links is more useful here than deep-packet inspection on the internet connection alone, because an implant can beacon or exfiltrate over an out-of-band management interface or an internal link that nobody inspects.
Once anomalous connections are identified, they can be investigated in depth. This won't identify hardware that uses non-IP, cellular, Bluetooth or satellite connections to extract data from your enterprise, but if that is a concern, you can use shielded data center racks or even design the data center as a whole to stop radio frequencies from escaping the facility.
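As an added example that is not part of the original article, the Python below implements the baselining approach just described: per-role allow lists of the internal destinations a server is expected to reach (backup, management, monitoring, and so on), a constructed inventory mapping source addresses to roles, constructed flow records, and a report of every connection the baseline does not explain. Findings are scored higher when the destination is outside the internal ranges or the source is a management controller, and flagged as beacon-like when the same connection recurs at a regular interval. The baseline entries, inventory, addresses, the flow-record format and the severity rules are all assumptions for illustration, not anything the article or a specific product defines.

```python
"""Flag server connections that fall outside a per-role network baseline.

Added example, not from the original article. The baseline, inventory and
flow records below are constructed; a real deployment would feed NetFlow/IPFIX
or firewall logs and draw the baseline from the CMDB or a learning period.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges; anything outside these is treated as external (assumption).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Expected (destination network, port, purpose) per server role. Constructed.
BASELINE = {
    "web": [
        ("10.10.0.0/24", 5432, "database"),
        ("10.20.0.5/32", 514, "syslog"),
        ("10.20.0.0/24", 10050, "monitoring agent"),
        ("10.30.0.10/32", 22, "backup"),
        ("10.0.0.0/8", 53, "dns"),
    ],
    # Out-of-band management (BMC) must only ever reach the management network.
    "bmc": [
        ("10.99.0.0/24", 443, "management console"),
        ("10.99.0.0/24", 623, "IPMI"),
    ],
}

# Source address -> role (constructed inventory). 10.99.0.111 is the BMC of 10.1.0.11.
INVENTORY = {"10.1.0.11": "web", "10.1.0.12": "web", "10.99.0.111": "bmc"}

# Constructed flow records: "epoch src dst dport proto bytes".
# The three hourly BMC connections to 198.51.100.23 are the planted implant traffic.
SAMPLE_FLOWS = """\
1700000000 10.1.0.11 10.10.0.7 5432 tcp 48213
1700000001 10.1.0.11 10.20.0.5 514 udp 911
1700000002 10.1.0.12 10.30.0.10 22 tcp 81234567
1700000005 10.1.0.11 10.0.0.2 53 udp 120
1700003600 10.99.0.111 198.51.100.23 443 tcp 1432
1700007200 10.99.0.111 198.51.100.23 443 tcp 1388
1700010800 10.99.0.111 198.51.100.23 443 tcp 1401
1700000010 10.1.0.12 10.10.0.99 8443 tcp 2048
1700000011 10.99.0.111 10.99.0.5 443 tcp 5000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def explain(role, dst, dport):
    """Return the baseline purpose that covers this destination, or None."""
    addr = ip_address(dst)
    for net, port, purpose in BASELINE.get(role, []):
        if dport == port and addr in ip_network(net):
            return purpose
    return None


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def regular_interval(timestamps, tolerance=0.1):
    """True when three or more connections recur at a near-constant interval (beacon-like)."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps)


def find_unexplained(flows):
    """Group flows that no baseline entry explains by (src, dst, dport) and score them."""
    groups = defaultdict(list)
    for f in flows:
        role = INVENTORY.get(f["src"])
        if role is None or explain(role, f["dst"], f["dport"]):
            continue  # unknown source is out of scope here; explained flows are fine
        groups[(f["src"], f["dst"], f["dport"])].append(f)
    findings = {}
    for key, fs in groups.items():
        src, dst, _ = key
        external = not is_internal(dst)
        findings[key] = {
            "role": INVENTORY[src],
            "count": len(fs),
            "bytes": sum(f["bytes"] for f in fs),
            "external": external,
            "beacon": regular_interval([f["ts"] for f in fs]),
            # Anything leaving for the internet, or anything odd from the management
            # plane, is the worst case; unexplained internal traffic is still worth a look.
            "severity": "high" if (external or INVENTORY[src] == "bmc") else "medium",
        }
    return findings


if __name__ == "__main__":
    report = find_unexplained(parse_flows(SAMPLE_FLOWS))
    for key, rec in sorted(report.items(), key=lambda kv: kv[1]["severity"]):
        print(key, rec)
```

Run stand-alone, this reports two findings: the BMC beaconing hourly to an external address on 443 (high severity, three regularly spaced connections) and a web server reaching an internal host and port the baseline never listed (medium). The point of keying the baseline by role rather than by host is that an implant shipped in a batch of identical servers shows up as the same unexplained destination across all of them, which is itself a useful signal when you investigate.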
For enterprises using cloud IaaS systems or other hosted systems, the provider should take steps to ensure the systems are physically secure and that the appropriate hardware security is in place. The provider must also monitor its own infrastructure for suspicious network connections, since you have no visibility into the provider's management and out-of-band networks, which are exactly the covert channels a hardware implant would use.
Your enterprise may even want to include in the provider's contract that it is the provider's responsibility to ensure this is done. Providers may not agree, but some may, and putting it into a contract clarifies whether it is an expectation of the provider. Taking it to the next level requires the provider to ensure that the hardware is free from outside tampering and, if tampering is found, to remediate the issues at its own expense.
While it's impossible to mitigate all vulnerabilities and stop all attacks before they compromise the security of your systems, understanding the potential for vulnerabilities in your systems, in your supply chain or with third-party service providers is critical to effectively managing the risk. That means assessing the potential risk, implementing a compensating control to minimize the impact of a vulnerability or simply accepting the risk.