In October 2018, Bloomberg Businessweek published an extensive investigative article into the compromise of some of the U.S.’s largest organizations. The article details a mammoth hardware hack originating in China, wherein rogue hardware was fitted into motherboards at the beginning of the supply chain and later used to facilitate complete, unrestricted access to the systems at the other end.
This kind of hack unearths a concerning vulnerability in the technology supply chain. With companies such as Apple, Amazon Web Services and even the U.S. Government’s security services allegedly falling victim to the attack, how can any organization hope to protect against a similar breach?
There’s no sure-fire way to completely protect your organizational infrastructure from attack, but reducing your attack surface and taking essential steps to prevent access throughout the data lifecycle are best practices for protecting confidential data.
In this particular hack, the minute hardware inserted into motherboards was loaded with code to override any security controls on the system to which it connected. This effectively created a back door into the system, allowing the originators of the attack complete, unrestricted access.
So, how do you combat such an attack? While many companies practice data sanitization at asset end-of-life, protecting the data from compromise as storage media is destroyed or recommissioned, this practice does not account for devices entering the system. A more comprehensive data sanitization process is needed throughout the entire data lifecycle.
The latest draft of NIST Special Publication 800-53 (Revision 5) makes explicit reference to the need for organizations to sanitize removable media throughout the active data lifecycle:
“Portable storage devices can be the source of malicious code insertions into organizational systems. Many of these devices are obtained from untrustworthy sources and may contain malicious code that can be readily transferred to systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when these devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.”
For your organization to meet NIST’s guidelines, proper data sanitization must be executed throughout the data lifecycle—from active use through end-of-life. You must be mindful of the origin of any storage devices and ensure your data protection policies account for the sanitization of any devices that encounter your systems. Any organization not achieving full data sanitization on assets as they enter and leave a facility is at major risk of a hack as devastating and as far-reaching as the supply chain hack of the Bloomberg Businessweek article.
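The NIST passage above stresses that sanitizing incoming removable media is only worth something if it is verified and recorded. The following script is an added example written for this article; it is not Blancco’s product code and not part of the NIST publication. It assumes a POSIX shell with dd, head, tr and wc, uses a single-pass zero overwrite as a stand-in for whatever sanitization method your policy prescribes, and, so that nobody wipes a real drive by accident, demonstrates itself on a constructed file-backed image rather than a block device. The same function accepts a real device path (for example /dev/sdX) when run deliberately.

```shell
#!/bin/sh
# Added example, not the page's or Blancco's code.
# Nondestructive sanitization of removable media before first use:
#   1. overwrite the whole device with zeros,
#   2. read it back and verify that no non-zero byte remains,
#   3. emit a chain-of-custody record line for the asset register.
set -eu

# Size in bytes of a block device or of a file-backed image.
media_size() {
    target="$1"
    if [ -b "$target" ]; then
        blockdev --getsize64 "$target"     # Linux util-linux; assumption
    else
        wc -c < "$target"
    fi
}

# Count non-zero bytes in the first $2 bytes of $1. Returns 0 when fully zeroed.
nonzero_bytes() {
    head -c "$2" "$1" | tr -d '\000' | wc -c
}

# Overwrite, verify, and print an audit record. Exit 1 if verification fails.
sanitize_media() {
    target="$1"
    size=$(media_size "$target")

    # Single-pass zero overwrite; conv=notrunc keeps an image file's length.
    head -c "$size" /dev/zero | dd of="$target" bs=1048576 conv=notrunc 2>/dev/null
    sync

    # Independent read-back: "sanitization provides additional assurance"
    # only if we check the result rather than trust the write.
    remaining=$(nonzero_bytes "$target" "$size")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$remaining" -eq 0 ]; then
        echo "$stamp target=$target bytes=$size method=zero-overwrite result=VERIFIED"
        return 0
    fi
    echo "$stamp target=$target bytes=$size method=zero-overwrite result=FAILED nonzero=$remaining" >&2
    return 1
}

# Self-demonstration on a constructed image (random content stands in for an
# untrusted device's unknown contents). No real device is touched.
demo_sanitize() {
    img=$(mktemp)
    head -c 3000 /dev/urandom > "$img"
    before=$(nonzero_bytes "$img" 3000)
    sanitize_media "$img"
    after=$(nonzero_bytes "$img" 3000)
    rm -f "$img"
    echo "nonzero bytes before=$before after=$after"
}

demo_sanitize
```

The record line is the part most often skipped in practice: without a timestamped, verified entry per device, you cannot show an auditor which media entered the facility sanitized and which did not. On a real device, run the function as root and double-check the path first; the verification pass reads the full device, so budget time accordingly for large media.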
Don’t get caught without the proper data sanitization processes in place. Fully sanitize all removable media prior to any contact with your systems with Blancco Removable Media Eraser. Get your free enterprise trial today.