While many cyber security threats seem to focus on network vulnerabilities, the reality is that your entire supply chain is vulnerable to attack.
Hardware, software, human error and third-party vendors are all prime targets for cyber criminals attempting to access your valuable data. Trouble arises when manufacturing processes are interrupted by the insertion of rogue hardware or software meant to gain access to buyers’ networks. These supply chain attacks can go undetected by manufacturers and resellers, leaving enterprise purchasers at risk of procuring compromised materials—and sellers at risk of broken trust.
COVID-19 response has not only disrupted normal manufacturing processes, but also increased cyber vulnerabilities within the manufacturing industry. However, that is merely building on a rising number of supply chain compromises: according to a 2019 report by Symantec, supply chain software attacks increased 78 percent in 2018 alone.
The Importance of Supply Chain Security in Hardware Procurement
To keep malicious IT assets out of enterprise networks, contractors must be held to stringent security practices when integrating hardware into an organization’s systems. But all procured assets require careful review, not just those installed by contractors.
In a 2019 blog, “Guarding against supply chain attacks—Part 1: The big picture,” Microsoft authors list hardware component attacks among the most logical places in a supply chain to insert vulnerabilities. For an enterprise, outside suppliers and service providers present a unique challenge to supply chain security because the organization has no control over a third party’s internal procedures. In addition, reports of vulnerable firmware shipped on computer hardware add risk for both trusted vendors and end users.
Beyond Scanning: NIST Recommends Asset Sanitization to Combat Supply Chain Attacks
When purchasing hardware, whether servers, portable storage devices or removable media, “trust but verify” should always be the norm. This means asking manufacturers about their security protocols and vendor relationships, as well as identifying the enterprise systems and components that would cause the greatest harm if compromised.
Even then, hardware compromises can be hard to detect.
While many companies practice data sanitization at asset end-of-life (protecting data from compromise as storage media is destroyed or recommissioned), non-destructive asset sanitization can play an important role for new assets.
When finalized, the latest version of NIST Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations,” from the U.S. National Institute of Standards and Technology, will be available for use by all organizations, not just the U.S. federal government. The latest draft of Revision 5 (March 2020) continues to recommend that organizations sanitize data storage devices throughout the active lifecycle, starting at purchase, to protect against vulnerabilities in the supply chain (emphasis mine):
Portable storage devices include external or removable hard disk drives (solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and can contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.
Likewise, data sanitization and security procedures should be applied wherever practical to new IT devices, because malware can be introduced on a wide range of hardware. For instance, the U.S. Federal Bureau of Investigation issued an alert in April 2020 about Kwampirs malware actors targeting healthcare hardware and software during the COVID-19 pandemic. In 2019, low-budget mobile phones shipped with pre-installed malware.
Organizations must be mindful of the origin of any device. Data protection policies should also encourage device sanitization before installation where it makes sense.
Data Sanitization: A Key Component in Supply Chain Security
There’s no sure-fire way to completely protect your organizational infrastructure from all cyber threats. However, sanitizing new devices from the beginning of the asset lifecycle is a best practice for protecting your network and its confidential data from a supply chain attack.
Secure data erasure is a software-based sanitization process that removes all data from a device while leaving the device intact and usable. It also provides verification and a tamper-proof certificate attesting that data sanitization has occurred.
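The overwrite, read-back verification and tamper-evident certificate steps described above, as an added illustration that is not the vendor's or NIST's code: it runs on a file-backed image standing in for a removable drive, and the key, field names and record format are assumptions. On SSDs and flash media a host-side overwrite cannot reach remapped or over-provisioned cells, so a real erasure tool drives the device's own sanitize or secure-erase command instead; the verify-and-certify workflow is the same.

```python
# Added illustration, not vendor or NIST code: overwrite, read back, certify.
import hashlib
import hmac
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # process the image in 1 MiB pieces

def make_sample_image(size: int) -> str:  # constructed stand-in for a new drive
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(os.urandom(size))  # "factory" contents we do not trust
        return f.name

def overwrite(path: str, fill: int = 0x00) -> int:
    """Write `fill` over every byte of the image; returns bytes written."""
    size, block, written = os.path.getsize(path), bytes([fill]) * CHUNK, 0
    with open(path, "r+b", buffering=0) as f:  # unbuffered, so fsync is real
        while written < size:
            n = min(CHUNK, size - written)
            f.write(block[:n])
            written += n
        os.fsync(f.fileno())  # push data to the medium before verifying
    return written

def verify(path: str, fill: int = 0x00) -> bool:
    """Independent read-back: the image must now contain nothing but `fill`."""
    block = bytes([fill]) * CHUNK
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != block[: len(chunk)]:
                return False
    return True

def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def certificate(path: str, verified: bool, key: bytes) -> dict:
    """Tamper-evident record: HMAC-SHA256 over the canonical JSON body."""
    body = {"device": os.path.basename(path), "bytes": os.path.getsize(path),
            "verified": verified, "timestamp": int(time.time())}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body

def check_certificate(cert: dict, key: bytes) -> bool:
    body = {k: v for k, v in cert.items() if k != "mac"}
    expect = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, cert.get("mac", ""))  # edits break the MAC
```

The signing key must live with whoever audits the certificates, not on the machine that performs the erasure, or the record proves nothing.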
What You Can Do
To counter the rising number of attacks on the technology supply chain, fully sanitize all data storage devices before they come into contact with your systems. We recommend that you use our Data Erasure Solution Picker to find the non-destructive sanitization solution that best fits your organization and set of devices, then contact us for a free data erasure trial within your environment.