Supply Chain Attack: Why Organizations Need Data Sanitization at All Stages of the Data Lifecycle

IT teams need to guard their infrastructure from outside attack, but they must also look at software and hardware that come from third-party suppliers and vendor partners—even trusted ones. This is particularly true for portable storage devices such as USBs and external or removable drives. Here’s how secure data erasure can help.

Vivian Cullipher Vivian is a career writer and editor, having covered technology-related topics for government and B2B organizations since before LinkedIn and the iPhone. As Blancco’s communications and content manager, she supports the development of thought-leadership-based copy for web, social media, and other Blancco communication channels.

While many cyber security threats seem to focus on network vulnerabilities, the reality is that your entire supply chain is vulnerable to attack.

Hardware, software, human error and third-party vendors are all prime targets for cyber criminals attempting to access your valuable data. Trouble arises when manufacturing processes are interrupted by the insertion of rogue hardware or software meant to gain access to buyers’ networks. These supply chain attacks can go undetected by manufacturers and resellers, leaving enterprise purchasers at risk of procuring compromised materials—and sellers at risk of broken trust.

COVID-19 response has not only disrupted normal manufacturing processes, but also increased cyber vulnerabilities within the manufacturing industry. However, that is merely building on a rising number of supply chain compromises: according to a 2019 report by Symantec, supply chain software attacks increased 78 percent in 2018 alone.

The Importance of Supply Chain Security in Hardware Procurement

To combat having malicious IT assets installed within enterprise networks, contractors must be held to stringent security practices when integrating hardware into an organization’s system. But all procured assets require careful review.

In a 2019 blog, “Guarding against supply chain attacks—Part 1: The big picture,” Microsoft authors list hardware component attacks as among the most logical place in a supply chain to insert vulnerabilities. For an enterprise, outside suppliers and service providers present a unique challenge to supply chain security due to the lack of control an organization has over a third party’s internal procedures. In addition, reports of vulnerable firmware installations on computer hardware can result in added risk for both trusted vendors and end users.Related Article:  Remote Device Data Erasure for an Increasingly At-Home Workforce

Beyond Scanning: NIST Recommends Sanitization as Defense Measure

When purchasing hardware, whether servers, portable storage devices or removable media, “trust but verify” should always be the norm. This means asking manufacturers about their security protocols and vendor relationships, as well as identifying the enterprise systems and components that would cause the greatest harm if compromised.

Even then, hardware compromises can be hard to detect.

While many companies practice data sanitization at asset end-of-life (protecting data from compromise as storage media is destroyed or recommissioned), non-destructive asset sanitization can play an important role in minimizing your vulnerability to a supply chain attack via new assets.

When finalized, the latest version of NIST Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations,” from the U.S. National Institute of Technology, will be available for use by all organizations, not just U.S. federal governments. The latest draft of Revision 5 (March 2020) continues to recommend that organizations sanitize data storage devices throughout the active lifecycle, starting at purchase, to protect against vulnerabilities in the supply chain (emphasis mine):

Portable storage devices can be obtained from untrustworthy sources and can contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.

NIST Special Publication 800-53, Rev 5

Likewise, data sanitization and security procedures should be applied wherever practical for new IT devices, as malware can be introduced on a wide range of hardware. For instance, the U.S. Federal Bureau of Investigation issued an alert in April 2020 of Kwampis malware actors targeting healthcare hardware and software during the COVID-19 pandemic. In 2019, low-budget mobile phones came with pre-installed malware.

Organizations must be mindful of the origin of any device. IT security policies should address the possibility of a supply chain attack as an entry point to your business network and encourage device sanitization before installation where it makes sense.

Data Sanitization: A Key Component in Supply Chain Security

There’s no sure-fire way to completely protect your organizational infrastructure from all cyber threats. However, sanitizing new devices from the beginning of the asset lifecycle is a best practice for protecting your network and its confidential data from a supply chain attack.

Secure data erasure is a software-based sanitization process that removes all data from a device while leaving the device intact and usable. It also provides verification and a tamper-proof certificate attesting that data sanitization has occurred.

Fortify IT Assets Against Supply Chain Vulnerabilities—See How with a Free Trial

To combat the trend of increasing attacks to the technology supply chain, fully sanitize all data storage devices before they come into contact with your systems. We recommend that you use our Data Erasure Solution Picker to find what non-destructive sanitization solution is best for your organization and set of devices, then contact us for a free data erasure trial within your environment.