Sunday, January 9, 2011

How secure are your service providers?

To follow up on the previous post on how service providers can get a company into trouble, I just read Richard Bejtlich's blog article about plausible links between information leaks at suppliers' information systems and the development of China's new J-20 stealth fighter. While I am not saying that this is what happened, it certainly brings up a scenario that we should be aware of.

Let's take a look at how this might happen...

In working with our large and small business partners, information has to be passed back and forth. With an advanced persistent threat (APT) implanted in these partners' information systems, it is possible to gather a company's intellectual property without ever breaching the security of the original company.

Internal emails or documents can be copied from these partners and deposited into big data systems like Hadoop. Hadoop is an open source Apache project that can be obtained by a simple web download. Companies like Google and Yahoo did the initial research behind it so that they could run efficient web searches over hundreds of millions of web pages.
With these technologies in hand, an attacker can gather relevant and non-relevant messages from a multitude of sources, large and small, into big data systems and sieve them for the information they are interested in.

So taking the attacker's viewpoint, it does not matter whether the stolen information comes from large or small partners. It is usually easier to attack smaller companies because they are not as dedicated to the protection of their information. Collecting information from tens of sources rather than from only one produces the same ultimate result. Because an email has a sender and one or more receivers, when any party gets compromised, this email is compromised.
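The last point can be turned into a simple defender-side exposure model. The following is an added example, not code from the original post: over a constructed mailbox for a hypothetical company `acme.example`, it counts how many messages each external partner would expose if breached, treating a message as exposed when any sender or recipient belongs to a compromised partner domain.

```python
# Added example (not from the original post): a defender-side exposure model.
# A message is exposed if ANY party on it (sender or recipient) belongs to a
# compromised partner, so exposure is driven by who is on the thread, not by
# the size of the partner.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    subject: str
    sender: str
    recipients: tuple


def domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[1].lower()


def parties(msg):
    """All domains that hold a copy of this message."""
    return {domain(msg.sender)} | {domain(r) for r in msg.recipients}


def exposed(messages, compromised):
    """Messages that touch at least one compromised partner domain."""
    comp = {d.lower() for d in compromised}
    return [m for m in messages if parties(m) & comp]


def exposure_by_partner(messages, home):
    """How many messages each external partner could leak if it were breached."""
    counts = Counter()
    for m in messages:
        for d in parties(m) - {home}:
            counts[d] += 1
    return counts


# Constructed sample mailbox; all names and domains are hypothetical.
MAILBOX = [
    Message("wing spar tolerances", "eng@acme.example", ("cad@bigco.example", "qa@tinyshop.example")),
    Message("composite layup rev 3", "eng@acme.example", ("qa@tinyshop.example",)),
    Message("invoice 1042", "ap@acme.example", ("billing@bigco.example",)),
    Message("test flight schedule", "ops@acme.example", ("pm@acme.example",)),
    Message("avionics harness spec", "cad@bigco.example", ("eng@acme.example", "qa@tinyshop.example")),
]

if __name__ == "__main__":
    for d, n in exposure_by_partner(MAILBOX, "acme.example").most_common():
        print(f"{d}: {n} of {len(MAILBOX)} messages exposed if breached")
```

In this sample the small shop sits on as many engineering threads as the large partner, so a breach there leaks the same documents.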

What can we do?

The credit card industry imposed PCI-DSS security compliance on any company dealing with credit card transactions. The medical industry imposed HIPAA security compliance on doctors and their service providers. It is high time industries like engineering and manufacturing start issuing security guidelines to their tiered suppliers and make sure they are understood and adhered to.
