Supply chain risk: Addressing a multitude of single points of failure -- FCW


By John Loucaides
 
It's well understood that the technology supply chain introduces risk, but until recently, the focus has been on people and processes, leaving the technology itself as a major visibility gap. To effectively manage supply chain risk, government organizations must understand and address the full scope of the supply chain. As recent attacks have demonstrated, that extends to the software and update process as well.
When considering supply chain risk, an attack during product transport can cause irreparable harm. However, physically tampering with hardware is not scalable. Manipulating the software inside hardware (firmware), on the other hand, very much is. In the Sunburst campaign, attackers delivered a malicious backdoor to over 18,000 SolarWinds customers by compromising the authorized software update infrastructure. This is similar to the previous ShadowHammer attack, where compromised ASUS update servers were used to push malware to hundreds of thousands of customers. In both cases, the updates were properly signed and appeared valid.
