अभी अभी:

Oman’s Most Trusted Brands: Interview with Shaun Michael, CEO of Mercedes-Benz Oman

Gov. Tina Kotek laser focused on housing, homelessness in first 60 days

Crystal Palace vs Man City LIVE early team news, predictions and match updates in Premier League

  • NAS
  • 39
  • 12:02 PM Feb 17, 2023

Securing Supply Chains And Protecting Businesses From Critical Vulnerabilities

Securing Supply Chains And Protecting Businesses From Critical Vulnerabilities
Forbes Innovation Securing Supply Chains And Protecting Businesses From Critical Vulnerabilities Sanjoy Maity Forbes Councils Member Forbes Technology Council COUNCIL POST Expertise from Forbes Councils members, operated under license. Opinions expressed are those of the author. | Membership (fee-based) Feb 17, 2023, 07:00am EST | Share to Facebook Share to Twitter Share to Linkedin Sanjoy Maity, Chief Executive Officer, AMI .
getty The supply chain is a significant cybersecurity threat for mission-critical servers in modern data centers or enterprises. During transit, bad actors can replace original components within a server with malicious counterparts. Such components can be hardware, firmware or a combination.
As such, firmware supply chain security detection and recovery are extremely complex and difficult to manage. Firmware security is the foundation of a secure IT infrastructure. If your firmware is breached, all of the elaborate security measures you have won't matter.
Hackers can take control of a machine by gaining access through vulnerable firmware, use the machine as a gateway to bypass them and navigate through to access your enterprise data. As you invest massive capital in securing your organization's security tools, network, databases and applications, you must strongly consider that proper protection from cyber threats starts with secure firmware. What's the point of having a top-notch security system if your firmware remains the soft underbelly? Heed The Warnings In early 2022, the U.
S. Departments of Commerce and Homeland Security released a report detailing the results of a one-year assessment of the supply chains for critical IT infrastructure deployments. The report revealed that major vulnerabilities in firmware—the layer below the operating system (OS)—could result in single-point failures in devices.
MORE FOR YOU The Inside Story Of Papa John's Toxic Culture 3 Common Questions CEOs Have On Rebranding, Answered How Coal Mining's Challenges Are An Indicator Of US Manufacturing Woes In response to these findings, the U. S. Office of Management and Budget issued a memo in late September 2022 requiring all U.
S. federal government agencies to use software (including firmware) that follows the best practices for supply chain security, as outlined by the National Institute of Standards and Technology (NIST). How Supply Chains Get Verified Today Typically, the original equipment manufacturers (OEMs) of the server provide verification tools.
These out-of-band tools measure the server's component integrity from an independent processor known as a baseboard management controller (BMC), which runs sophisticated and complex firmware. This firmware works with an integrated hardware encryption vault within the server known as a trusted compute module (TPM) by cross-checking the encrypted known good keys stored at the manufacturing site. Why Securing Firmware In The Supply Chain Is So Challenging One of the major challenges in firmware security is if the BMC's firmware is compromised during transit, meaning all of the verification processes are compromised as well.
When you think about all of the steps that go into getting a device from the manufacturing site to your hands, it's clear that the supply chain is a complex process involving multiple parties and stages. However, did you know that a firmware attack can happen anywhere along the way? It's true—and with the open-source community contributing to firmware and software code, the risk of vulnerabilities increases unless the code is thoroughly tested. What can be done to proactively protect against supply chain vulnerabilities, detect when there's been a compromise and recover a trusted state of firmware or software? Securing Firmware In The Supply Chain From Manufacturing To The End User Before a device leaves the manufacturing site, it's crucial for the original design manufacturers (ODMs), OEMs and firmware suppliers to work together to ensure the firmware is attested.
How can we protect the firmware throughout the rest of the supply chain, from transit to the end user, and maintain the security of the customer's information? This is where a shift in overall security strategy, followed by new solutions that enhance firmware security from end to end in the supply chain, can create a safer cyber environment. The Keys To Securing And Maintaining Firmware Integrity In The Supply Chain An overarching theme within the supply chain is greater awareness of firmware security. Most devices receive firmware updates only once in their lifetime—and sometimes, that doesn't even happen.
This lack of attention and prioritization around firmware is a key reason why firmware is such a soft underbelly of cybersecurity today. As we strive for better education around firmware security within the supply chain, organizations should start cataloging their existing security practices and speak with their teams and vendors about the solutions that are needed for better protection. Every enterprise's zero-trust strategy should include firmware security and supply chain security.
Another important part of maintaining firmware integrity in the supply chain is using what's called a software bill of materials (SBOM). This machine-readable file contains information on all of the software components in a device, making it easier to identify potential vulnerabilities. Requiring an SBOM from suppliers can help ensure they follow best security practices and controls, particularly regarding firmware security.
Every party involved should be aware of the importance of the SBOM and understand the ways in which attackers can infiltrate firmware in transit. Lastly, the supply chain should be proactive in communicating firmware vulnerabilities. There is a need for increased transparency about firmware security risks from equipment manufacturers, vendors and others within the supply chain.
While some security incidents don't require public disclosure, there still should be coordinated communication among potentially affected parties so they can address and remediate any effects on their systems. If nothing was impacted, they at least have peace of mind going through the exercise and ensuring all fixes and workarounds are in place. Protect Your Business From Cyberattacks With Secure Firmware Security vulnerabilities in the supply chain through firmware are a real and significant security risk for every organization.
While there isn't just one magic bullet that will neutralize this risk, the keys to securing and maintaining the integrity of firmware in the supply chain require a combination of education and tools. With the fundamentals covered, organizations can move on to implementing technologies such as SBOM, attestation software and cloud-based HSM key management to serve as checkpoints throughout the supply chain. Enhancing firmware security and maintaining its integrity throughout the supply chain enhances cybersecurity.
If organizations start strengthening the foundational security in the IT stack, it can protect platform firmware in the organization. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify? Follow me on LinkedIn .
Check out my website . Sanjoy Maity Editorial Standards Print Reprints & Permissions.
Source:
forbes
URL:
https://www.forbes.com/sites/forbestechcouncil/2023/02/17/securing-supply-chains-and-protecting-businesses-from-critical-vulnerabilities/