Today we have a guest blogger –  Chris Fagan, Senior Director, Trustworthy Computing, Microsoft. Chris discusses IT supply chain risk assessment.

The assessment of supply chain risks in information technology systems is an area of increasing interest. NIST has recently released an internal report for public comment, IR7622 “Piloting Supply Chain Risk Management for Federal Information Systems.” This report takes an expansive view of IT supply chain risks and this presents cyber security professionals with challenges. One challenge is to identify the potential vulnerabilities that need to be threat modeled and integrated into current risk assessment practices. To identify potential vulnerabilities, a broad-brush approach is required.

An IT system harbors vulnerabilities originating from different sources. These sources range from the practices used to operate the system, the “path” IT elements take before being incorporated into the system, the IT elements themselves that comprise the system, and finally changes that occur during the system’s lifetime.

The plethora of potential vulnerabilities associated with the practices used to operate an IT system and its elements can be organized into a number of buckets based on their source:

  1. End User Practices: Poor end-user practices, e.g. no or weak passwords; trawling the web; opening suspect emails.
  2. IT System Operating Practices: Poor system operating practices, e.g. not updating patches; the broad use of system accounts.
  3. IT System Configuration: Miss-configuration of otherwise sound IT elements, e.g. open ports; insufficient security between elements.
  4. Counterfeit Elements: Counterfeit hardware or a counterfeit component within an element, e.g. purchased through a grey market; switched somewhere between supplier and integrator.
  5. Element Weaknesses: An unintentional weakness in the fabric of the material of a genuine IT element or component, e.g. hardware errors, coding errors, fatigued code (code which met best practices when developed, but has since become vulnerable as attack techniques improve).
  6. Tampering: A genuine IT element is intentionally altered during development, transport, maintenance or during operation, e.g. malware inserted, Hardware and Software Integrity.

These buckets assist risk professionals in three ways. First, they provide a checklist to ensure that common sources of vulnerabilities have been considered.Second, risk reduction activities can be focused on each bucket. And third, the improved measurement enabled by these buckets helps when calculating the return on investments made to mitigate risks.

These buckets are populated with potential vulnerabilities that originate during a system’s lifetime. This lifetime is punctuated by two milestone events – system commissioning and system retirement. These milestones segment a system’s lifetime into three phases – integration, operation and disposal. Potential vulnerabilities can be identified in each phase. Say for example, the threat being considered is that a counterfeit hardware component contains a potential vulnerability. One can ask in which phase a component is incorporated into the IT system, for instance, is it incorporated prior to the system being commissioned or is it introduced as a replacement part 10 years into the system’s life? Controls against the different threats that could introduce a counterfeit component need to be applied in the appropriate phase.

One can also ask about the “path” by which a component or element arrives in a system. An IT system’s supply chain is the collection of supply chains for each of the system’s elements. Broadly interpreted, an IT element can be hardware, software, or even services since the operation and maintenance of an IT system is a service that may be outsourced. For example, if a control, designed to mitigate the threat posed by a counterfeit component, was to purchase an additional genuine component during the integration phase and store it until needed, then access to storage needs to be secured. Thus storage is one location in the component’s supply chain and potential vulnerabilities associated with that presumably secure storage need to be identified.

The buckets listed above provide a framework that assists security professionals in making informed supply chain risk assessments. The examples provide a flavor for how vulnerabilities are identified by considering where in an IT system vulnerabilities manifest themselves, the phases in an IT system’s lifetime, and the path components and elements take prior to arriving in the IT system.