How to Effectively Combat Emerging Supply Chain Vulnerabilities

How to Effectively Combat Emerging Supply Chain Vulnerabilities

by Michael F D Anaya

The supply chain is almost impossible to adequately defend, but there is a strategic way forward.

What should be keeping you up at night? Your supply chain, duh…and great Netflix content, but the latter keeps all of us up. So what exactly about your supply chain is the issue? Simply put, since your supply chain is largely outside of your control, it’s a huge blind spot and almost impossible to adequately defend. My advice — mitigate global risk factors, gain as much control over your supply chain (as is viable), and ensure you have safeguards in place when your supply chain fails. Easier said than done, right? Don’t worry, we will break it down together. Let’s start by taking a closer look at a possible threat case.

The Chat Bot Scenario

Imagine you vet a third-party chat bot vendor and after rigorous testing and multiple levels of approval, they are now authorized to be a point of presence on your website. You did it! Now you can check the box and call it a day, right? Well, not quite. Let’s assume that vendor gets breached, and the hackers use the trusted relationship the vendor has cultivated with you to their advantage (remember, the vendor passed all the rigorous testing). So what if the hackers change the chat bot to now prompt your customers to enter personally identifiable information (PII) to “verify” identity? Would you even know this is happening? The chat bot is a not technically running on your web server, it’s running on the client’s machine. There is a high probability your marketing team is in charge of your website or it’s largely outsourced (either way it’s not your security team). Would they know anything is wrong? How much PII will be lost before someone says something? And then let’s not forget GDPR (or CCPA). Are you liable? This type of compromise happened to British Airways; they are now slated to pay a record $230 million GDPR fine.

So needless to say, this would be a bad day (more likely bad weeks/months) for you and your company. Now let’s focus on three areas of concern: globalization, the cloud and edge computing.

Three Areas of Concern

1. Globalization

Globalization is a modern reality that brings many benefits with it along with many costs. Should we hinder globalization? No, nor should we try, but we should be aware of risks we take in the global arena. When you are vetting vendors their county of origin needs to be considered. Why? Well the laws that govern said county, will also impact how information is shared with nation state governments. China, Russia, Iran and North Korea have laws that are quite invasive and draconian, but what about other countries? Should you be concerned with India? What if an Indian vendor were to use a cloud storage provider in China? How does that affect you or your customers? Would you even think to ask? Since I mentioned the cloud, let’s shift our focus there.

2. The Cloud

Bottom line — you save money, but lose control — more importantly many people also feel that shifting to the cloud, also shifts the risk to the cloud vendor, but does it? Ask yourself these questions: If your cloud storage provider suffered a data breach, would they notify you? How long would it take them to learn about the breach? But what if you knew of a data breach, do you have a way to get all logs from the cloud provider needed to conduct an internal assessment of the breach? Who do you call? What if the cloud provider is outside your country? What are the reporting requirements put forth by said country’s regulatory authority? Are you subjected to their regulatory authority? Those are just some of the questions that should be considered. The next area for concern is this notion of edge computing.

3. Edge Computing

This is a relatively new concept that some define differently, so first let me explain what I mean by edge computing. I will use the definition given by the Verge:

The word edge in this context means literal geographic distribution. Edge computing is computing that’s done at or near the source of the data, instead of relying on the cloud at one of a dozen data centers to do all the work. It doesn’t mean the cloud will disappear. It means the cloud is coming to you.

So in other words, it’s computing that occurs on the client’s device (computer or otherwise). So where is this seen? Remember that chat bot example I referenced above? A chat bot is running on your customer’s device, but they likely don’t think about it. More often than not, they assume it’s running on your web server. Therein lies the problem — your customer assumes your site is hosting the service; thus, the customer trusts it, but what if the chat bot is compromised? Would the customer know? Would your team know, since the chat bot is running on the edge (generally outside their purview)? And what does this mean for your brand? No one thinks of the “Delta breach” in 2018 as the “[24] breach” (the company that was actually breached), for it doesn’t generate the same buzz.

A Way Forward

So what can we do about all of this, besides not use the Internet (which is clearly out, since we love binge watching Netflix)? Well, in theory, it’s somewhat simple — mitigate global risk factors (be thoughtful of where a vendor is located), gain as much control over your supply chain, as is viable (be mindful that the cloud is not the panacea for all things security), and ensure you have safeguards in place when your supply chain fails (take control of applications running on the edge). The hard part is actually enacting everything, but that’s when you turn to the people around you — your team, your partners, and others that can lend a hand. It’s a team effort, you don’t have to do it alone.

About the Author

Michael F. D. Anaya is the Head of Global Cyber Investigations and Government Relations for DEVCON DETECT, Inc. (DEVCON). Prior to joining DEVCON, he spent approximately 14 years with the Federal Bureau of Investigation (FBI). He began his career as a Special Agent in the FBI’s Los Angeles field office addressing complex cyber matters for eight years, during which time he led numerous, expansive investigations including one that resulted in the first federal conviction of a US person for the use of a peer-to-peer (P2P) botnet. He then was named a Supervisory Special Agent (SSA) for the Leadership Development Program, charged with bringing together disparate divisions of the FBI focused on a workforce development initiative. This resulted in a more balanced and inclusive program. After implementation of the program, SSA Anaya went on to lead a cyber squad in the FBI’s Atlanta field office. There, he led a diverse group of Agents, Intel Analysts, and Computer Scientists in neutralizing nation state and criminal threats. He secured one of the highest performance standards given by the FBI for the entire Atlanta cyber program, and he helped the program achieve a top five ranking amongst the 56 FBI field offices.

The article has been originally posted at:

July 31, 2019

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Notify of

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013