In a recent blog post, Nitzan Daube, CTO of NanoLock, explains why security focus must span IT hardware, physical security, and the cyber security consequences of both. Wapack Labs agrees wholeheartedly, and is providing solutions.
Wapack Labs participated in a recent lecture at the October 2018 ASIS Conference, held in Las Vegas, NV. Our joint lecture specifically addressed hardware compromise, adherence to physical security, and the psychology of insider threats. Recent reports of malicious infiltration into US companies through the addition of a small chip on a motherboard (by a Chinese government manufacturer) expose how some hackers are bypassing software security and focusing on hardware compromise to gain access and manipulate code within operating systems. While these claims have been vehemently denied by China, that does not change the fact that hardware manipulation and physical hacking are an impending threat.
Hardware - This hardware chip addition demonstrates the vulnerabilities on the hardware production line within the international IT supply chain. It raises security concerns about the supply chain as an attack route, a new and emerging combined physical and cyber security threat. After an extensive investigation of the Chinese-based hardware, US investigators concluded that the intricate hardware manipulation scheme was the work of a People’s Liberation Army unit specializing in hardware attacks. The unit is believed to have focused on high-priority targets, including advanced commercial technology and the computers of China’s military adversaries. The attack by these Chinese spies reached almost 30 US companies, including Amazon and Apple, by compromising America’s technology supply chain. This was not good.
Software - In 2016, the US Federal Bureau of Investigation released information to the public regarding Russian agents placing malware on government computers to hack election-related technology and equipment in an effort to interfere with the US electoral process. Russia continues to target the US: evidence has been exposed of Russian probing of electric grids and nuclear power plants for vulnerabilities and opportunities to gain control over their operating systems. This Russian threat remains active to this day, and Wapack Labs has reported on numerous Russian attacks.
One of our physical security colleagues on the ASIS conference panel shared a story of a recent security assessment he conducted at a company within the US critical infrastructure energy sector. His initial assessment of their security policies and procedures indicated the company had a solid physical security posture. As he was walking the plant with a security guard, he asked the guard if he had ever seen anything that troubled him about the security of the plant. The guard said he thought their procedures were quite good, but mentioned that he had seen something that bothered him. A few weeks prior, the plant had invited several foreign nationals in to share technology. The foreign “scientists” passed through the normal plant security procedures, yet the guard observed them taking screen shots of the plant’s computers with their personal cell phones (which had not been segregated). So the “scientists” were prohibited from using their personal laptops, could not take notes out of the plant, and had to adhere to other physical security procedures, yet a gap in those procedures permitted the use of “personal” cell phones inside the plant. Again, not good.
Another security professional on this panel provided a brief exposing the continued use of malicious electronic hardware placed in office and computer room settings: devices used to provide visual and electronic intrusion into corporate offices and, through the server rooms, to defeat network operations. Some of this is older surveillance technology, yet it remains in continued use for state-sponsored and/or economic espionage.
Many companies have organizational structures that do not include the Human Resources (HR) department within either cyber or physical security operations. These structures promote stovepiped information flow to C-suite decision makers and often deter the crucial collaboration needed to proactively identify potential insider threats. Proactively identifying insider threats focuses on stopping negligent IT operations or catching actual signs of nefarious financial or subversive cyber motivations.
With hardware production vulnerabilities a reality and IT professionals developing proactive network security strategies, corporations need to recognize suspected insider-threat employees with physical, network, and device access as critical intrusion points. In hardware production, suspected employees may have access to devices on the production line or at multiple touchpoints in the supply chain. Physical and cyber security must start on the production line and continue protecting the product through and after a device’s delivery. IT supply chain organizations need to be aware that a product or device can be breached in transit or in storage, even before it is delivered to its designated customer installation. For any company, protecting and monitoring software is not enough; recent attacks dictate that hardware protection is also crucial. Protecting and monitoring the end device is critical. CPU security applications are not always enough, nor do they provide all-inclusive protection of the end device’s firmware, which is what can prevent a malicious chip attack like the one implemented by the Chinese hackers. The Chinese implant of a suspect chip, which effectively manipulated the stored code by injecting its own code and changing the order of the CPU instructions, demonstrates these hardware vulnerabilities. The implanted chip gave the hackers access to sensitive data stored on the device. Enhancing both current hardware and end device protection will prevent attacks that alter the operating system and steal code. Added hardware that bypasses every security layer exposes a very real threat at the production level. To counter savvy hackers who have evolved to manipulating the operating system by using hardware to gain access, a solution that protects devices from code manipulation or takeover of the board must be implemented to solve the root of the problem and ease the market’s biggest fear: attacks from the inside.
Insider threats plague even the most sophisticated corporate offices, the US Government included, and nearly every corporation in the world. One unhappy employee can ruin your day and your reputation, and cost millions of dollars in losses. Wapack Labs has designed and built a new offering, the virtual Chief Trust Officer (vCTO) Program. Trust is the key to corporate success. The vCTO can perform government-designed background checks, interview your employees, perform a variety of sensitive internal cyber investigations, and help set up a proactive, preventative insider threat program. The program is designed to protect your company, employees, and families from insider threats.
- Conduct incident response operations.
- Perform government-level standard background checks on all or vulnerable employees, supporting fraud, ethics, human resources, or legal activities.
- Conduct social media and deep/dark web collection and analysis.
- Develop a proactive insider threat program.
For questions, comments or assistance regarding this report, please contact Wapack Labs at 844-492-7225, or firstname.lastname@example.org