DIGITAL SUPPLY CHAIN SECURITY - BSides Vienna - PowerPoint PPT Presentation



  1. DEFENDING THE EXPOSED FLANK: DIGITAL SUPPLY CHAIN SECURITY - BSides Vienna 2015

  2. Hi

  3. I’m Dave Lewis

  4. I was a defender for almost two decades

  5. CV: ca.linkedin.com/in/gattaca/

  6. I have the scars to prove it

  7. WHAT HAVE I DONE LATELY?
     • Contributor at Forbes
     • Writer for CSO Online
     • Advisory board for Sector Security Conference
     • Co-Founder of OpenCERT Canada
     • Founder of liquidmatrix.org
     • Board of Directors for (ISC)2

  8. Now, I work for

  9. SAFE TO SAY... I'M PRETTY HAPPY ABOUT THAT

  10. This isn’t a vendor pitch

  11. I’m here to talk about the exposed flank

  12. Digital Supply Chain Security

  13. LEVEL SETTING
     • I have merely lived it for the last 20 years or so.
     • I'm here to share my perspectives and lessons learned.
     • A collection of my experiences that I hope may provide you with value and actionable items.

  14. ACT 1: MEANING

  15. WHY I'M INTERESTED
     • When I was young I would hear tales of my grandfathers crossing the Atlantic during WWII.
     • One grandfather was delivering goods in the merchant marine.
     • One grandfather was defending the convoys in the Canadian Navy.
     • I learned the perspectives of the attackers and the defenders and the associated cost.
     • Thus my fascination with supply chain security began.

  16. PHYSICAL SUPPLY CHAIN

  17. DIGITAL SUPPLY CHAIN

  18. ONE & A HALF YEARS LATER...

  19. WHAT DO I MEAN?
     • Supply chain in this perspective is the managing of the internal components of an organization.
     • The security to ensure the integrity of the information technology systems.
     • Addressing security at all points in the workflow so that attackers may not openly compromise systems.
     • Attackers might have been focused on stealing trucks historically; now they're after your code.

  20. WHO ELSE IS TALKING ABOUT THIS?

  21. HOW DID MY WIDGET GET HERE? Example of a digital picture frame or USB drive.

  22. MALWARE IN THE PIPELINE...
     • Supply chain issues with regard to Information Technology began to show themselves early on.

  23. THE GROUND FLOOR
     • The focus in supply chain security has historically been towards enhancing the physical security of the supply chain logistics.
     • Lack of concentration on the information technology/security
     • Greater move to decentralized information technology solutions with global scale
     • Information technology and the supply chain

  24. WHO CARES?
     • Who is taking the time to work on the problem?
     • Organizations that work on supply chain security include:
     • World Customs Organization (WCO), Customs Trade Partnership against Terrorism (C-TPAT), Container Security Initiative (CSI) from the US Customs and Border Protection, and the Global Security Initiative from DHS.
     • ISO/PAS 28000 "Specification for security management systems for the supply chain"

  25. ISO 28000:2007
     • ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain.
     • Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact on supply chain security.
     • These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

  26. ISO 28000 HIGHLIGHTS
     • Establish, implement, maintain and improve a security management system
     • Assure conformance with stated security management policy
     • Demonstrate such conformance to others
     • Seek certification/registration of its security management system by an accredited third party Certification Body; or
     • Make a self-determination and self-declaration of conformance with ISO 28000:2007

  27. OUR FLANK? WHAT FLANK? THE MAGINOT LINE

  28. MAGINOT LINE
     • There is a concerted effort to secure the physical side of logistics.
     • IT solutions as they relate to supply chain have typically lacked the same focus.
     • So why should this be of concern?
     • Well...

  29. CASE IN POINT...

  30. WHAT COULD GO WRONG?

  31. ...OR THIS?

  32. ACT II: WAR STORIES AND SUCH

  33. WAR STORY
     • External Penetration Test
     • Partner connections to $MyDayJob were all tested.
     • Testers were able to gain access to $MyDayJob network
     • username: $vendor, password: <blank>

  34. WHAT WENT WRONG
     • Default configurations in place
     • No verification of the security controls in place
     • No active testing of partner connections
     • No contractual language pertaining to third party connections

  35. CHALLENGES & COMPLICATIONS: GLOBAL, LEGAL, COMPLEXITY, HUMAN...

  36. CHALLENGES
     • As we have more and more products delivered to us faster and cheaper, the scale of operations has gone global.
     • What are some impacts of this move?
     • Outsourced help desk
     • Offshore development centres
     • Partner networks

  37. GEOPOLITICAL

  38. LEGAL ISSUES
     • Legal issues are now global ones as the supply chain expands across the globe.
     • How do laws affect the production supply chain?
     • Is there a lack of enforcement of said laws?
     • Are you even legally able to be operating in the country?
     • Ignorance of the law is no defense.

  39. I DON'T WANT TO POINT FINGERS BUT...

  40. BLUE COAT & SYRIA
     • "U.S. Firm Acknowledges Syria Uses Its Gear to Block Web" Wall Street Journal (http://online.wsj.com/news/articles/SB10001424052970203687504577001911398596328)
     • "Update On Blue Coat Devices In Syria" Bluecoat (http://www.bluecoat.com/company/news/update-blue-coat-devices-syria)
     • "Blue Coat Partner Fined $2.8m Over Syria Surveillance Sales" TechWeek EU (http://www.techweekeurope.co.uk/news/blue-coat-partner-fined-surveillance-syria-114548)
     • Exposed by hacktivists. Admitted failure. Fines applied.

  41. ATM, FAVORITE OF NE'ER-DO-WELLS

  42. ANOTHER LEGAL ISSUE EXAMPLE: ATM FRAUD

  43. IT WAS QUICK

  44. THE FLOW

  45. WHAT WENT WRONG?
     • Vulnerable financial institutions
     • Credit card processor was breached on two occasions
     • Withdrawal limits removed on prepaid debit cards
     • Cashing teams ran 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours

  46. INTELLECTUAL PROPERTY
     • We have all read about the APT problems.
     • Concerted efforts to purloin Intellectual Property. (Source Code, Process, Secret Sauce)
     • Using tools like Perforce and Git (as examples), partners often want access to source code.
     • Too often they get this access as a "business decision" which is your organization's secret sauce.

  47. SNIPS IN THE WIRE

  48. SOURCE CODE ISSUES

  49. ...AND SO ON

  50. PARTNER NETWORKS
     • Many manufacturing companies build and maintain interconnected networks
     • The "I have a firewall so I'm OK" mentality should be shelved.
     • Do you check your third party connections?
     • Trust But (Test and) Verify

  51. WAR STORY
     • Magical Support Elves on outsourced software development contract
     • Remote access via VPN and RSA tokens for authentication
     • Faster than a speeding developer...

  52. THE LOGINS
     Chennai - 6:43 pm
     Hyderabad - 6:52 pm
     Mumbai - 7:09 pm
     Goa - 7:22 pm
     Pune - 7:41 pm
     Bangalore - 7:55 pm

  53. SPACE & TIME
     Chennai - Hyderabad = 633 km journey of 9 hours 36 min, in 9 min
     Hyderabad - Mumbai = 708 km journey of 11 hrs 12 min, in 11 min
     Mumbai - Goa = 604 km journey of 9 hrs and 28 min, in 13 min
     Goa - Pune = 457 km journey of 7 hrs and 33 min, in 18 min
     Pune - Bangalore = 836 km journey of 11 hrs and 20 min... in 14 minutes.

  54. THE CATCH
     • What was the common theme between these contractors?
     • They all used the SAME login

  55. WHAT WENT WRONG
     • Contractors were not clearly trained regarding security awareness
     • Contractors shared the same login credentials
     • Active monitoring was not in place
     • The company did not see fit to penalize the contractor as it would have negatively affected renewal negotiations.
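An added example, not from the talk, of the kind of active monitoring slide 55 says was missing: an impossible-travel check over the login times from slide 52 and the road distances from slide 53. The 900 km/h ceiling (roughly airliner speed) and the date attached to the times are assumptions; consecutive logins on one account that imply a faster speed are flagged.

```python
from datetime import datetime

# Login events for the single shared account, in the order shown on slide 52.
# Only clock times are on the slide, so one constructed date is used for all.
LOGINS = [
    ("Chennai", "18:43"), ("Hyderabad", "18:52"), ("Mumbai", "19:09"),
    ("Goa", "19:22"), ("Pune", "19:41"), ("Bangalore", "19:55"),
]

# Road distances between consecutive cities (km), as stated on slide 53.
ROAD_KM = {
    ("Chennai", "Hyderabad"): 633, ("Hyderabad", "Mumbai"): 708,
    ("Mumbai", "Goa"): 604, ("Goa", "Pune"): 457, ("Pune", "Bangalore"): 836,
}

# Assumed ceiling for one person moving between two login locations.
MAX_KMH = 900.0


def _parse(hhmm):
    return datetime.strptime("2015-01-01 " + hhmm, "%Y-%m-%d %H:%M")


def distance_km(a, b):
    """Look up the distance in either direction; None if the pair is unknown."""
    return ROAD_KM.get((a, b)) or ROAD_KM.get((b, a))


def impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (from_city, to_city, minutes, implied_kmh) for every consecutive
    pair of logins whose implied speed exceeds max_kmh. A hop with an unknown
    route or a non-increasing timestamp is returned with implied_kmh=None so
    that an analyst reviews it rather than the event being silently dropped."""
    alerts = []
    for (c1, t1), (c2, t2) in zip(logins, logins[1:]):
        minutes = (_parse(t2) - _parse(t1)).total_seconds() / 60
        km = distance_km(c1, c2)
        if km is None or minutes <= 0:
            alerts.append((c1, c2, minutes, None))
            continue
        kmh = km / (minutes / 60)
        if kmh > max_kmh:
            alerts.append((c1, c2, minutes, round(kmh)))
    return alerts


if __name__ == "__main__":
    for src, dst, mins, kmh in impossible_travel(LOGINS):
        print(f"ALERT {src} -> {dst}: {mins:.0f} min, implied {kmh} km/h")
```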

  56. We weren’t tackling the basics well.

  57. We Failed

  58. HARDWARE TROJANS

  59. MORE RECENTLY...

  60. BATTLEFIELD ROBOTS

  61. OH... RIGHT

  62. YIPES!

  63. MORE RECENTLY: HOME DEPOT, TARGET, GOODWILL

  64. ACT III: WHERE TO FROM HERE?
