Rising supply chain attacks mean organizations must tread carefully when buying IT—even from trusted suppliers. Data erasure can help.
While many cyber security threats seem to focus on network vulnerabilities, the reality is that your entire supply chain is vulnerable to attack.
Hardware, software, human error and third-party vendors are all targets for cyber criminals attempting to access your data. Trouble arises when manufacturing is interrupted by the insertion of rogue hardware or software meant to gain access to buyers’ networks. These supply chain attacks can go undetected, leaving enterprise purchasers at risk of procuring compromised materials—and sellers at risk of broken trust.
Deloitte recently reported that COVID-19 response has not only disrupted normal manufacturing processes, but also increased cyber vulnerabilities within the manufacturing industry. However, that is merely building on a rising number of supply chain compromises: according to a 2019 report by Symantec, supply chain software attacks increased 78 percent in 2018 alone.
The Importance of Supply Chain Security in Hardware Procurement
To combat having malicious IT assets installed within enterprise networks, contractors must be held to stringent security practices. But the assets themselves also require careful review.
In a 2019 blog, “Guarding against supply chain attacks—Part 1: The big picture,” Microsoft authors list hardware component attacks as among the most logical places in a supply chain to insert vulnerabilities. For an enterprise, outside suppliers and service providers present a challenge to supply chain security due to the lack of control an organization has over a third party’s internal procedures. In addition, reports of vulnerable firmware installations on computer hardware can result in added risk for both trusted vendors and end users.
NIST Recommends Asset Sanitization to Combat Supply Chain Attacks
When purchasing hardware, whether servers, portable storage devices or removable media, “trust but verify” should always be the norm. This means asking manufacturers about their security protocols and vendor relationships, as well as identifying the enterprise systems and components that would cause the greatest harm if compromised. Even then, hardware compromises can be hard to detect.
While many companies practice data sanitization at asset end-of-life (when hardware is destroyed or recommissioned), non-destructive asset sanitization, or data erasure, can play an important role for new assets.
NIST Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations,” will soon be available for use by all organizations, not just U.S. federal governments. Revision 5 (March 2020) continues to recommend that organizations sanitize data storage devices throughout the active lifecycle, starting at purchase, to protect against vulnerabilities in the supply chain (emphasis mine):
Portable storage devices include external or removable hard disk drives (solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and can contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.
Likewise, data sanitization should be applied wherever practical, as malware can be introduced on a wide range of hardware. For instance, the FBI issued an alert in April 2020 about Kwampis malware actors targeting healthcare hardware and software during the COVID-19 pandemic. In 2019, low-budget mobile phones came with pre-installed malware.
Data Sanitization: A Key Component in Supply Chain Security
There’s no sure-fire way to completely protect your infrastructure from all cyber threats. However, sanitizing new devices from the beginning of the asset lifecycle is a best practice for protecting your network and its confidential data from a supply chain attack.
Secure data erasure is a software-based sanitization process that removes all data from a device while leaving the device intact and usable. It also provides verification and a tamper-proof certificate attesting that data sanitization has occurred.