IT security starts with the supply chain

A secure supply chain is key to risk management and a must for hardware manufacturers and their customers.

If the WannaCry ransomware attacks did nothing else, they motivated businesses to upgrade client operating systems and reiterate end-user security policies. But protecting users and data remains an elusive goal. Far too many enterprises remain vulnerable to attacks, ranging from sophisticated social engineering such as spear phishing to outright denial of service.

Detecting intrusions often relies on human eyes and immature tool sets. The average environmental intrusion—where an unauthorized user has access to a corporate network—remains undiscovered for more than 180 days. That’s six months of at least basic access to an environment where an intruder can negatively impact a business by compromising secure data, stealing customer information, and creating other types of havoc.

It’s rarely a single avenue of attack when a company is targeted. Attack surfaces are everywhere, and locking down everything is rarely possible in a world where business relationships often include interconnected IT services. The best a company can do is ensure the security model is as flexible and reliable as possible, and build security into the environment from the bottom up.

Secure your supply chain

Building from the bottom up means starting with the supply chain. There is a tendency to consider hardware as a non-entity in regard to security until it has been deployed. But if you consider that firmware in the average server or client can involve a million lines of code and be compromised by anyone with physical access, you begin to understand that a secure computing environment requires a secure supply chain.

Consider the vulnerability in an Apple design lab that was reported earlier this year. Apple engineers found infected firmware in server boards acquired from server vendor Supermicro. Apple did not acknowledge the incident, but Supermicro did. Reports indicate that Apple developers downloaded the infected firmware directly from the Supermicro support site, though they did not provide additional information to their hardware vendor, other than a version number that the vendor identified as incorrect.

What actually happened is still unknown, but it's clear the firmware was compromised at some point between manufacture and when engineers attempted the upgrade. No other customer reported problems. The issue was limited to some of the servers delivered to Apple, which could indicate a carefully targeted attack that Apple was fortunate to discover quickly.  

The incident makes you wonder how many servers with infected firmware are out there, perhaps in environments that lack the technical expertise to detect the problem or where no one has considered checking. In most cases, updating firmware such as a BIOS requires manually touching each machine. That partly explains why server hardware tends to go its entire life without being updated.

Smarter servers are secure servers

Potentially lethal attack surfaces are motivating hardware vendors to look at ways to protect their supply chains. Simply limiting access to the hardware is not enough. Hardware must have the tools to protect itself: built-in capabilities to address potential firmware-level attacks and the ability to repair damage or changes made without requiring hands-on intervention. The experiences of IT staff will define the capabilities deployed in the next generations of server hardware. These tools will allow servers to perform periodic self-checks on firmware and, if the current version does not match the known good version, automatically refresh the firmware, reverting it to the known good and approved version of the code.
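The self-check and automatic recovery described above can be sketched in software. This is an added example, not code from the article or from any vendor: the file names, the image contents and the self_check function are hypothetical, and ordinary files stand in for flash regions that real hardware would protect with a root of trust.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash an image in chunks so large firmware files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def self_check(active, golden, approved_digest):
    """Compare the active image to the approved digest; return 'ok', 'recovered' or 'failed'."""
    if sha256_file(active) == approved_digest:
        return "ok"
    # Never restore from a recovery copy that has itself been altered.
    if sha256_file(golden) != approved_digest:
        return "failed"
    staged = Path(str(active) + ".new")
    shutil.copyfile(golden, staged)
    # Re-verify the staged copy before it replaces the active image.
    if sha256_file(staged) != approved_digest:
        staged.unlink()
        return "failed"
    staged.replace(active)
    return "recovered"


def demo():
    """Constructed images in a temp directory stand in for firmware regions."""
    with tempfile.TemporaryDirectory() as d:
        active, golden = Path(d, "active.bin"), Path(d, "golden.bin")
        image = b"CONSTRUCTED-FIRMWARE-v1" * 1000   # constructed sample data
        active.write_bytes(image)
        golden.write_bytes(image)
        approved = hashlib.sha256(image).hexdigest()
        results = [self_check(active, golden, approved)]    # untouched image
        active.write_bytes(image[:-1] + b"X")               # active image altered
        results.append(self_check(active, golden, approved))
        results.append(sha256_file(active) == approved)     # active restored?
        active.write_bytes(b"bad")                          # both copies altered
        golden.write_bytes(b"bad")
        results.append(self_check(active, golden, approved))
        return results


if __name__ == "__main__":
    print(demo())
```

The "failed" outcome is the case to alert on: neither copy matches the approved digest, so recovery needs an image from outside the machine.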

Adding a level of security that can guarantee a malware-free device and shut down the potential attack vector will go a long way in allowing users to meet the statutory and regulatory requirements in place for many commonly mandated security models, ranging from NIST to HIPAA to PCI-DSS. And removing the potential avenue of infection results in faster deployment times and more cost-effective solution deliveries, as one less security issue must be addressed in every system.

Server security: Lessons for leaders

  • Firmware is vulnerable to hackers from manufacture right through the supply chain.
  • The average time an unauthorized user has access to a corporate network before discovery is more than 180 days.
  • Your next server should be able to address potential firmware-level attacks and repair damage without manual intervention.

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.