Live Chat 11/12: Examining the Cyberthreat to Supply Chains

134 comments on “Live Chat 11/12: Examining the Cyberthreat to Supply Chains”

  1. Daniel
    November 12, 2014

    Hi All

  2. Daniel
    November 12, 2014

    Early bird

  3. Daniel
    November 12, 2014

    Security is with the user. They have to maintain the system well with frequent security updates and new protecting methods. Security auditing is the best way to identify such loopholes and they have to conduct such audits once in 6 months to measure the vulnerability.

  4. Susan Fourtané
    November 12, 2014

    Indeed, Jacob, security and privacy always begin with the user. In the same way you lock your door for your home's security, otherwise any stranger can come into your private space, you need to protect your devices from anyone entering the system without authorization. Having the latest possible equipment as well as the latest upgraded software and being extra careful where you download your applications from are of paramount importance.

  5. Susan Fourtané
    November 12, 2014

    And if you have Apple products, never, ever download anything from third-party stores. The only way to keep your devices safe is downloading your apps from the AppleStore.

  6. Hailey Lynne McKeefry
    November 12, 2014

    I'm glad to see the conversation has already begun! This is clearly a hot topic.

  7. Hailey Lynne McKeefry
    November 12, 2014

    We should be getting started at 2PM PST sharp, as soon as our guests arrive. First, though, there are two housekeeping notes:

  8. Hailey Lynne McKeefry
    November 12, 2014

    First, please make a copy of your post before hitting the “post” button – just in case. If the system “eats” one of your carefully crafted thoughts, please hit “Ctrl-Z” to recover it.

  9. Hailey Lynne McKeefry
    November 12, 2014

    This will be a fun, fast, and friendly conversation, so please do not hold back with your comments or questions. There are no dumb questions and we value everyone's point of view.

  10. Hailey Lynne McKeefry
    November 12, 2014

    Second, if you have problems posting, we suggest trying a different browser. IE9 is a popular choice, but some find Firefox, Chrome, or Safari work better.

  11. Hailey Lynne McKeefry
    November 12, 2014

    Questions, theories, ideas, real world experiences and even friendly rants are welcome here.

  12. Hailey Lynne McKeefry
    November 12, 2014

    As you arrive, please introduce yourself so we can offer words of welcome, and offer you a seat as well as a bit of EBN's famous virtual guacamole and chips.

  13. kdawson
    November 12, 2014

    Mmm guacamole.

  14. trandallck
    November 12, 2014

    Good afternoon, Tim Randall from Cramer-Krasselt. Hoping for a great dialogue!

    I am interested in hearing the size of the problem and its reach.

  15. Hailey Lynne McKeefry
    November 12, 2014

    Hi KDawson, glad you could make it! Pull up a chair. Guacamole and chips are on the table to your right. (Red, white and blue in honor of the just-passed Veterans Day in the US)

  16. Hailey Lynne McKeefry
    November 12, 2014

    Hi Tim, so glad you could make it! Feel free to throw questions or thoughts out – or just enjoy the guacamole!

  17. Hailey Lynne McKeefry
    November 12, 2014

    We'll be starting in about five minutes

  18. Hailey Lynne McKeefry
    November 12, 2014

    @tim, PWC came out recently with an in-depth report on this topic. You can find it here: http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf

  19. Jamescon
    November 12, 2014

    Hi, Hailey

  20. Hailey Lynne McKeefry
    November 12, 2014

    Hi, Jim… thanks for stopping by. Pull up a chair. Can I offer you a refreshment? We've got guacamole and red/white/blue corn tortilla chips.

  21. drewsmith
    November 12, 2014

    Good afternoon. This is Drew Smith, CEO and founder of InfoArmor. I look forward to our discussion. And thank you Hailey. Data security is near and dear to my heart.

  22. trandallck
    November 12, 2014

    That is great, I will definitely look at it.

  23. Hailey Lynne McKeefry
    November 12, 2014

    Hi Drew. You are right on time! Thanks so much for stopping by to talk about this important topic. Let's get started with getting the lay of the land: Are these threats real? Do electronics companies have to be particularly concerned?

  24. drewsmith
    November 12, 2014

    Unfortunately, these threats are all too real. And yes, all companies need to be concerned, especially when they are in the business of sharing data with their vendor ecosystem.

  25. trandallck
    November 12, 2014

    Drew, with the supply chain so diverse globally, how can firms adequately prepare for the differences in protocols across their partners?

  26. Hailey Lynne McKeefry
    November 12, 2014

    Are there particular data types that hackers are targeting? Is the profile of the hacker evolving?

  27. Jamescon
    November 12, 2014

    Drew, do companies in the middle of the supply chain not get the attention when it comes to breaches simply because they aren't “consumer-facing”?

  28. drewsmith
    November 12, 2014

    That's a great point and one of the larger problems facing companies with a broad, global reach. The key is being proactive when it comes to data security and adapting to a security framework that addresses both internal and external threats.

  29. kdawson
    November 12, 2014

    Well, there's the “Advanced Persistent Threat,” that one is pretty well known. And identified. And denied by China.

  30. Hailey Lynne McKeefry
    November 12, 2014

    In research released in 2013, the Information Security Forum (ISF) found that, “of all the supply chain risks, information risk is the least well managed,” and that, “forty percent of the data-security breaches experienced by organizations arise from attacks on their suppliers.”

  31. drewsmith
    November 12, 2014

    @hailey Bad actors (i.e. hackers) are interested in any data they can monetize…PII, healthcare, IP, pricing information, etc.

  32. Hailey Lynne McKeefry
    November 12, 2014

    @Drew, and once you have the framework in place, how do you manage the task of ensuring that partners are adhering to it and doing appropriate training?

  33. drewsmith
    November 12, 2014

    @jimc Absolutely. Just because it isn't newsworthy, doesn't mean it's not happening.

  34. Hailey Lynne McKeefry
    November 12, 2014

    I know with risk management in general there has to be a triage process about which threats are most compelling. The same seems to be true with cybersecurity. Limited budgets and time and all that. How should organizations go about figuring out which suppliers and which systems to focus on?

  35. trandallck
    November 12, 2014

    JIMC, consumer-facing is an excellent point. Production and transportation are not as newsworthy as, say, a Home Depot.

  36. Hailey Lynne McKeefry
    November 12, 2014

    Plus a lot of the threats are under the radar – with the newest malware, it is designed to go in, siphon off information for as long as possible, and with the really sophisticated programs to remove itself later or when it is detected. I've heard that problems can go on for months and years with the organization not even realizing it!

  37. drewsmith
    November 12, 2014

    @hailey Setting up a framework is only the beginning of the marathon. The key is ongoing, real-time monitoring. Depending upon annual audits and self-assessments is simply not enough.

  38. Jamescon
    November 12, 2014

    @Drew. Actually, after I posted my question I was on another window and saw an ISACA press release saying that even with all the attention to consumer-side breaches, consumers aren't changing their shopping habits. Maybe they are just so beaten down by the break-ins that they don't care any more. Could the same thing happen in the supply chain?

  39. trandallck
    November 12, 2014

    On the triage point, is there simply a dollar value that can be assigned?

  40. Hailey Lynne McKeefry
    November 12, 2014

    BTW: another great research resource is the Verizon Data Breach report: http://www.verizonenterprise.com/DBIR/2014/

  41. drewsmith
    November 12, 2014

    @hailey The focus should be on mission-critical information. That really depends upon the organization. For some, it might be product plans, for others pricing or cost data.

  42. Hailey Lynne McKeefry
    November 12, 2014

    We talk a lot about the need for “layered protection”. What does that realistically mean today?

  43. drewsmith
    November 12, 2014

    @jimc Data breaches are a reality. It is no longer if, but when. The stance a company takes regarding breaches within its supply chain is largely going to be dictated by how sensitive they deem the data impacted. The risk to consumers is nothing (they are made whole) relative to a business.

  44. Hailey Lynne McKeefry
    November 12, 2014

    @Tim, I talked to a guy the other day who argued vehemently against the dollar valuation approach. He had an example where the unavailability of a $2 part cost the company millions. I wonder if there is a cyberthreat equivalent. Perhaps the biggest dollar suppliers aren't necessarily the ones that would give a bad actor a door into the organization.

  45. Hailey Lynne McKeefry
    November 12, 2014

    One of our early bird users asked about audits – any specific advice on what should be included in a good audit or tips on how it should be done?

  46. trandallck
    November 12, 2014

    Do all supply chain breaches ultimately impact the individual? I.e. higher costs or stolen accounts/emails?

  47. drewsmith
    November 12, 2014

    @hailey It is a lot like a 7-layer dip (keeping that virtual chips and salsa analogy going)… if the refried beans are breached, the guacamole often follows. Multi-layer means technology, training, procedures, audits and monitoring support one another. You are only as strong as your weakest link.

  48. drewsmith
    November 12, 2014

    @hailey Audits are a good place to start. A good one includes risk and gap assessments followed by clear remediation efforts. Annual is the absolute minimum!

  49. Hailey Lynne McKeefry
    November 12, 2014

    On the technology side, too, you have hardware, software, firmware all providing points of entry. Networks, mobile devices, etc. Are there technology areas that often get overlooked?

  50. trandallck
    November 12, 2014

    @Hailey, that is interesting on the $ perspective for identifying threats

  51. drewsmith
    November 12, 2014

    @hailey Another good point. BYOD (bring your own device), especially in the smart phone arena, can be challenging for a company to monitor. One has to weigh cost and convenience against greater security risk. The next frontier is cybercriminals focusing on our mobile devices.

  52. Jamescon
    November 12, 2014

    Are suppliers and their regular customers open enough with each other about sharing information on their security strategies? About actual breaches?

  53. Hailey Lynne McKeefry
    November 12, 2014

    @Drew and on the supply chain side, supply chain management, e-procurement and other apps, especially those in the warehouse and on the manufacturing floor, often use mobile devices. That's only going to get more pervasive.

  54. trandallck
    November 12, 2014

    @ALL… is there any correlation between Enterprise System supply chain breaches and non-Enterprise Systems?

  55. Hailey Lynne McKeefry
    November 12, 2014

    Do you think information security is currently part of the average vendor/supplier agreement? Would adding language around corporate data security and incident response policy to this kind of agreement help? Would it raise awareness? Compliance? What do you think?

  56. drewsmith
    November 12, 2014

    @jimc That's a million dollar question. Many times a firm finds out about an incident far too late. The key is putting SLAs into contracts from the beginning to make sure security concerns are shared as quickly as other issues. We recommend incident management practices are developed before they are needed.

  57. kdawson
    November 12, 2014

    Got a question about training. People are often the biggest problem in cybersecurity. How do you get employees and supplier employees to really understand the threat to the point that they actually adhere to the systems in place, the procedures? Too often people try to get around them.

  58. Hailey Lynne McKeefry
    November 12, 2014

    @trandallck, it seems to me that SC systems are closely integrated into the general enterprise. If hackers get access to one area it can spread. The hackers just follow the money, right?

  59. drewsmith
    November 12, 2014

    @hailey If it is not already, it needs to be added. That is… language to address data security.

  60. Hailey Lynne McKeefry
    November 12, 2014

    @Drew, I posted my question before I saw yours! Great minds, eh? You get to take home the virtual guacamole. 🙂

  61. Hailey Lynne McKeefry
    November 12, 2014

    @drew, I think too it ought to be language added to every job description and perhaps mentioned regularly at meetings – too often awareness just fades into the background. Which brings us to Kdawson's question about training.

  62. Alison Diana
    November 12, 2014

    Is this so complex a problem that companies need to get outside help? What should they be looking for? Pen testers? Trainers? IT experts?

  63. drewsmith
    November 12, 2014

    @kdawson Data security training needs to be ongoing and compelling, yet not an impediment to daily operations. It also needs to be easy to understand and practical. Signing an annual policy statement after a one-hour review is not good enough. One walks a fine line, but its importance needs to come from the top.

  64. Hailey Lynne McKeefry
    November 12, 2014

    @Alison, welcome to the conversational fray! Glad you could make it.

  65. drewsmith
    November 12, 2014

    At InfoArmor, our data security team is the largest one in the company… as everyone is on it!

  66. Alison Diana
    November 12, 2014

    Thanks! I've been lurking!

  67. Hailey Lynne McKeefry
    November 12, 2014

    I've heard that some companies test their vendors and employees… sort of a war games approach. Do you think that's helpful? Can the average organization manage it?

  68. trandallck
    November 12, 2014

    @ALL… with data so prevalent, will there actually be a decline in its utility and value for cyberthieves?

  69. Hailey Lynne McKeefry
    November 12, 2014

    That corner office support really is critical.

  70. Hailey Lynne McKeefry
    November 12, 2014

    @trandallck, I think the focus will be on combining data streams to create something even more valuable. Those hackers are getting smarter every day. 🙂

  71. drewsmith
    November 12, 2014

    @alison You need complete company-wide buy-in to a security framework (for example ISO 27001). You also need one person responsible… a CSO, CTO, CEO or data steward. Whether or not you need external resources is dependent upon the type of exposure/risk you have and size/complexity of the organization.

  72. trandallck
    November 12, 2014

    @Hailey, so this eventually becomes a Big Data issue as opposed to individual accounts?

  73. Hailey Lynne McKeefry
    November 12, 2014

    @Drew, has your company ever been targeted that you know of? I know some cyberthieves think it's a feather in the cap to hit a security company.

  74. Hailey Lynne McKeefry
    November 12, 2014

    @trandallck, exactly. Small data being morphed into big data.

  75. drewsmith
    November 12, 2014

    @hailey We've tried the war game approach and it can be an interesting part of ongoing training. Unfortunately, it can be like standing with a carrot in one hand and a bat in the other. We want people to be willing to admit concerns or possible incidents, not hide them. If you are testing your vendors, you need a pre-defined agreement to do so. I would suggest the same with employees.

  76. Hailey Lynne McKeefry
    November 12, 2014

    Do you think there are threats at the back end of the manufacturing chain? It was suggested to me that malware, for example, might get loaded onto consumer electronics products during manufacturing by a hacker that got into the system. That would be a terrible black eye for an electronics company.

  77. drewsmith
    November 12, 2014

    @trandall This does not appear to be the case. As more and more data is available, the opportunity is only growing… exponentially.

  78. Hailey Lynne McKeefry
    November 12, 2014

    @Drew, I talked to one pen tester who dropped a handful of USB drives in the parking lot of the DOD (Department of Defense) and at least four people picked them up and plugged them in. I bet those people left feeling kind of bad… but it was a potent lesson. I do think that you want people to feel good about making a report though.

  79. drewsmith
    November 12, 2014

    @hailey All companies are targets every day. We see targeted threats directed at InfoArmor just like any other organization that monitors it. Good question.

  81. Hailey Lynne McKeefry
    November 12, 2014

    So we're hitting the 40-minute mark. Let's take a look at the future. What do you see on the horizon? How will the threat landscape evolve? How will organizations need to evolve to meet those changes? (I know these are huge questions! 🙂 )

  82. drewsmith
    November 12, 2014

    @hailey Absolutely. We know for a fact that USB sticks have contained malware placed on them during manufacture. It is not at all unimaginable to envision this impacting all types of consumer goods.

  83. drewsmith
    November 12, 2014

    @hailey The future… more and more devices available on the public Internet exponentially increase the attack surface.

  84. trandallck
    November 12, 2014

    ALL… on the question of the future, will large organizations be at the most risk?

  85. drewsmith
    November 12, 2014

    @hailey We really don't know yet what that means for organizations. We just need to stay focused on emerging threats so we will hopefully be able to stay just ahead of the ever-increasing sophistication of global bad actors.

  86. drewsmith
    November 12, 2014

    @trandall Not necessarily. It depends where the opportunity lies. Target was breached due to one of their HVAC vendors. Not a large company at all, yet it impacted millions of consumers.

  87. Hailey Lynne McKeefry
    November 12, 2014

    Thank you for being our guest today… this has been a really useful conversation. A little daunting… but useful. 🙂 I hope you'll come again!

  88. drewsmith
    November 12, 2014

    Thank you. I'm always happy to participate.

  89. drewsmith
    November 12, 2014

    I hope the information was useful.

  90. Hailey Lynne McKeefry
    November 12, 2014

    @trandall, in the electronics world, I'd argue that small organizations often are the innovators and so would have valuable IP – and a lot fewer resources to protect it. Couple that with the reality that there are simply more of them… I'd have to argue that small organizations are more at risk, but large companies have a higher profile.

  91. Hailey Lynne McKeefry
    November 12, 2014

    Thank you all, EBNers. I appreciate the great questions! I'm sure we'll continue to explore this in depth!

  92. trandallck
    November 12, 2014

    Great material!

  93. Hailey Lynne McKeefry
    November 12, 2014

    And if anyone wants to learn more about Drew and his organization, take a look here: http://infoarmor.com/about-us/

  94. madhu
    April 13, 2015

    nice information thank you

  95. sannjay
    May 23, 2015

    excellent post

  96. anvesh
    May 29, 2015

    really excellent post

  97. jitender123
    June 6, 2015

    nice information

  98. raijakson
    June 7, 2015

    we have to see 

  99. ramesh123
    June 8, 2015

    nice post thank you

  100. ravi123
    June 8, 2015

    I hope the information was useful.

  101. suriya reddy
    June 8, 2015

    I hope the information was useful.

  102. sachin99
    June 9, 2015

    nice information thank you

  103. Nithin Reddy
    June 9, 2015

    If you are testing your vendors, you need a pre-defined agreement to do so. I would suggest the same with employees.

  104. sreekar
    June 10, 2015

    The number of cyberattacks is on the rise and hackers are targeting the supply chain

  105. nolanmartin
    June 16, 2015

    Hi, my name is nolanmartin. I am a student and freelancer. I love to explore the good, recent and useful articles which are published in various websites.

  106. ashvin
    June 23, 2015

    very nice information

  107. sandeep singh
    June 27, 2015

    really excellent post

  108. tejangupta
    June 30, 2015

    great post

  109. harman preet singh
    July 1, 2015

    I hope the information was useful.

  110. gautam nandy
    July 9, 2015

    excellent post

  111. mithu nair
    July 11, 2015

    The number of cyberattacks is on the rise and hackers are targeting the supply chain.

  112. tinkuroy
    July 16, 2015

    yeah great post

  113. rameshrao
    July 18, 2015

    thank u

  114. rampal
    July 18, 2015

    nice post

  115. rampal
    July 18, 2015

    nice post dis

  116. bhalladeva
    July 22, 2015

    electronics supply chain experts, these conversations see ideas shared, comments made, and questions asked and answered in real time. Listed below are upcoming and archived chats. Stay tuned and join in!

  117. anudeepsingh
    July 23, 2015

    i hope the information was useful

  118. ramprathap147
    July 25, 2015

    cool information was useful.

  119. revanthjoi
    July 27, 2015

    great one cool buddy

  120. sreenathchawan
    August 1, 2015

    very good post

  121. krishnasameer
    August 4, 2015

    good one

  122. krishnabharat09
    August 11, 2015

    nice one

  123. harsharam
    August 13, 2015

    Kattappa, why did you kill Baahubali?

  124. maheshgupta
    August 14, 2015

    If you are testing your vendors, you need a pre-defined agreement to do so. I would suggest the same with employees.

  125. Marinaerakovic
    January 6, 2016

    it was great information

  126. Tombaron
    January 21, 2016

    I hope the information was useful

  127. Kyedsteve
    January 25, 2016

    nice information thank you

  128. Antoinepual
    January 29, 2016

    GOOD INFORMATION

  129. Dustinpal
    February 4, 2016

    nice good one dis post

  130. kiranvalentine
    April 10, 2016

    good post

  131. sarrainodu
    April 18, 2016

    great post buddy

  132. sarrainodu
    April 18, 2016

    graey blob buddy

  133. swaraj
    April 23, 2016

    nice post

  134. Stumacmillan
    July 15, 2016

    great post nice
