We Spend Lavishly on Systems and Software-Centric Security but Nothing on Hardware – Why?

I covered the Supermicro story extensively and throughout, the focus was on China and its corruption of the hardware manufacturing supply chain. The real story however is on the much less-localized vulnerabilities that can be found in every server, interface, switch and network from every vendor in the world. These include Dell EMC, Apple, Cisco, Avaya, Alcatel, Juniper, HPE, IBM, etc.

We tend to think of the supply chain as a very narrow bridge between the manufacturer and the equipment customer when, in fact, the impact of the supply chain never ends. We have factory workers, technicians, testers, integrators, shippers, receivers, warehousing and we have very little visibility into what actually goes on at each step. The opportunities for modifying and/or switching core components are myriad and scattered across a broad landscape. Even hardware roots of trust and HSMs can be swapped out with look-alikes that pronounce validation where none exists.

The bottom line is that it is likely that your servers and network components have been compromised and you will never know it. We spend $100 billion every year on software-related cyberattacks yet virtually nothing to detect hardware vulnerabilities.

If indeed China is behind most of these rogue components idling on our motherboards waiting for the “go-call” from HQ, it is almost an Uncle Remus-like ploy that diverts our energy and attention to a continuing chorus of random malware attacks through a variety of vectors while quietly setting up the cyber sting of all time on all of our hardware devices.

And with the impending onslaught of a gazillion IoT devices and their constant and unfettered access to our now WFH Shadow IT network environments, we don’t just double down on the reality distortion field with which we have surrounded ourselves, we go all in.

This is why I am fanatically bullish about a solution from Sepio Systems that actually scans your entire computing environment and inventories all of the hardware vulnerabilities it discovers, including invisible network elements, USB peripherals, Blue-Tooth, Wi-Fi and cell phones. Then it detects and blocks all intrusion attempts while providing continual monitoring, visibility, analytics and policy enforcement.

It doesn’t overlap with any other product on the market. It is priced to be amazingly affordable and uses virtually invisible agents so there is no measurable performance degradation. It prevents a mountain of insider threats, socially engineered device modifications, and inadvertent third-party and supply chain compromises. 

I can’t think of a single reason why every organization would not include it as part of its overall threat defense strategy. In fact, not doing so in an era where a real, measurable threat exists and there has been no way up until now to detect and prevent against it, seems to me to be the height of irresponsibility. In addition, you probably already spend a fortune on regulatory compliance (Gartner predicts the spend to approach $1 trillion by 2023), while at the same time ignoring all of your hardware vulnerabilities.

What if you were like one Fortune 20 company that continued to experience data leaks in spite of spending tens of millions on cybersecurity technology and suddenly realized they had no visibility or control over their connected devices? After installing this product, they found a connected Garmin watch, a SanDisk Cruzer thumb drive, 51 iPhones, a Wi-Fi dongle, a Google Nexus phone that had been connected for 10 hours and a Raspberry Pi 3 single board computer. They immediately found the source of the data leak and stopped it.

Fortunately, they were able to avoid fines and penalties but only because they weren’t caught. This all occurred after the board had authorized their annual cybersecurity budget in the eight-digit millions. What do you think the board said to their CISO? What do you think their CISO had to say to the board?

What would you have said?

Previous Post
Your Perspective is Dictated by Your Mental Models
Next Post
Two Great Security Professionals Reflect on One Human Factor in Cybersecurity