Bloomberg News cited unidentified US officials as saying malicious chips were inserted into equipment supplied by Super Micro Computer Inc. to American companies and government agencies. They asserted that the motherboards included a tiny microchip with code that caused the products to accept changes to their software and to connect to outside computers. And since these servers could be found in DoD data centers, the CIA’s drone operations and the onboard networks of Navy warships, as well as many other companies (like Apple Inc.), it’s got the security community’s attention.
But on the flipside, other industry leaders aren’t so quick to agree. According to The Register, the Bloomberg article has been strongly denied by the three main companies involved: Apple, Amazon and Super Micro. (Read their full responses to the Bloomberg article here.)
So, if there’s no agreement on whether or not this infiltration really happened, what is an organization to do to ensure that they remain safe when security can be so ambiguous?
As a general good practice when dealing with supply chains, SANS Institute recommends companies need to continue to advance their security practices with the following recommendations:
- Abandon the password for all but trivial applications.Steve Jobs and the ubiquitous mobile computer have lowered the cost and improved the convenience of strong authentication enough to overcome all arguments against it.
- Abandon the flat network.Secure and trusted communication now trump ease of any-to-any communication.
- Move traffic monitoring from encouraged to essential.
- Establish and maintain end-to-end encryption for all applications.Think TLS, VPNs, VLANs and physically segmented networks. Software Defined Networks put this within the budget of most enterprises.
- Abandon the convenient but dangerously permissive default access control rule of “read/write/execute” in favor of restrictive “read/execute-only” or even better, “Least privilege.”Least privilege is expensive to administer but it is effective. Our current strategy of “ship low-quality early/patch late” is proving to be ineffective and more expensive in maintenance and breaches than we could ever have imagined.
As for OneNeck’s response to this potential issue, we continue to validate, assess and advance our security and risk program:
- Identity and Access Management: We invest millions of dollars in our data centers, and access to infrastructure and services requiring multi-factor authentication, inclusive of biometrics.
- Diligent Monitoring: We also continue to increase our network traffic and systems monitoring as we need to and adjust to ensure we’re current as new threats emerge. Our monitoring is inclusive of monitoring Out of Band (OOB) traffic that is typically associated with BMC connectivity as discussed in the Bloomberg article.
- Communication with Vendors: We’ve been in contact with our hardware vendors, and they are not reporting concerns on their end. However, we continue to regularly communicate with them, should any new concerns arise.
- Regular Assessments: For our own systems, we regularly do assessments against them to ensure that no matter what threat, we’re protected. For this situation, we are assessing if we have any hardware manufactured by Supermicro, however no actions will be taken unless there is additional confirmation of the Bloomberg report.
Situations like this potential hack only reinforces the need to remain diligent and keep up with your security. As these threats become more sophisticated, so does the need to constantly assess your gaps and evolve your security.