Do you know what’s going on in your IT environment? Chinese spies might.


The China Hack shows how badly enterprises need visibility into their IT hardware asset inventory.

Since the bombshell Bloomberg report on an alleged Chinese hardware supply chain attack, it is still unclear whether data was actually stolen from Apple, Amazon or any of the other American companies named. The companies themselves publicly denied the report, and its claims have not been independently confirmed. What the story does make plain is why a tiny implant on a server motherboard is so dangerous: a component added at the factory sits below the operating system, where host and network security controls cannot see it, and could stay undetected for a very long time. And a backdoor does not care who opens it. Even if you do not think Chinese intelligence is interested in your organization, an implanted component, once it becomes known, could be found and exploited by anyone else who wants access to your critical infrastructure.

Let the Chaos Begin

When a hack like this hits the headlines, everyone scrambles to answer a flurry of questions that all boil down to one: are we exposed? Executives want to know, the press wants to know and your customers want to know. It is very hard to answer unless you already hold complete information about every IT asset in use across the enterprise. You may have facilities spread across the country or the world, many departments and divisions, and different people keeping different inventories. In that situation the only way through the chaos is to get an accurate picture of what you have, and then decide what to do about it. The faster you can get through that process, the less damage the attack can do.

Key Information in a Hardware Supply Chain Hack Crisis

  1. Exposure: The first question is, “which of our assets are vulnerable?” Answering it requires a reliable inventory, refreshed frequently by automated hardware discovery agents rather than by hand. That data then has to be normalized and housed in a central data warehouse so it can actually be queried. It has to carry model numbers, model-specific details such as board revision, and lineage data (supplier and product history) so you can identify compromised equipment precisely instead of over- or under-counting your exposure. A record that has not been refreshed recently cannot tell you an asset is safe; it can only tell you that you do not know.
  2. Response: Once the exposure question is answered, attention turns to remediation. When you plan to replace exposed hardware, how do you know the replacement does not have the same problem? How do you know it is compatible with your existing systems? One risk of rapid fixes is that they break other things in the process, so it is important to consider more than computing specs: power consumption, heat dissipation, physical dimensions and operating temperature requirements can all cause problems if ignored. Having rich information about the hardware available in the market speeds this stage up significantly.
  3. Getting ahead of next time: How do you make sure you can respond quickly to the next hardware supply chain attack? You will need more detailed information about all the hardware in your asset database, and a way to keep it current. That may mean requiring suppliers to make the information available either directly to you or through a data library you can pull from when needed. A written response plan and staff trained to pull and use that information quickly are just as much a part of being prepared.
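The exposure step above is where most teams stall, because discovery data arrives in different shapes from different agents and the vendor and model strings never quite agree. The following Python is an added example for this post (not Flexera code, and not drawn from any real advisory): it normalizes records from two hypothetical agent formats into one schema, matches them against a constructed affected-hardware list keyed by vendor, model and board revision, and refuses to call an asset “clear” when the record is stale or lacks the revision the advisory depends on. The agent formats, the vendor alias table, the model names, the affected list and the dates are all assumptions made for the example.

```python
"""Answer "which of our assets are exposed?" from multi-source discovery data.

Added example for this post; it is not Flexera code and describes no real
advisory. The two agent record formats ('dmi' and 'cmdb'), the vendor alias
table, the model names and the affected-hardware list are all constructed.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# One manufacturer, many spellings: SMBIOS strings, CMDB exports and purchase
# records rarely agree. Hypothetical alias table mapping each to a canonical key.
VENDOR_ALIASES = {
    "super micro computer, inc.": "supermicro",
    "super micro computer inc": "supermicro",
    "supermicro": "supermicro",
    "dell inc.": "dell",
}

# Constructed affected list: (vendor, model, board revision); "" = all revisions.
AFFECTED = {
    ("supermicro", "srv1000a+", "1.10"),
    ("supermicro", "srv2000b", ""),
}

TODAY = date(2018, 10, 8)  # constructed "today" for the staleness check

# Constructed records, as two hypothetical discovery agents would emit them.
SAMPLE_RECORDS = [
    ("dmi", {"serial": "SN-0001", "site": "dc-east", "collected": "2018-10-05",
             "baseboard_manufacturer": "Super Micro Computer, Inc.",
             "baseboard_product": "SRV-1000A+", "baseboard_version": "1.10"}),
    ("cmdb", {"tag": "A-2231", "location": "dc-east", "last_audit": "2018-10-01",
              "make": "SUPERMICRO", "model": "srv 1000a+", "revision": "1.02"}),
    ("dmi", {"serial": "SN-0002", "site": "dc-west", "collected": "2018-10-06",
             "baseboard_manufacturer": "Super Micro Computer, Inc.",
             "baseboard_product": "SRV-2000B"}),
    ("cmdb", {"tag": "B-0007", "location": "dc-west", "last_audit": "2018-10-03",
              "make": "Super Micro Computer Inc", "model": "SRV-1000A+"}),
    ("dmi", {"serial": "SN-0003", "site": "dc-west", "collected": "2018-10-07",
             "baseboard_manufacturer": "Dell Inc.", "baseboard_product": "PE-740X",
             "baseboard_version": "A02"}),
    ("cmdb", {"tag": "C-0101", "location": "branch-1", "last_audit": "2018-06-01",
              "make": "Supermicro", "model": "SRV-1000A+", "revision": "1.10"}),
]


@dataclass(frozen=True)
class Asset:
    """One row of the central, normalized inventory."""
    asset_id: str
    site: str
    vendor: str     # canonical vendor key
    model: str      # canonical model key
    board_rev: str  # "" when the agent did not report one
    last_seen: date


def norm_vendor(raw: str) -> str:
    key = re.sub(r"\s+", " ", raw.strip().lower())
    return VENDOR_ALIASES.get(key, key)


def norm_model(raw: str) -> str:
    # Drop spacing/separator differences but keep suffixes such as "+" that
    # distinguish product variants.
    return re.sub(r"[\s\-_./]", "", raw.lower())


def normalize(source: str, rec: dict) -> Asset:
    """Map one agent's field names onto the common schema."""
    if source == "dmi":
        return Asset(rec["serial"], rec["site"], norm_vendor(rec["baseboard_manufacturer"]),
                     norm_model(rec["baseboard_product"]),
                     rec.get("baseboard_version", "").strip().lower(),
                     date.fromisoformat(rec["collected"]))
    if source == "cmdb":
        return Asset(rec["tag"], rec["location"], norm_vendor(rec["make"]),
                     norm_model(rec["model"]), rec.get("revision", "").strip().lower(),
                     date.fromisoformat(rec["last_audit"]))
    raise ValueError(f"unknown discovery source {source!r}")


def classify(asset: Asset, affected: set, today: date, max_age_days: int = 30) -> str:
    """Return 'exposed', 'clear' or 'unknown' for one asset.

    A stale record cannot support 'clear' (the box may have been swapped since
    the agent last saw it), and neither can a record with no board revision
    when the advisory is revision-specific.
    """
    if today - asset.last_seen > timedelta(days=max_age_days):
        return "unknown"
    revs = {rev for (v, m, rev) in affected if (v, m) == (asset.vendor, asset.model)}
    if not revs:
        return "clear"
    if "" in revs or asset.board_rev in revs:
        return "exposed"
    return "unknown" if asset.board_rev == "" else "clear"


def exposure_report(records, affected, today) -> dict:
    """Aggregate verdicts per site: {site: {verdict: [asset_id, ...]}}."""
    report = {}
    for source, rec in records:
        asset = normalize(source, rec)
        report.setdefault(asset.site, {}).setdefault(
            classify(asset, affected, today), []).append(asset.asset_id)
    return report
```

Calling exposure_report(SAMPLE_RECORDS, AFFECTED, TODAY) on the constructed data flags SN-0001 and SN-0002 as exposed and returns two “unknown” verdicts, which are the point: B-0007 has no board revision on file and C-0101 was last seen four months ago, so neither record can honestly be counted as clear, and both belong at the top of the physical inspection list.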

The Real Problem? Transparency.

Data breaches can be financially devastating. IBM’s 2018 Cost of a Data Breach study put the average cost at $3.86 million, and large breaches run into the hundreds of millions. The number of reported breaches has also risen sharply: almost four times what it was just five years ago (Statista). With that risk in mind, how can you prepare to respond to supply chain hacks? There is a parallel in the food industry, where a problem with a single ingredient can be catastrophic for a business. That is why the food industry has so much transparency around ingredients, date codes and use-by dates. What if businesses required hardware suppliers to provide the same kind of detail on the commodity, firmware-bearing components used in their products? What if you had model- and version-specific information that let you contain a hardware problem quickly? Setting a new standard of expectations around this type and level of supplier “ingredient” data is what can protect businesses in the future and help to minimize the risk.

Committing to an Industry Solution

We at Flexera are firmly committed to developing a platform that gives IT departments the asset transparency and intelligence needed to get ahead of both security and cost challenges.  We’re already well on the way with Technopedia and applications that enrich and normalize asset data.  As more suppliers add to the data our research teams are already collecting, and as more businesses demand and leverage that data, IT departments across all industries will be far better armed to respond to and even prevent the consequences of security breaches coming from hardware, software, SaaS or cloud IT assets.