Saltar al contenido

Apple: It’s time to strengthen the security of the supply chain

Apple: It's time to strengthen the security of the supply chain

Apple has agreed to help secure the supply chain in the technology industry as part of a White House cyber security action. Maybe you should also protect your supply chain?

Supply chains are vulnerable to cyber attacks, and for the good of your business, it’s time to take action to secure them, according to Apple and the White House.

Apple to secure the supply chain with technology

This is news that will appear after a high-level cybersecurity meeting between US President Joseph Biden and major technology companies, including Apple, IBM, Microsoft, Google, Amazon and others. Most of the companies that attended the meeting announced plans to strengthen resilience and security awareness, with a focus on security training and awareness.

Apple’s contribution seems different.

«Apple has announced that it will establish a new program to continuously improve security throughout the technology supply chain. As part of this program, Apple will work with its suppliers, including more than 9,000 in the United States, to stimulate the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response. «

What is the food to eat? Assuming the most obvious answer is probably the right answer, this is: Most companies should think about how to better protect not only their own systems, but also those of the entire supply chain.

This will mean partnerships, sometimes between competing companies, education, deep investment in training and maybe even investment in partners.

Interestingly, although Apple is considered secure, it is not considered a security company (although it is). You now take responsibility for the remedy and the answer. This is an indication of what the company is supposed to be doing internally. It seems that this also reflects the company’s growing place in business technology. It suggests that Face ID, Touch ID and the use of USB security keys such as those made by Yubico will become more prevalent when accessing business systems and software.

I hope this is reflected in MDM, which suggests improvements to Apple’s (and everyone else’s) offerings. It also sheds new light on Apple’s recent decision to introduce a password authenticator in iOS 15, helping to reduce the friction of using two-factor authentication while maintaining security.

Why hurry?

We know that cyber security incidents exploded during the pandemic. They also became more imaginative, blowing up everything from mobile phone towers to the electricity grid. Phishing scams abound and ransomware attacks proliferate. And there are not enough cybersecurity professionals to keep the line. That’s why many post-meeting announcements focus on security awareness and training.

When it comes to securing the supply chain, Apple seems to be close to leading Biden. The White House said the US National Institute of Standards and Technology (NIST) will now work with the technology industry and others to develop new security frameworks to protect supply chains. It seems certain that Apple will play a role in setting these standards, along with other technology companies.

Who is the weakest link?

The focus on supply chain security should be a message for any business. It means that the security of your business depends on the weakest link in your security chain.

This link can be an internal vulnerability, but it can also be an external vulnerability for any of its partners. In an increasingly connected world, less secure business partners can become vehicles to undermine your existing protection and vice versa.

Criminals are smart. The well-funded international growth of state-sponsored cybercrime has seemingly unlimited budgets. Evil actors are constantly investigating their weaknesses: phishing attacks on people are accompanied by similar attempts to reverse the systems. No one should forget how the target network was penetrated by hackers who used network credentials stolen from one of its partners in 2014.

Attackers track companies along supply chains to identify vulnerabilities like these. If you can’t access your main target’s computers, why not attack a vendor to find a way around the existing perimeter defense?

That is happening now?

Apple’s recent introduction of CSAM protection is a major red sign of privacy, but an element of that system’s action could become part of future security protection. I’m talking about monitoring activity on the device.

After all, if devices can scan the content of messages, they can also scan network activity (as many anti-fraud systems already do).

We know that there are typical patterns that reflect an active security incident, especially unexpected data streams sent to unrecognized servers. It is not a big imaginative leap to believe that Microsoft, Google, Apple and others could complement the existing security protection with a greater awareness of the situation on the device.

Basic information already exists and is already in use: applications such as Little Snitch or Activity Monitor show how this data is already exposed. Specialized security companies such as Orange Cyberdefense or Splunk already implement network monitoring systems for their customers.

The latest White House intervention suggests the need for increased security awareness throughout the supply chain, which stretches from core to edge. Apple’s involvement suggests future work to help secure this advantage. This may involve device information, but at what price? Will we see Big Tech get security assistance in the form of quantum computing?

What can your company do today?

Much of this is in the future. What can your companies do to protect themselves today?

Typical problems and solutions may include:

Employee awareness, training and support: all companies should invest in staff training in security and situation awareness. This also extends to remote workers: malware checks are important, as are well-secured Wi-Fi networks. Invest in security and borderline financial equipment. And make sure you use strong passwords.

Communication: Every company should take steps to reassure employees and partners of a flawless approach to security flaws. You don’t want to wait weeks to find out that an employee has opened an email loaded with malware and infected your internal system; You also don’t want to wait to find out that a business partner has suffered the same. A culture of guilt makes you less confident, because it makes people less likely to quickly reveal problems. Like anything else in the company’s digital transformation, these hierarchical selfish management models must be abandoned in favor of more open cultures.

Secure the perimeter and core: Make sure you use 2FA security on all your devices. Use MDM systems to manage hardware, software, and data. Take full advantage of all the safety features of your fleet and diversify your technology stack whenever possible. Many MDM systems now offer security protections based on geolocation; make sure you use them where you can. Use backup systems, redundant networks, firewalls, and make sure security updates are installed.

Work with partners (and competitors) – Try to be open with your partners and competitors. Establish common collective security policies and follow them. Be prepared to stop working with a partner if their security systems are not approved and improved. For shared systems (including Slack channels), be prepared to quarantine data exchange items from other systems. Be open, be friendly, be paranoid.

Prepare for the rain: in today’s environment, it is best to assume that a security breach is inevitable. This means that in addition to investing in systems to enhance the security of your business, you need to create and practice your data breach response plan. What will you do if you (or your partners) are attacked? Your company, employees, customers and partners should already know.

It may also be a good time to examine Apple’s white paper.