[00:00:00] Supply Chain Assessment. In this lesson, we're going to talk about supply chain assessment and why it's so important. When you think about supply chain assessment, and more largely, supply chain management, you have to think about all the components that go into a particular product. So, for example, when I buy something off the shelf and I get something like a router or a switch, there are hundreds of different pieces inside of that. And each of those pieces could have been tampered with by somebody along the way. By conducting a supply chain assessment, you're going to be able to understand where those parts come from, and whether you can trust that end product. Now, I'm not saying you need to go down to the individual component here. But you do have to understand where the devices that you're putting into your network come from, and whether you can trust them. After all, we're trying to conduct secure working in an insecure environment. And this involves mitigating the risks that are caused by the supply chain.
[00:00:51] Now, to create a trusted computing environment, an organization really has to ensure that the operation of every element, which includes the hardware, the firmware, the drivers, the operating systems, and the applications, is consistent and tamper-resistant. If you can do that, you will have created a trusted computing environment. Now, in some organizations, this is really, really important. In others, it's not nearly as important. And so, this is going to be one of those things where the risk appetite of your organization is going to define how much time, effort, and resources you put into this concept of supply chain assessment. Now, when you get a new vendor, you should conduct due diligence. Now, due diligence is a legal principle that says the subject has used best practice or reasonable care when setting up, configuring, and maintaining a system. When you're trying to hire a vendor, you need to ensure that they have done due diligence on their supply chain, and you need to do your due diligence on them. This includes things like ensuring that their cybersecurity program is properly resourced.
[00:01:50] You also want to make sure that they have security assurance and risk management processes and programs in place. And by doing this, you'll help make sure that they have a valid organization and a way of doing due diligence within themselves. Another thing you want to look at is the product support lifecycle. If you're going to buy a product, you need to make sure that they're going to be able to support it for the long term. For example, if you buy Microsoft Windows, you know that they're going to give you patches and updates and support for a certain amount of time. That's known as its end-of-life date. That's part of the product support lifecycle. If I buy a product from some brand new company, do I know they're going to be around in five years when I have a problem and need them to solve it? These are all things you have to consider as part of your due diligence. Another thing you want to consider is whether they have the proper security controls in place for confidential data.
[00:02:34] If you're giving them access to your data because they're doing something like Software-as-a-Service, you want to make sure they have the proper security controls in place to ensure your data remains confidential. Another thing you have to think about is, when things go wrong, will they be there to help you? If you have to conduct an incident response or do forensic investigations, will that company be able to support you and provide you assistance? And finally, we want to think about the general and historical company information. When you look at a company, do they have strong enough financials that they're going to be in business next year to support your needs? Or are they going to be a fly-by-night organization that's out of business in the next six to 12 months? These are all things you want to consider as you're doing your due diligence. Now, your due diligence should apply not only to your suppliers, but also to your contractors. If I'm going to hire people to work on my team as contractors, I need to do due diligence on them and make sure I can trust them.
[00:03:22] Now, another area that we have to start talking about is this concept of the hardware itself. I mentioned earlier, you have to think about where this hardware comes from. And based on your organization, you're going to have either more or less of a risk appetite for hardware. Now, one of the organizations that has a very low tolerance or low risk appetite for hardware is the Department of Defense, and so they created something known as the trusted foundry. Now, the trusted foundry is a microprocessor manufacturing utility that's part of a validated supply chain, one where the hardware and software do not deviate from their documented function. And again, this was created and is operated by the Department of Defense, which is the US military, because if they're going to put a microprocessor in to run a jet or a bomb or something like that, they want to make sure it does exactly what it's supposed to do each and every time. And that's what the trusted foundry program is all about.
[00:04:09] For the exam, you really just need to understand that trusted foundry is a way to ensure that microprocessors in the supply chain are secure, and it's run by the Department of Defense. Now, another thing we want to talk about is hardware source authenticity. This is the process of ensuring the hardware is procured tamper-free from trustworthy suppliers. Now, the idea here is we have to know where our stuff comes from. Now, if you need a new router, do you buy it directly from Cisco or from one of their authorized resellers, or do you go on eBay and buy a secondhand one? Well, depending on which way you go, that thing is going to be more or less trustworthy. There is a much greater risk of inadvertently obtaining counterfeit or compromised devices when you purchase from secondhand or aftermarket sources. So, whenever possible, go straight to the source. When I look at these routers and switches, just by looking at them, I can't tell if they've been modified on the inside. This is something that can be done inside of those machines.
[00:05:01] And there have been cases where malware has been embedded into the firmware of these devices, or extra chips have been put inside these devices. And then they're sold at a cheap price online. And that way, you install this and now they have access to your entire network. So, you have to be careful with this stuff. And that is why supply chain assessments are so critical to the security of your network.