Tag Archives: supply chain

Hardware failure can lead to 70% breakout in Cloud / virtualization setup

Google released details on how an attacker can take advantage of the physical design and setup of some memory chips in computers. The exploit is basically based on repeatedly setting and releasing a charge on one memory block until it leaks over to the neighboring block (simplifying here). Stated another way – imagine cutting an onion and then using the same knife to cut a tomato… the taste of the onion would definitely transfer to the tomato; ask any toddler 😉

  • What does this mean to enterprises? Well, it is early, but this type of risk to an organization should be addressed and covered by your third-party supplier / procurement security team. Leading organizations are already vetting hardware vendors and the components included in each purchase to prevent malicious firmware and snooping technology.
  • In addition, the supplier team managing all of the deployed cloud and virtualization relationships (your Cloud Relationship Manager) should begin a process of reviewing their provider evaluations.

Of course this is a new release and the attack is not simple, but that doesn’t mean it won’t or could not occur.

The attack identified by Google plus the virtualized environment creates a situation where an attacker “…can design a program such that a single-bit error in the process address space gives him a 70% probability of completely taking over the JVM to execute arbitrary code” – Research paper

Given the probability of success, it is definitely valuable to have this on your risk and supplier program evaluations.

Here is the full analysis by Google and the virtualized research paper.


James DeLuccia



Methodology for the identification of critical connected infrastructure and services – SaaS, shared services

ENISA released a study with a methodology for identifying critical infrastructure in communication networks. While this is important and valuable as a topic, I dove into this study for a particularly selfish reason … I am SEEKING a methodology that we could leverage for identifying critical connected infrastructure (cloud providers, SaaS, shared services internal to large corporations, etc.) for the larger public/private sector. Here are my highlights – I would value any additional analysis, always:

  • Challenge to the organization: “..which are exactly those assets that can be identified as Critical Information Infrastructure and how we can make sure they are secure and resilient?”
  • Key success factors:
    • Detailed list of critical services
    • Criticality criteria for internal and external interdependencies
    • Effective collaboration between providers (internal and external)
  • Interdependency angles:
    • Interdependencies within a category of service
    • Interdependencies between categories of services
    • Interdependencies among data assets
  • Establish baseline security guidelines (due care):
    • Balanced to business risks & needs
    • Established at procurement cycle
    • Regularly verified (at least w/in 3 yr cycle)
  • Tagging/Grouping of critical categories of service
    • Allows for clean tracking & regular security verifications
    • Enables troubleshooting
    • Threat determination and incident response
  • Methodology next steps:
    • Partner with business and product teams to identify economic entity / market value
    • Identify the dependencies listed above and mark criticality based on entity / market value
    • Develop standards needed by providers
    • Investigate how monitoring to standards can be managed and achieved (in some cases contracts can support you, others will be a monopoly and you’ll need to augment their processes to protect you)
    • Refresh and adjust annually to reflect modifications of business values

I hope this breakout is helpful. The ENISA document has a heavy focus on promoting government / operator ownership, but businesses cannot rely on or wait for such action and should move accordingly. The above is heavily modified and original thinking based on my experience with structuring similar business programs. A bit about ENISA’s original intent of the study:

This study aims to tackle the problem of identification of Critical Information Infrastructures in communication networks. The goal is to provide an overview of the current state of play in Europe and depict possible improvements in order to be ready for future threat landscapes and challenges. Publication date: Feb 23, 2015 via Methodologies for the identification of Critical Information Infrastructure assets and services – ENISA.

Best, James

Amateurs Study Strategy; Experts Study Logistics – Battlefield Leadership series

In the business world, the military analogy “Amateurs study strategy; experts study logistics” emphasizes what matters beyond the initial success of a surge effort. Specifically, in relation to D-Day, the analogy shows the importance of establishing a port to provide fuel, reinforcements, ammunition, food, and supplies to the troops. The initial Normandy invasion of 135,000 troops required landing 15,000 tons of supplies a day, and as the presence increased so did the supplies. Thus, the Allies were forced to secure a port.

The Allies chose to build two ports and bring them to the coast of Normandy. This gave them the opportunity to establish a port at an area that was not heavily fortified (the Germans defended port locations closely). This out-of-the-box thinking allowed the Allies to achieve the objective and support the ongoing mission on land.

Business Reflections…

The importance of innovation and ability to think beyond the traditional structures is sometimes the only pathway to success. Think about Uber, Amazon, and other disruptive methods of transacting business. Each approached the same objective (black cars, books for reading), but achieved the ‘big picture’ in a manner not conceived viable by the incumbents.

The key elements to achieve innovation from lessons at Arromanches:

  1. Focus on the objective and not the details on ‘how.’ This allows for iterations on methods while maintaining the continued support structure.
  2. Establish a team with a leader to drive the innovation. The team should be organized differently than the primary organization. This was done in Britain and allowed the Skunkworks group to succeed. The Skunkworks failed the first time and were reorganized into a new team to finally reach success.
  3. Plan redundancy. Two Allied piers were built. One of the piers was destroyed by weather (an identified risk), but luckily one was still standing and supported the logistics for many months.
  4. Demonstrate success capability through detailed analysis. To allay counter arguments, it is necessary to present a clear and evidence-supported case proving how the solution will be successful.

The Supply Chain

Here are a few generally obvious but necessary statements on the make-up of the supply chain. The service of the business and the delivery of product depend upon the inputs. These inputs are as important as the final work product. Failure to receive any input, or damage to an input, will lead to failure in the market. Each input must meet the integrity, quality, and security standards of the product it seeks to become.

Suppliers need to possess integrity to ensure the inputs are not damaged, sabotaged, or fraudulent. The reliability and availability of the inputs need to be vetted with redundant providers, and consideration of every part of the delivery channel is key. For instance, regarding a Cloud service provider hosting data: what are the ISPs, routers, equipment, regional laws, etc. that affect the delivery of such a service?

A business must be able to achieve entry into a market category and sustain it! It is not enough to put a toe in the water; rather, it takes the patience and capability to grow in the market. Success is achieved through building scale into the business architecture and forming teams that are innovative and strong enough to become the senior management and leads.

What is Battlefield Leadership and what is this series about … 

This is the fifth paper in this series. As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book – How Not to be hacked – seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share them to continue the conversation with the great individuals I met, and with the larger community.

Kind regards,



Elevating your Vendor / Supply Chain risk assessment

These past few weeks I have been working with a few clients and researchers on the vendor-side / supply chain risk of business operations. The commonplace activities of course exist, and include at least:

  1. Weighing the criticality of each vendor (a term that also covers the supply chain going forward) to the operational state of the business
  2. Weighing aspects of regulatory and contractual mandates of said vendor
  3. Weighing classic #infosec considerations – C.I.A. ++
  4. Establishing a tiered system of vendor management practices based upon data, system access, and of course points 1 & 2 above.
  5. Executing and evaluating these vendors through an actual evaluation of their operations (appropriate scope applied) to ensure that security and operational activities are in place for YOUR business-dependent assets — this is key here: a PowerPoint presentation is not satisfactory, period. It does not matter who the vendor is – big, small, big brand, or otherwise… the vendor assessment is not satisfied by this type of response, and it should be considered a fail and raised to management to consider next steps.
  6. Tight integration with legal, procurement, and risk management to ensure that good vendors are added (garbage in, garbage out) and that actions can be taken while properly balancing the strategic needs of the business.
  7. Sever relationships with vendors that do not meet the requirements of your business

Now the above doesn’t mean establishing a static assessment approach with a litany of questions pulled from the internet; it should instead be a thoughtful key set of controls that the vendor MUST address and maintain over the course of the relationship.

Generally, the above are quite standard and commonplace. What recently has been interesting to me is (pardon the use of an industry phrase) the use of ‘out-of-band’ signals regarding vendor and supply chain risk. I shared two of these thoughts online today on Twitter:

  • How often does your risk assessment & vendor mgmt program factor in supply chain risk? Low hanging fruit: Monitor their breaches
  • Who follows the 10-K filings of key businesses that are suppliers and peers at the CSO / CRO / CISO level? These are key inputs into where vendors are setting their priorities, and into any red flags (infosec issues; operational concerns; financial challenges)

It is imperative today to KNOW which vendors (supply chain) participate in your organization, and to extend the vendor program to bring these signals into consideration.

There are many other areas to consider, and I would love to hear others’ ideas, here or @jdeluccia


James DeLuccia