Modern Australian
The Times

How suppliers of everyday devices make you vulnerable to cyber attack – and what to do about it

  • Written by Richard Matthews, PhD Candidate, University of Adelaide

If you run a business, you’re probably concerned about IT security. Maybe you invest in antivirus software, firewalls and regular system updates.

Unfortunately, these measures might not protect you from malicious attacks that enter your systems through everyday devices.

On the evening of Friday the 24th of October 2008 Richard C. Schaeffer Jr, the NSA’s top computer systems protection officer was in a briefing with US President George W. Bush when an aide passed him a note. The note was brief and to the point. They had been hacked.

How did it happen? The culprit was a simple USB.

Read more: Australia's car industry needs cybersecurity rules to deal with the hacking threat

USB supply chain attacks

The attack was unexpected because classified military systems are not connected to outside networks. The source was isolated to a worm loaded onto a USB key that had been carefully set up and left in large numbers to be purchased from a local internet kiosk.

This is an example of a supply chain attack, which focuses on the least secure elements in an organisation’s supply chain.

The US military immediately moved to ban USB drives in the field. Some years later, the US would use the same tactic to breach and disrupt Iran’s nuclear weapons program in an attack that has now been dubbed Stuxnet.

How suppliers of everyday devices make you vulnerable to cyber attack – and what to do about it The Bushehr nuclear power plant in Iran is thought to have been infected with a malicious computer worm known as Stuxnet in 2010. ABEDIN TAHERKENAREH/AAP

The lesson is clear: if you are plugging USB drives into your systems, you need to be very sure where they came from and what’s on them.

If a supplier can get a secret payload onto a USB stick, then there is no safe period in which a USB is a good choice. For example, you can currently buy a USB stick that is secretly a small computer, and it will, on insertion, open up a window on your machine and play the Death Star march.

This is just one kind of supply chain attack. What are the other kinds?

Network supply chain attacks

Computer users have an increasing tendency to store all their information on a network, concentrating their assets in one place. In this scenario, if one computer is compromised then the entire system is open to an attacker.

Consider a conference phone used in your organisation. Suppose this network-enabled phone had a built in fault that would allow attackers to listen in on any conversations in the vicinity. This was the reality in 2012 when more than 16 versions of Cisco’s popular IP phone were affected. Cisco released a patch for their phones, which could be installed by most companies’ IT security departments.

How suppliers of everyday devices make you vulnerable to cyber attack – and what to do about it The basic model of a network supply chain attack shows how vulnerable interconnected systems are within an organisation. Author Supplied

In 2017, a similar issue arose when a brand of hospital grade dishwasher was affected by a built-in insecure web server. In the case of a hospital, there is a great deal of private data and specialist equipment that could be compromised by such a vulnerability. While a patch was eventually released, it required a specialised service technician to upload it.

Read more: Guarding against the possible Spectre in every machine

Supply chain attacks have recently been implicated in the disastrous failure rate of the North Korean missile program. David Kennedy, in a video for The Insider, discusses how the US has previously disrupted nuclear programs using cyber. If they still possess this capability, it’s possible they would wish to keep it covert. Should this be the case, it’s conceivable one of the numerous North Korean failures could have been a test of such a cyber weapon.

Five ways companies can protect themselves

To protect yourself against all of this you need to set up basic cyber hygiene processes that can help keep your business free from infection.

  1. Purchase and install good anti-virus software and run it in protective mode, where it scans everything on your machine. Yes, even Macs get viruses

  2. monitor who is on your network, avoid using untrusted devices such as USBs and have your administrators block autorun as a system-wide policy

  3. segregate your networks. Have critical plant infrastructure? Don’t have it on the same network as your day to day, public-facing or guest access networks

  4. update regularly. Don’t worry about the latest and greatest issues, patch the known vulnerabilities in your systems – especially that one from 1980

  5. pay for your software and labour. If you’re not paying for the product, then someone is paying for you as the product.

How suppliers of everyday devices make you vulnerable to cyber attack – and what to do about it By separating your critical infrastructure from the internet facing and supplier available networks it is possible to provide a level of protection. However, some attacks are able to bridge this ‘air gap’. Author Provided

Cyber awareness is crucial

Finally, you can maximise cyber resilience by training everyone in your organisation to learn new skills. But it’s vital to test whether your training is working. Use actual exercises – in conjunction with security professionals – to examine your organisation, practice those skills, and work out where you need to make improvements.

Read more: Everyone falls for fake emails: lessons from cybersecurity summer school

The price of any connection to the internet is that it’s vulnerable to attack. But as we’ve shown, not even standalone systems are safe. Deliberate practice and thoughtful approaches to security can increase the protection of your business or workplace.

Authors: Richard Matthews, PhD Candidate, University of Adelaide

Read more http://theconversation.com/how-suppliers-of-everyday-devices-make-you-vulnerable-to-cyber-attack-and-what-to-do-about-it-98254

7 Signs It's Time to Upgrade Your Piston Air Compressor

If you run a workshop, panel shop, or fabrication business anywhere around Perth, you already know what heat and dust do to equipment over a few sum...

How Long Do Bathroom Renovations Melbourne Take? Step-by-Step Process Explained

Planning a bathroom renovation is exciting, but one of the biggest questions homeowners ask is, "How long will it take?" While every project is uniq...

Why Your Skin Breaks Out: The Science of Acne Explained

Acne is the most common skin condition in the world. An estimated 85% of people experience it at some point between the ages of 12 and 24, and a gro...

10 Swimwear Trends Australian Women Are Wearing This Summer

Every Australian summer brings a fresh wave of swimwear trends, but some styles have much greater staying power than others. While fashion constantly ...

Why Regular Skills Updates Are Essential for Licensed Security Officers

A guard at a Brisbane shopping centre gets a call about a shoplifter who's turned aggressive.  They’ve done the job for six years. But their de-...

10 Benefits of Choosing Professional Tutoring Penrith Services

Every student has unique learning strengths, challenges, and academic goals. While classroom teaching provides essential knowledge and structure, so...

Sunshine Coast Baby Classes Prove Big Hit Among First-Time Mums

There's a movement gaining traction on the Sunshine Coast, providing a village of support, socialisation and relief for first-time mothers and babie...

Father's Day Gift Ideas for Men Who Are Hard to Buy For

Some dads are easy to buy for. Others do not want anything, already have everything, or give you the classic "don't worry about me" answer every yea...

Top 5 Mistakes That Wear Out Your Brakes Faster

Brakes don't need frequent replacements like oil changes do.   But a lot of the wear happens quietly, over months, because of habits most drivers...

Plantation Shutters vs Curtains: Which Is Better for Your New Home?

Moving into a new home is an exciting opportunity to personalise your space and make it your own. While many homeowners focus on furniture, flooring...

Celebration of Life vs Traditional Funeral: What's the Difference?

When saying goodbye to someone you love, there is no single way to honour their life. Every family has different traditions, beliefs, and preference...

Building Approval for Roofing Projects: What Homeowners Need to Know

Roofing projects are an important part of maintaining and protecting your home. Whether you're repairing storm damage, replacing an ageing roof, or ...

Chatswood Tutoring And Its Role In Academic Achievement

Academic success often requires more than classroom attendance alone. Students face increasing expectations as they progress through school, particu...

Why Laser Hair Removal Treatments Continue Growing In Popularity

Managing unwanted hair can become time-consuming and frustrating for many people, especially when shaving, waxing, and other temporary methods requi...

Choosing the Right Devices for a Flexible Workplace

For IT leaders managing large fleets, the device layer is where workforce productivity and security policy meet. The shift towards flexible and hybrid...

How Business Advisory Services Help Companies Achieve Sustainable Growth

Every business owner aims to build a profitable and sustainable organisation. While dedication, innovation, and hard work are important, achieving l...

Why Body Contouring Has Become A Popular Cosmetic Treatment

Many people maintain healthy lifestyles through regular exercise and balanced eating habits but still struggle with stubborn areas of fat that are d...

How to Choose the Right POS Hardware for Your Business in Australia

A lot of Australian business owners spend weeks researching POS software but buy hardware almost as an afterthought. That's a mistake. The wrong har...