Apple: It’s time to bolster supply chain security

Supply chains are vulnerable to cyberattack, and for the good of your business it’s time to secure them as best you can, according to Apple and the White House.

Apple to secure the tech supply chain

That’s one item of news to emerge following a high-level cybersecurity meeting between US President Joseph Biden and big tech firms, including Apple, IBM, Microsoft, Google, Amazon, and others. Most of the companies that attended the meeting have since announced plans to beef up security resilience, with a focus on training and security awareness.

Apple’s contribution seems different.

“Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain. As part of that program, Apple will work with its suppliers — including more than 9,000 in the United States — to drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.”

What’s the takeaway? Working on the assumption that the most obvious answer is probably the correct response, it is this: most enterprises should think about how to best secure not only their own systems, but those across the entire supply chain.

That’s going to mean partnerships — sometimes between competing companies — education, deep investments in training, and maybe even investment in partners.

It is interesting that while Apple is seen as being secure, it is not widely regarded as a security company (though it is). Now it is taking on responsibility for remediation and response. That’s a nod to what the company presumably already does internally. It seems probable that this also reflects the company’s growing place in enterprise tech. It suggests that Face ID, Touch ID, and use of USB security keys such as those made by Yubico will become more prevalent when accessing enterprise software and systems.

I expect this will be reflected in MDM, which suggests enhancements in Apple’s offerings (and those from everyone else). It also sheds new light on Apple’s recent decision to put a password authenticator in iOS 15, which helps reduce the friction of using two-factor authentication while also maintaining security.

Why the rush?

We know that during the pandemic cybersecurity incidents have spiked. They have also become more imaginative, exploiting everything from cell phone towers to the electric grid. Phishing scams are rife, and ransomware attacks are proliferating. And there aren’t enough cybersecurity professionals to hold the line. That’s why many of the announcements made after the meeting focus on security awareness and training.

When it comes to securing the supply chain, Apple appears close to the Biden administration. The White House said the US National Institute of Standards and Technology (NIST) will now collaborate with the tech industry and others to develop new security frameworks to protect supply chains. It seems certain Apple will play some part in setting those standards, alongside other tech firms.

Who is the weakest link?

The focus on supply chain security should be a message to any enterprise. It means the security of your business relies on the weakest link in your security chain.

That link can be an internal vulnerability but can also be an external vulnerability at any one of your partners. In an increasingly connected world, less well-secured business partners can become vehicles to undermine your existing protection, and vice versa.

Criminals are smart. State-sponsored cybercrime is on the rise internationally; it is well funded, with seemingly unlimited budgets. Bad actors probe constantly for weak spots, and phishing attacks against individuals are matched by similar attempts to subvert systems. No one should forget how Target’s network was penetrated by hackers who used network credentials stolen from one of its partners back in 2014.

Attackers track companies across their supply chains to identify vulnerabilities like these. If you can’t access the computers at your primary target, why not attack those at a supplier to find a way past existing perimeter defenses?

What happens now?

Apple’s recent introduction of CSAM protection is a significant red flag for privacy, but one element of what that system does could become part of future security protection. I’m talking about on-device activity monitoring.

After all, if devices can scan Messages content, they can also scan network activity (as many anti-fraud protection systems already do).

We know there are typical patterns that reflect an active security incident, particularly unexpected data flows sent to unrecognized servers. It’s no great imaginative leap to think Microsoft, Google, Apple, and the others could conceivably supplement existing security protection with more on-device situational awareness.

The basic information already exists and is already in use – apps like Little Snitch or Activity Monitor show how this data is already exposed. Specialized security firms such as Orange Cyberdefense or Splunk already deploy network monitoring systems for clients.

The latest White House intervention suggests a need for enhanced security awareness across the supply chain, extending all the way from the core to the very edge. Apple’s involvement hints at future work to help secure that edge. Perhaps this will involve on-device intelligence — but at what cost? Will we see Big Tech enlist security support in the form of quantum computing?

What can your business do today?

Much of this sits in the future. What can your enterprise do to protect itself in the present?

Typical problems and solutions may include:

  • Employee awareness, training and support: Every enterprise should invest in security and situational awareness training for staff. That extends to remote workers: Malware checkers matter, but so do well-secured Wi-Fi networks. Invest in security, and finance equipment right to the edge. And make sure to use strong passwords.
  • Communication: Every enterprise should take steps to reassure employees and partners of a blame-free approach to security errors. You don’t want to be kept waiting for weeks to learn that an employee has opened a malware-laden email and infected your internal system; nor do you want to wait to learn a business partner has suffered the same thing. A culture of blame makes you less secure because it makes people less likely to disclose problems quickly. Like everything else in the digital transformation of the enterprise, such self-regarding hierarchical management models need to be abandoned in favor of more open cultures.
  • Secure the perimeter and the core: Ensure use of 2FA security on all your devices. Employ MDM systems to manage hardware, software, and data. Make full use of all the security features on your fleet and diversify your tech stack where possible. Many MDM systems now offer geolocation-based security protections; be sure to use them where you can. Use back-up, fail-safe systems, redundant networks, firewalls, and ensure security updates are installed.
  • Work with partners (and competitors): Try to be open with your partners and competitors. Establish shared collective security policies and keep to them. Be prepared to cease working with a partner if their security systems do not pass muster and won’t improve. In the case of shared systems (even Slack channels) be ready to quarantine elements of your data exchange from your other systems. Be open, be friendly, be paranoid.
  • Prepare for rain: In the current environment, it’s best to assume a security breach is inevitable. That means as well as investing in systems to harden your enterprise security, you should also build and practice your data breach response plan. What will you do if you (or your partners) are attacked? Your business, employees, customers and partners should already know.

It may also be a good time to review Apple’s security white papers.
