Day: July 1, 2022

A vulnerable spot in global commerce is the supply chain: It enables technology developers and vendors to create and deliver innovative products but can leave businesses, their finished wares, and ultimately their consumers open to cyberattacks. A new update to the National Institute of Standards and Technology’s (NIST’s) foundational cybersecurity supply chain risk management (C-SCRM) guidance aims to help organizations protect themselves as they acquire and use technology products and services. The revised publication, formally titled Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), provides guidance on identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels of an organization. It forms part of NIST’s response to Executive Order 14028: Improving the Nation’s Cybersecurity, specifically Sections 4 (c) and (d), which concern enhancing the security of the software supply chain. Released today after a multiyear development process that included two draft versions, the publication now offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components – which may have been developed elsewhere – and the journey those components took to reach their destination. “Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens, one of the Publication’s Authors, “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.” Modern products and services depend on their supply chains, which connect a worldwide network of manufacturers, software developers and other service providers. Though they enable the global economy, supply chains also place companies and consumers at risk because of the many sources of components and software that often compose a finished product. A device may have been designed in one country and built in another using multiple components from various parts of the world that have themselves been assembled of parts from disparate manufacturers. Not only might the resulting product contain malicious software or be susceptible to cyberattack, but the vulnerability of the supply chain itself can affect a company’s bottom line. “A manufacturer might experience a supply disruption for critical manufacturing components due to a ransomware attack at one of its suppliers, or a retail chain might experience a data breach because the company that maintains its air conditioning systems has access to the store’s data sharing portal,” Boyens said. The primary audience for the revised publication is acquirers and end users of products, software and services. The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it. “If your agency or organization hasn’t started on (C-SCRM), this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately,” said NIST’s Jon Boyens “It has to do with trust and confidence,” said NIST’s Angela Smith, an Information Security Specialist and one of the Publication’s Authors, “Organizations need to have greater assurance that what they are purchasing and using is trustworthy. This new guidance can help you understand what risks to look for and what actions to consider taking in response.” Before providing specific guidance – called cybersecurity controls – the publication offers help to the varied groups in its intended audience, which ranges from cybersecurity specialists and risk managers to systems engineers and procurement officials. Each group is offered a ‘user profile’ in Section 1.4, which advises what parts of the publication are most relevant to the group. The publication’s Sections 1.6 and 1.7 specify how it integrates guidance promoted within other NIST publications and tailors that guidance for C-SCRM. These other publications include NIST’s Cybersecurity Framework and Risk Management Framework, as well as Security and Privacy Controls for Information Systems and Organizations, or SP 800-53 Rev. 5, its flagship catalog of information system safeguards. Organizations that are already using SP 800-53 Rev. 5’s safeguards may find useful perspective in Appendix B, which details how SP 800-161 Rev. 1’s cybersecurity controls map onto them. Organizations seeking to implement C-SCRM in accordance with Executive Order 14028 should visit NIST’s dedicated web-based portal, as Appendix F now indicates. This information has been moved online, in part to reflect evolving guidance without directly affecting the published version of SP 800-161 Rev. 1. In part because of the complexity of the subject, the authors are planning a quick-start guide to help readers who may be just beginning their organization’s C-SCRM effort. Boyens said they also plan to offer the main publication as a user-friendly webpage. “We plan to augment the document’s current PDF format with a clickable web version,” he said, “Depending on what group of users you fall into, it will allow you to click on a link and find the sections you need.”  

Global security company, Gallagher has recently announced they have achieved ISO 27001 accreditation, the leading international standard focused on information security. The ISO 27001 standard ensures organizations protect their information in a systematic and efficient way, through the adaptation of a robust and comprehensive Information Security Management System (ISMS). “Achieving this certification further demonstrates to our Channel Partners and customers around the world that we are committed to ensuring the delivery of robust and industry-leading security solutions which protect and safeguard the data of each and every one of them,” said Greg Barclay, Chief Operating Officer at Gallagher. The certification verifies Gallagher’s outstanding safeguards in three critical areas, including confidentiality, integrity, and authorized availability of all key data and information. Achieving the standard is a detailed and comprehensive process that requires a dedicated approach to all aspects of an organization’s processes in and around their ISMS. The ISO 27001 certification is the latest in a long list of key accreditations Gallagher has achieved in recent years. As Greg goes on to note, “We are proud to deliver solutions that meet government and industry compliance standards and certifications around the world. This is an essential part of our customer offering and commitment to protect what matters most.”  

An INTERPOL-coordinated operation targeting migrant smuggling and human trafficking has triggered 121 arrests across 25 countries, prompting 193 new investigations. Operation Storm Makers (21-25 March 2022) saw authorities carry out enforcement actions against organized crime groups believed to be facilitating the travel of Asian men, women and children across borders for exploitation and/ or profit. In total, authorities rescued 80 human trafficking victims and identified some 3,400 irregular migrants. Operational coordination units were set up in Hanoi (Vietnam) and Abu Dhabi (United Arab Emirates), helping assess intelligence and facilitating enforcement actions between participating countries. Smart electronic gates, connected to INTERPOL’s databases, were activated at airports across the United Arab Emirates (UAE) to boost passport checks and help detect forged documents. Globally, some 15 million checks were carried out against INTERPOL’s databases at air, land and sea borders, generating ‘hits’ or alerts for fraudulent travel documents, as well as INTERPOL Notices against individuals wanted on various charges, including murder and fraud. Organ trafficking, forced labour, sexual exploitation uncovered In Turkey, police arrested four people, dismantling a suspected international organ trafficking ring. The criminal network, originating in India, is accused of targeting vulnerable Indonesian nationals and facilitating kidney transplants in Turkey. The suspects went as far as staging wedding photos and falsifying documents in order to establish fake family relationships between recipients and donors. With each kidney fetching USD37,000 on the black market, the organ donor would receive USD15,000, with the remainder split among members of the network. Police in Malaysia and Cambodia worked closely on a case involving 15 men and one woman lured to Cambodia on the promise of a lucrative salary to work in a call centre. On arrival, however, they were locked up and forced to work 14-hour days as scammers. Authorities in both countries believe there are more victims of the criminal group and the ongoing investigation is being supported by INTERPOL’s Human Trafficking and Smuggling of Migrants unit. Additional operational highlights The Philippines rescued 32 victims of human trafficking and arrested eight suspects on charges of trafficking, child exploitation and child abuse. Authorities in Greece intercepted a car carrying five irregular migrants from Afghanistan and Syria, who had each paid EUR 4,000 to a smuggler in Turkey for transport to Thessaloniki. Vietnamese migrants were intercepted on the Hungary-Romania border, on their way to Germany. Their smugglers, also of Vietnamese origin, had coordinated all aspects of their illegal journey via social media platforms. In the UAE, a 17-year old girl was rescued from sexual exploitation. Brought to the UAE from Pakistan when she was just 13, the girl had been forced into prostitution by a family member. In the Maldives, intelligence led authorities to a possible brothel operating as a salon and spa, where they believe trafficked Thai women had been forced into prostitution. Authorities liaised with the women to ensure their safe return to Thailand and are working via the INTERPOL National Central Bureau in Bangkok to investigate the organized crime group behind their recruitment and exploitation. INTERPOL’s Secretary General, Jürgen Stock, said, “In just one week, this operation generated nearly 200 new investigations, revealing the sheer scale of these crimes. It is a huge responsibility for law enforcement, particularly when you know that the victims are in abusive or life-threatening situations. INTERPOL will continue to help authorities close the gaps and ensure the offenders behind these appalling activities are brought to justice.” Working together Participating countries received support from INTERPOL’s Specialized Operational Network against migrant smuggling, as well as its Human Trafficking Experts Group. AIRCOP, Homeland Security Investigations, the International Organization Migration and the Regional Support Office for The Bali Process delivered pre operational training. EUROPOL actively supported the operational phase by cross-checking information against its databases. Participating countries Australia, Bangladesh, Brunei, Cambodia, China, France, Germany, Greece, India, Indonesia, Laos, Malaysia, Maldives, Myanmar, Pakistan, Philippines, Portugal, Qatar, Romania, Singapore, Spain, Turkey, UAE, UK, Vietnam. Operation Storm makers was funded by the INTERPOL Foundation for a safer world.