Prerequisites
Access to the product during initial or continuous development. This access is often obtained via an insider, or by including the third-party component after deployment.
Mitigations
Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.
Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.
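The two mitigations above call for verifying a third-party component before it is included and for reviewing updates rather than trusting them. The following added example (written for this page; it is not CAPEC's own code, and the component archives, manifest and pattern list are constructed here for illustration) shows a pre-inclusion gate that does both: it rejects an archive whose SHA-256 digest differs from the digest a reviewer approved, and it runs a lightweight static scan over the archive's Python sources for constructs that should trigger a human review (dynamic code execution, base64-decoded payloads, and network use in install-time code). The pattern list is a hypothetical starting point, not a substitute for a full SAST tool.

```python
"""Pre-inclusion gate for a third-party software component (added example).

(1) Verify the archive digest against a reviewed, pinned manifest so a swapped
    or tampered build is rejected before it reaches the application.
(2) Scan the archive's source for constructs that warrant reviewer attention.
"""
import hashlib
import io
import re
import tarfile

# Illustrative review triggers (hypothetical list, not an exhaustive rule set).
SUSPECT_PATTERNS = {
    "dynamic_code_exec": re.compile(r"\b(?:eval|exec)\s*\("),
    "obfuscated_payload": re.compile(r"b64decode\s*\("),
    "install_time_network": re.compile(r"\b(?:urllib|socket|requests)\b"),
}


def sha256_hex(data: bytes) -> str:
    """Digest used to pin a reviewed build of a component."""
    return hashlib.sha256(data).hexdigest()


def scan_archive(archive: bytes) -> dict:
    """Return {member_name: [pattern_names]} for .py members matching any pattern."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".py"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            hits = [name for name, rx in SUSPECT_PATTERNS.items() if rx.search(text)]
            # Network imports are expected in ordinary modules; they are only
            # reported on their own when they appear in install-time code.
            if hits == ["install_time_network"] and not member.name.endswith("setup.py"):
                hits = []
            if hits:
                findings[member.name] = hits
    return findings


def gate_component(name: str, archive: bytes, pinned_manifest: dict):
    """Decide whether a component may be included. Returns (allowed, reasons)."""
    reasons = []
    digest = sha256_hex(archive)
    expected = pinned_manifest.get(name)
    if expected is None:
        reasons.append(f"{name}: no reviewed digest pinned; manual review required")
    elif expected != digest:
        reasons.append(f"{name}: digest {digest[:12]}... does not match pinned {expected[:12]}...")
    for member, hits in scan_archive(archive).items():
        reasons.append(f"{name}: {member} matches {', '.join(hits)}")
    return (not reasons, reasons)


def build_archive(files: dict) -> bytes:
    """Build an in-memory tar.gz from {path: source}; used only to construct samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, source in files.items():
            data = source.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample components (not real packages).
CLEAN = build_archive({
    "widget/__init__.py": "def render(x):\n    return f'<b>{x}</b>'\n",
    "widget/setup.py": "from setuptools import setup\nsetup(name='widget')\n",
})
TAMPERED = build_archive({
    "widget/__init__.py": "import base64\nexec(base64.b64decode('cHJpbnQoMSk='))\n",
    "widget/setup.py": "import urllib.request\nfrom setuptools import setup\nsetup(name='widget')\n",
})

# The manifest records the digest a reviewer approved for this version.
PINNED = {"widget-1.0": sha256_hex(CLEAN)}

if __name__ == "__main__":
    for label, archive in (("reviewed build", CLEAN), ("modified build", TAMPERED)):
        allowed, reasons = gate_component("widget-1.0", archive, PINNED)
        print(label, "->", "ALLOW" if allowed else "BLOCK", reasons)
```

The digest check is what catches a component that was silently replaced after review; the scan is what gives the reviewer a reason to look at an update before re-pinning it. Both steps apply equally to the first inclusion and to every later update, which is the point of the first mitigation above.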
References
REF-379
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)
Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf

REF-707
How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It
Thomas Brewster.
https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/?sh=991ab8c38776

REF-708
Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections
Dan Goodin.
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

REF-709
Extracting the SuperFish certificate
Rob Graham.
https://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOX5Ky57RqE

REF-713
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Jordan Robertson, Michael Riley.
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
Submission

| Name | Organization | Date | Publication Date |
| --- | --- | --- | --- |
| CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00 | |
Modifications

| Name | Organization | Date | Comment |
| --- | --- | --- | --- |
| CAPEC Content Team | The MITRE Corporation | 2018-07-31 +00:00 | Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity |
| CAPEC Content Team | The MITRE Corporation | 2019-09-30 +00:00 | Updated Related_Attack_Patterns |
| CAPEC Content Team | The MITRE Corporation | 2021-06-24 +00:00 | Updated Related_Attack_Patterns |
| CAPEC Content Team | The MITRE Corporation | 2022-02-22 +00:00 | Updated Example_Instances, References |
| CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | Updated @Name, Description, Example_Instances, Extended_Description, Mitigations, Prerequisites, References, Related_Attack_Patterns, Taxonomy_Mappings |