Monthly Archives: January 2022

The Importance of Securing Embedded and Connected Devices in the Supply Chain

Register for Larry’s webinar about supply chain security on Wednesday, Feb. 9, 2022, at 2 p.m. ET.

The Kaseya supply chain compromise has demonstrated the threats to supply chains that ransomware groups pose. The supply chain compromise of SolarWinds Orion network management due to the SUNBURST malware has also underscored how vulnerable supply chains are to attacks. According to participants in this research, these compromises and the increase in supply chain and IoT attacks require organizations to rethink supply chain and product security processes.

Sponsored by Finite State, Ponemon Institute surveyed 632 IT and IT security practitioners in the U.S. who are familiar with their organizations’ approach to securing embedded and connected devices and have complete or partial responsibility for setting and/or implementing their supply chain security strategies. The research targets device and connected device manufacturers in highly regulated industries.

Larry Ponemon will present findings from the study at a webinar on Wednesday, February 9, 2022, at 2 p.m. ET. Also presenting: Rich Nass, Executive Vice-President, Brand Director, Embedded Franchise, OpenSystems Media. Register for the webinar at this link.

Seventy-three percent of respondents say their organizations are very committed (40 percent) or committed (33 percent) to achieving a secure supply chain. Twenty-seven percent of respondents say their organizations are only somewhat committed.

While respondents are aware and very concerned about the threats to their organizations’ supply chain based on recent compromises, only 39 percent of respondents say there is a direct risk assessment of the security of the supplied hardware and/or software, such as penetration testing, vulnerability scanning, requests for Software Bills of Materials and requests for security reports. Further, only 43 percent of respondents say their organizations conduct a risk assessment of the security development lifecycle for third-party vendors.

The following findings reveal why organizations are not making supply chain security as important as it should be.

  • Product security is not a priority. Only 41 percent of respondents say their organizations make it a priority, despite the finding that 76 percent of respondents say the security of an IoT device is very important.
  • Executives and boards of directors are not involved as they should be in their organizations’ product security practices. Only 27 percent of respondents say the leadership requires assurances that product security is being assessed, managed and monitored appropriately.
  • Product security processes and programs are not reviewed frequently. Only 24 percent of respondents say such a review occurs frequently to address evolving supply chain risks.
  • Lack of resources and in-house expertise are obstacles to achieving a strong security posture. When asked what is preventing the development of secure IoT/embedded products, 62 percent of respondents say it is a lack of resources and 60 percent of respondents say it is a lack of in-house expertise.
  • Organizations need more resources to improve product security. Fifty percent of respondents say their organizations are not increasing investments for product security. As mentioned above, the number one obstacle to improved product security is the lack of resources.
  • Organizations find it difficult to manage supply chain risks. Sixty percent of respondents say their organizations find it difficult to rapidly respond to new vulnerability disclosures that may affect their devices.

To read the full report, The Importance of Securing Connected and Embedded Devices In the Supply Chain, visit Finite State’s website.


‘The distraction is more important than the lie’ – and wow, are we distracted

Bob Sullivan

I’ve been thinking a lot about distraction lately.  We are all living lives of grand distractions these days, with one eye over our shoulder keeping track of Covid and its consequences.  The constant drumbeat of cases and science and conspiracy and bickering never ends.  If you are lucky enough that so far Covid has been just a distraction — and not something worse for you or your family — perhaps you managed to keep it together through nearly two years of remote everything. But right now, as our gas tank for pandemic tolerance is nearing empty, Omicron has arisen, seemingly to finish us off.  Sure, try to focus on that big work project, or the book you are reading, or on getting healthy, or getting your finances in order, or even the conversation you are having with a loved one, with everything else going on.

This is not a new problem.

I’ve been interested in distraction for a long time — since at least the 1990s, when a computer science researcher at Xerox Parc named Mark Weiser turned me onto the issue. I do believe it is the crisis of our time. Attention is our most precious commodity and it is under relentless attack right now. I tried to write a book about the problem about 10 years ago, but I couldn’t get publishers to focus on it. (Really!) I did write an op-ed for The New York Times called “Brain, Interrupted,” which is still among the most popular pieces I’ve written.

The digital age is the age of interruptions. Gadgets surround us, constantly beeping and blinking and popping up to get in our way, bringing whatever we might be doing to a screeching halt. Billions of dollars in research have been spent hacking your brain, and mine, to learn just how to steal your attention — and ultimately sell it to someone for a price. Think about it: if we live in the attention economy, then grabbing someone’s focus without their consent is theft.  The phrase is “pay attention,” after all. A new book called Stolen Focus: Why You Can’t Pay Attention by Johann Hari makes this argument, too, and cites some of my earlier research.

The cost is very real. About 10 years ago, when writing our book The Plateau Effect, I helped plan a distraction study at Carnegie Mellon University. You can read the details in my op-ed, but basically, students who received text messages during tests performed about 20% worse.  Other studies show that people who are interrupted for even just a few moments at work can languish for 20 or 30 minutes before regaining focus on whatever it was they were doing.

Constant task-switching robs our brains and hearts of the satisfying feeling that “stick-to-it-ive-ness” brings, the dopamine hit we get for setting a goal and completing a task. It robs us of intimacy, too. Try talking to someone who glances at their smartphone every 15 seconds, and you understand how every dancer in history has felt when they catch their partner looking around the club for someone more attractive.

Today I want to mention another cost of distraction, however. Crime.

If you grew up anywhere near New York City in the 1970s and 80s, you know who Crazy Eddie is (His prices are INNNNNSAAAAAANE!). The ubiquitous electronics store with the never-ending TV ads succeeded for one reason: Crazy Eddie was a cheater.  He eventually was convicted of tax fraud and went to jail. His brother, Sam Antar, former company chief financial officer and also convicted of fraud, later became a forensic accountant. He also gives a mighty fine speech about how white-collar criminals commit crimes. They create diversions.  “The distraction is more important than the lie,” he says over and over. He’s right.

You’ve seen it on TV, if you haven’t seen it yourself in person — pickpockets often bump into their victims to cause a distraction, then use that moment to steal a wallet or purse. That’s the simple version. Antar, speaking on the Bloomberg Odd Lots podcast a couple of years ago, explains how such distractions can work at scale. I won’t steal his material; it’s well worth the 10-minute watch on YouTube. But Eddie’s real talent wasn’t lying about sales taxes. It was distracting the auditors when they came every year.

Distractions have been a key tool for ripoff artists throughout history. Car dealers sneak fees into loans while chatting about cupholders.  Real estate agents gloss over the cost of flood insurance while they describe how great the big garage will be for loading and unloading the kids’ car seats. Websites nudge you into trial subscriptions with a single click, then require a 30-minute call to cancel. (The FTC is finally taking on that one!) It’s up to consumers to refocus, constantly, on the bottom line, and on what matters. That’s a fair fight, I guess, or at least it can be. It’s a fight made much harder by endless fine print, dark patterns on websites, automated payments, and other gadget-driven intrusions.

But now, digital distractions are only half the problem. Covid has made so much of our lives a daily battle.  Did I forget my mask? Are we out of toilet paper? Should I book that vacation? That dental appointment?  Why is that person ignoring the guidelines / taking the guidelines too seriously?

We are all living lives of constant distraction. And that makes us all vulnerable. Charlatans smell this kind of distraction and go in for the kill. Early in the pandemic, we saw criminals steal billions of dollars from unemployment benefits programs.  TV characters and politicians are using this moment to incite hatred and distrust, to consolidate power, and most of all, to make money.  Whatever TV channel you watch, I challenge you to spend an hour or two paying more attention to the advertisements than the “content” and ask yourself how you feel supporting those products.

I wish I had a silver bullet or even some good-enough words of advice for this dark time. All I know is this: attention is indeed the most valuable commodity in the world. That’s what I learned from Mark Weiser at Xerox Parc when I wrote about it decades ago. Attention is like time; we just can’t make any more of it. We have what we have, and we decide how to use it.  At this time of crippling distractions, try to take things a little more slowly. Find some extra time to make big financial decisions if you can. Be gentle with yourself and with others as they try to find their focus.  And from my perch as a consumer reporter, beware people and things that interrupt you from doing what’s really important.