From the article “Malware-infected flash cards shipped out with HP switches”

By John Leyden • Get more from this author

Posted in Enterprise Security, 11th April 2012 15:26 GMT

Interesting (understatement) that a malware laden compact flash card can get shipped out with a product from a respected and revered company such that HP is. I find myself shocked for the most part, but then somehow it seems par for the course. The question still remains, how the hell did the malware get on the card – let alone thinking – did you check the cards before deploying them?

It’s almost inconceivable to think that something like this could happen, but then take a glance into supply chain operations. Are those sourcing the technology armed with enough information to understand the risk? Are those that are deploying the project plan asking the right people the right questions?

It seems no matter which angle you take, there is propensity for issues, and I hazard a guess that the angle is always going to be skewed where people are involved. That’s not slighting people, it’s more the knowledge angle. I’ll use the phrase “you don’t know what you don’t know”.

Example: Information Security Awareness Training: one weak link in securing an environment is people. So, Joe Bloggs, when was the last time you upgraded the firmware on your home router, or updated and scanned your home system? You get a blank look! That’s the point – they don’t know that connecting to your environment through the SSL VPN is a huge risk.

Back to the point – it falls back on us to make sure we ‘sanitize’ all and every piece of media or hardware (etc) that comes into our environment, exactly to negate issues such as this, and that’s just the starting point.

Can you see how big the problem is yet?