A seasoned IT practitioner may think they’re savvy enough to spot the difference between legitimate networking gear and some hunk of metal with a sticker loosely stuck on it that says “Sisco,” but counterfeit devices have found their way into everyday IT systems—even aircraft.
On May 2, 2024, the US Department of Justice sentenced a Florida resident and dual citizen of the United States and Turkey to six-plus years in prison for trafficking “fraudulent and counterfeit” Cisco networking equipment.
The sentenced man, Onur Aksoy, “sold hundreds of millions of dollars’ worth of counterfeit computer networking equipment that ended up in US hospitals, schools, and highly sensitive military and other governmental systems, including platforms supporting sophisticated US fighter jets and military aircraft,” Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s criminal division, said in a May 2 statement.
The announcement also provided an opportunity for IT pros to remind other IT pros: Vet your supplier.
Check the device. Some vendors have ways to verify their gear. Dates on security labels from new products purchased from Cisco-authorized channels, for example, should correlate to the transaction date, Cisco warns on its site; the company also recommended other checks like inspection for specific stickers and holographic labels. Additionally, Cisco also provides a Secure Hash Algorithm 512 bits (SHA512) checksum, or integrity fingerprint, to validate downloaded Cisco images. For possible counterfeits, Tom Pace, co-founder and CEO at software supply chain risk management (SSCRM) company NetRise, recommends using command-line tools to compare SHA256 hashes.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Check the vendor. For those tiny parts that don’t have verifiable serial numbers or holograms, Pete Nicoletti, global CISO, Americas, at Check Point Software Technologies, advised IT professionals to take a look at the reseller and make sure they’re both certified and vendor-authorized—another recommendation from Cisco as well. Rating and accreditation data can be found on sites like Better Business Bureau, added Pace.
The Department of Justice’s May 2 announcement mentioned that Aksoy was running “approximately 15 Amazon storefronts and at least 10 eBay storefronts,” a major indicator of a suspicious vendor, according to Sue Bergamo, CISO and CIO at cybersecurity firm BTE Partners. “If you’re going to have stuff on military planes and naval ships, you’re going to go through Amazon?” Bergamo wondered aloud in a conversation with IT Brew.
After assessing business legitimacy and supply chain partners as best as you can, Bergamo also recommended looking at the vendor’s security program to check practices like asset management, disaster recovery, and business continuity.
Check the price. If the deal looks way too cheap, the product may be as well. “If the cost is too good to be true, that should be a flag,” Nicoletti said, adding that it’s a good idea to take your questions to a vendor rep—someone who’s more likely to be who they say they are.