Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
10/11/2012
03:12 PM
Dark Reading
Dark Reading
Security Insights
50%
50%

Finding Against Chinese Firms Has Lessons For Security Professionals Beyond Mere Avoidance

Sometimes the biggest threats to data security hide in plain sight

As has been widely reported this week, the U.S. House of Representatives issued a report that recommends that Chinese firms Huawei and ZTE should be barred from the U.S. market because their products could be used to undermine domestic cyber security. But what are the implications for day-to-day security for the rest of us?

Yes, there's the familiar dialogue around protectionism. This is a subject with which I have some knowledge and experience. In 2007-2008 I was a contract writer for 3Com Corporation, which was updating its website in anticipation of acquiring certain assets (e.g., routers and other infrastructure related hardware) from the company’s joint venture with Huawei. Known as H3C (Huawei-3Com), this venture eventually came to the attention of Washington legislators who voiced concerns (even then) of a Chinese company with ties to the People's Liberation Army gaining a foothold to a networking equipment company. (Of course, in 2009, 3Com was instead acquired and fully absorbed a year later by Hewlett Packard).

According to a reportin eWeek, the U.S. isn’t the only country to express concerns about Huawei and ZTE. The UK and Australia have put restrictions on how the companies may operate within their borders. New Zealand is in the process of implementing similar restrictions. A former French defense secretary has strongly recommended that both companies be banned across Europe.

And earlier this year, in a report of the National Counterintelligence Executive (ONCIX) China was identified as the most active and persistent economic espionage actor.

There's also another dimension to the report, that state-sponsored espionage will likely continue unfettered by the actions--or more precisely words--of any Congressional body of inquiry. Given what we already know about the makeup of crime syndicates I think it’s probably an uncomfortable truth.

So let each side sort all of that out and what it means for geopolitical and trade relations between the U.S. and China. Instead let's examine what all this means from a strict security standpoint (and allowing, of course, that many of these recommendations can be applied to circumstances not directly associated with this "China question").

Malware and spyware don’t always originate exclusively from external sources. While the House committee's report could not find a "smoking gun" in its investigation of Huawei or ZTE, it’s important to realize and respect that malware and spyware can be seeded in infrastructure such as switches, servers and routers before they're ever turned over to a customer. In turn, the information collected can be presumably (and transparently) transmitted to bad actors or anyone else interested in capturing confidential data. Additionally, to mitigate back door threats, always keep your devices up to date with all current patches.

Sometimes the biggest threat comes from those hiding in plain sight. You're a responsible information security professional who's diligent, who monitors your network continuously, and audits instances of viruses, Trojans, spyware and the like that threaten the integrity of your network and its data. Still, if the vendor you're buying your network equipment from is reputed to be a bad actor then you may have inadvertently placed your company and its data assets at risk. And the effect could be insidious as well as long-term since you may not be aware until it's too late that your data is already being bought and sold offshore and being leveraged against you. In a word, always take both a global as well as holistic view of security. It's to no one's benefit, including yours, to put on blinders, roll the dice and hope for the best.

Suspicion and vigilance are not mutually exclusive terms. There's a certain ideology that's surfaced recently in the security world that says no matter what you do you will suffer a breach and you need to figure out how you're going to deal with it. But temper that view with reality. Don’t apply security measures and assume they will be perfect. Part of your security program must be to prepare for what you will do in the event of a breach. In responding, it's neither completely all-defense or all-breach all of the time. You need both. In fact, a healthy dose of suspicion and vigilance helps to keep you sensitized to any and all changes on your network. Maintain an approved vendor list and keep it updated. Track, audit and report on anomalous behavior either by users or your infrastructure equipment. And be aware that hardware from OEM suppliers is often rebranded before you see it, which can obscure its source and potentially amplify its risk to you.

I’ll end this post with the words of Scott Aken, a former special FBI agent who worked on counterintelligence on cyber espionage cases. As reported by Dark Reading, while the content of the House Intelligence Committee’s report comes as no surprise to the intelligence community, it’s a significant message to the general public.

"Cyber espionage is certainly going to continue for [our] lifetimes. By making this a well-known issue to those outside the U.S. government, now U.S. companies can make better decisions on who they purchase [equipment] from. To me, it's really important because this is the first time they are letting the general public know what maybe those in the intelligence community and DoD (Department of Defense) already know, " Aken says.

As a fellow member of the security community, we should consider ourselves warned.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7830
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse cap...

CVE-2014-7831
Published: 2014-11-24
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

CVE-2014-7832
Published: 2014-11-24
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by vi...

CVE-2014-7833
Published: 2014-11-24
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

CVE-2014-7834
Published: 2014-11-24
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?