Guest Blog // Selected Security Content Provided By Sophos
10/11/2012
03:12 PM
Dark Reading
Security Insights

Finding Against Chinese Firms Has Lessons For Security Professionals Beyond Mere Avoidance

Sometimes the biggest threats to data security hide in plain sight

As has been widely reported this week, the U.S. House of Representatives issued a report that recommends that Chinese firms Huawei and ZTE should be barred from the U.S. market because their products could be used to undermine domestic cyber security. But what are the implications for day-to-day security for the rest of us?

Yes, there's the familiar dialogue around protectionism. This is a subject with which I have some knowledge and experience. In 2007-2008 I was a contract writer for 3Com Corporation, which was updating its website in anticipation of acquiring certain assets (e.g., routers and other infrastructure-related hardware) from the company’s joint venture with Huawei. Known as H3C (Huawei-3Com), this venture eventually came to the attention of Washington legislators, who voiced concerns (even then) about a Chinese company with ties to the People's Liberation Army gaining a foothold in a networking equipment company. (Of course, in 2009, 3Com was instead acquired and fully absorbed a year later by Hewlett Packard.)

According to a report in eWeek, the U.S. isn’t the only country to express concerns about Huawei and ZTE. The UK and Australia have put restrictions on how the companies may operate within their borders. New Zealand is in the process of implementing similar restrictions. A former French defense secretary has strongly recommended that both companies be banned across Europe.

And earlier this year, in a report of the National Counterintelligence Executive (ONCIX), China was identified as the most active and persistent economic espionage actor.

There's also another dimension to the report, that state-sponsored espionage will likely continue unfettered by the actions--or more precisely words--of any Congressional body of inquiry. Given what we already know about the makeup of crime syndicates I think it’s probably an uncomfortable truth.

So let each side sort all of that out and what it means for geopolitical and trade relations between the U.S. and China. Instead, let's examine what all this means from a strict security standpoint (allowing, of course, that many of these recommendations can be applied to circumstances not directly associated with this "China question").

Malware and spyware don’t always originate exclusively from external sources. While the House committee's report could not find a "smoking gun" in its investigation of Huawei or ZTE, it’s important to realize and respect that malware and spyware can be seeded in infrastructure such as switches, servers and routers before they're ever turned over to a customer. In turn, the information collected can presumably (and transparently) be transmitted to bad actors or anyone else interested in capturing confidential data. Additionally, to mitigate backdoor threats, always keep your devices up to date with all current patches.

Sometimes the biggest threat comes from those hiding in plain sight. You're a responsible information security professional who's diligent, who monitors your network continuously, and who audits instances of viruses, Trojans, spyware and the like that threaten the integrity of your network and its data. Still, if the vendor you're buying your network equipment from is reputed to be a bad actor, then you may have inadvertently placed your company and its data assets at risk. And the effect could be insidious as well as long-term, since you may not be aware until it's too late that your data is already being bought and sold offshore and being leveraged against you. In short, always take both a global and a holistic view of security. It's to no one's benefit, including yours, to put on blinders, roll the dice and hope for the best.

Suspicion and vigilance are not mutually exclusive terms. There's a certain ideology that's surfaced recently in the security world that says no matter what you do you will suffer a breach and you need to figure out how you're going to deal with it. But temper that view with reality. Don’t apply security measures and assume they will be perfect. Part of your security program must be to prepare for what you will do in the event of a breach. In responding, it's neither all-defense nor all-breach all of the time. You need both. In fact, a healthy dose of suspicion and vigilance helps to keep you sensitized to any and all changes on your network. Maintain an approved vendor list and keep it updated. Track, audit and report on anomalous behavior, whether by users or by your infrastructure equipment. And be aware that hardware from OEM suppliers is often rebranded before you see it, which can obscure its source and potentially amplify its risk to you.

I’ll end this post with the words of Scott Aken, a former special FBI agent who worked on counterintelligence on cyber espionage cases. As reported by Dark Reading, while the content of the House Intelligence Committee’s report comes as no surprise to the intelligence community, it’s a significant message to the general public.

"Cyber espionage is certainly going to continue for [our] lifetimes. By making this a well-known issue to those outside the U.S. government, now U.S. companies can make better decisions on who they purchase [equipment] from. To me, it's really important because this is the first time they are letting the general public know what maybe those in the intelligence community and DoD (Department of Defense) already know," Aken says.

As fellow members of the security community, we should consider ourselves warned.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.
