Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
10/11/2012
03:12 PM
Dark Reading
Dark Reading
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

Finding Against Chinese Firms Has Lessons For Security Professionals Beyond Mere Avoidance

Sometimes the biggest threats to data security hide in plain sight

As has been widely reported this week, the U.S. House of Representatives issued a report that recommends that Chinese firms Huawei and ZTE should be barred from the U.S. market because their products could be used to undermine domestic cyber security. But what are the implications for day-to-day security for the rest of us?

Yes, there's the familiar dialogue around protectionism. This is a subject with which I have some knowledge and experience. In 2007-2008 I was a contract writer for 3Com Corporation, which was updating its website in anticipation of acquiring certain assets (e.g., routers and other infrastructure related hardware) from the company’s joint venture with Huawei. Known as H3C (Huawei-3Com), this venture eventually came to the attention of Washington legislators who voiced concerns (even then) of a Chinese company with ties to the People's Liberation Army gaining a foothold to a networking equipment company. (Of course, in 2009, 3Com was instead acquired and fully absorbed a year later by Hewlett Packard).

According to a reportin eWeek, the U.S. isn’t the only country to express concerns about Huawei and ZTE. The UK and Australia have put restrictions on how the companies may operate within their borders. New Zealand is in the process of implementing similar restrictions. A former French defense secretary has strongly recommended that both companies be banned across Europe.

And earlier this year, in a report of the National Counterintelligence Executive (ONCIX) China was identified as the most active and persistent economic espionage actor.

There's also another dimension to the report, that state-sponsored espionage will likely continue unfettered by the actions--or more precisely words--of any Congressional body of inquiry. Given what we already know about the makeup of crime syndicates I think it’s probably an uncomfortable truth.

So let each side sort all of that out and what it means for geopolitical and trade relations between the U.S. and China. Instead let's examine what all this means from a strict security standpoint (and allowing, of course, that many of these recommendations can be applied to circumstances not directly associated with this "China question").

Malware and spyware don’t always originate exclusively from external sources. While the House committee's report could not find a "smoking gun" in its investigation of Huawei or ZTE, it’s important to realize and respect that malware and spyware can be seeded in infrastructure such as switches, servers and routers before they're ever turned over to a customer. In turn, the information collected can be presumably (and transparently) transmitted to bad actors or anyone else interested in capturing confidential data. Additionally, to mitigate back door threats, always keep your devices up to date with all current patches.

Sometimes the biggest threat comes from those hiding in plain sight. You're a responsible information security professional who's diligent, who monitors your network continuously, and audits instances of viruses, Trojans, spyware and the like that threaten the integrity of your network and its data. Still, if the vendor you're buying your network equipment from is reputed to be a bad actor then you may have inadvertently placed your company and its data assets at risk. And the effect could be insidious as well as long-term since you may not be aware until it's too late that your data is already being bought and sold offshore and being leveraged against you. In a word, always take both a global as well as holistic view of security. It's to no one's benefit, including yours, to put on blinders, roll the dice and hope for the best.

Suspicion and vigilance are not mutually exclusive terms. There's a certain ideology that's surfaced recently in the security world that says no matter what you do you will suffer a breach and you need to figure out how you're going to deal with it. But temper that view with reality. Don’t apply security measures and assume they will be perfect. Part of your security program must be to prepare for what you will do in the event of a breach. In responding, it's neither completely all-defense or all-breach all of the time. You need both. In fact, a healthy dose of suspicion and vigilance helps to keep you sensitized to any and all changes on your network. Maintain an approved vendor list and keep it updated. Track, audit and report on anomalous behavior either by users or your infrastructure equipment. And be aware that hardware from OEM suppliers is often rebranded before you see it, which can obscure its source and potentially amplify its risk to you.

I’ll end this post with the words of Scott Aken, a former special FBI agent who worked on counterintelligence on cyber espionage cases. As reported by Dark Reading, while the content of the House Intelligence Committee’s report comes as no surprise to the intelligence community, it’s a significant message to the general public.

"Cyber espionage is certainly going to continue for [our] lifetimes. By making this a well-known issue to those outside the U.S. government, now U.S. companies can make better decisions on who they purchase [equipment] from. To me, it's really important because this is the first time they are letting the general public know what maybe those in the intelligence community and DoD (Department of Defense) already know, " Aken says.

As a fellow member of the security community, we should consider ourselves warned.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio