Guest Blog // Selected Security Content Provided By Sophos
Dark Reading

Finding Against Chinese Firms Has Lessons For Security Professionals Beyond Mere Avoidance

Sometimes the biggest threats to data security hide in plain sight

As has been widely reported this week, the U.S. House Intelligence Committee issued a report recommending that the Chinese firms Huawei and ZTE be barred from the U.S. market because their products could be used to undermine domestic cyber security. But what are the implications for day-to-day security for the rest of us?

Yes, there's the familiar dialogue around protectionism. This is a subject with which I have some knowledge and experience. In 2007-2008 I was a contract writer for 3Com Corporation, which was updating its website in anticipation of acquiring certain assets (e.g., routers and other infrastructure-related hardware) from the company's joint venture with Huawei. Known as H3C (Huawei-3Com), this venture eventually came to the attention of Washington legislators, who voiced concerns (even then) about a Chinese company with ties to the People's Liberation Army gaining a foothold in a networking equipment company. (Of course, 3Com was instead acquired by Hewlett-Packard in 2009 and fully absorbed a year later.)

According to a report in eWeek, the U.S. isn't the only country to express concerns about Huawei and ZTE. The UK and Australia have put restrictions on how the companies may operate within their borders. New Zealand is in the process of implementing similar restrictions. A former French defense secretary has strongly recommended that both companies be banned across Europe.

And earlier this year, in a report from the Office of the National Counterintelligence Executive (ONCIX), China was identified as the most active and persistent economic espionage actor.

There's also another dimension to the report: state-sponsored espionage will likely continue unfettered by the actions--or more precisely the words--of any Congressional body of inquiry. Given what we already know about the makeup of crime syndicates, I think that's probably an uncomfortable truth.

So let each side sort all of that out and what it means for geopolitical and trade relations between the U.S. and China. Instead let's examine what all this means from a strict security standpoint (and allowing, of course, that many of these recommendations can be applied to circumstances not directly associated with this "China question").

Malware and spyware don't always originate from external sources. While the House committee's report could not find a "smoking gun" in its investigation of Huawei or ZTE, it's important to realize that malware and spyware can be seeded in infrastructure such as switches, servers and routers before the equipment is ever turned over to a customer. Once in place, the information such an implant collects can be quietly transmitted to bad actors or anyone else interested in capturing confidential data. Keeping devices current with vendor patches still matters, because it closes the known vulnerabilities an attacker would otherwise exploit, but patches arrive through the same supply chain and will not remove a back door the supplier itself put there. The practical checks are to verify firmware images against the hashes or signatures the vendor publishes, to restrict what your infrastructure devices are permitted to talk to, and to watch for traffic from those devices that you cannot account for.

Sometimes the biggest threat comes from those hiding in plain sight. You're a responsible information security professional who's diligent, who monitors your network continuously, and who audits the viruses, Trojans, spyware and the like that threaten the integrity of your network and its data. Still, if the vendor you're buying your network equipment from is reputed to be a bad actor, then you may have inadvertently placed your company and its data assets at risk. The effect can be insidious as well as long-term, since you may not be aware until it's too late that your data is already being bought and sold offshore and leveraged against you. In short, take both a global and a holistic view of security. It's to no one's benefit, including yours, to put on blinders, roll the dice and hope for the best.

Suspicion and vigilance are not mutually exclusive terms. There's a certain ideology that's surfaced recently in the security world which says that no matter what you do you will suffer a breach, so you had better figure out how you're going to deal with it. Temper that view with reality. Don't apply security measures and assume they will be perfect; part of your security program must be to prepare for what you will do in the event of a breach. But the response is neither all-defense nor all-breach all of the time. You need both. In fact, a healthy dose of suspicion and vigilance keeps you sensitized to any and all changes on your network. Maintain an approved vendor list and keep it updated. Track, audit and report on anomalous behavior, whether by users or by your infrastructure equipment. And be aware that hardware from OEM suppliers is often rebranded before you see it, which can obscure its source and amplify its risk to you, so record the original manufacturer on that vendor list, not just the name on the box.
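The two preceding paragraphs describe the control in words: decide what your switches and routers are expected to talk to, then flag and audit anything else, paying special attention to regularly timed "phone home" traffic that a pre-seeded implant would produce. The script below is an added worked example of that check and is not code from the original post, from Sophos, or from Dark Reading. It assumes flow records exported from a collector as simple CSV lines (constructed here inline), an inventory of infrastructure management addresses, and an allow list of expected destinations; the addresses, the vendor mirror and the flow format are all assumptions for illustration.

```python
"""Flag infrastructure devices talking to destinations outside their expected set,
then look for fixed-interval ('beacon') timing among the flagged flows.
Added example; the inventory, allow list and flow records below are constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample flow records (NetFlow-style export as CSV):
# timestamp, src_ip, dst_ip, dst_port, bytes
SAMPLE_FLOWS = """\
2012-10-10T02:00:03Z,10.0.0.2,10.0.0.50,514,220
2012-10-10T02:00:05Z,10.0.0.2,10.0.0.51,123,76
2012-10-10T02:00:07Z,10.0.0.2,203.0.113.9,443,1480
2012-10-10T03:00:06Z,10.0.0.2,203.0.113.9,443,1492
2012-10-10T04:00:08Z,10.0.0.2,203.0.113.9,443,1475
2012-10-10T05:00:05Z,10.0.0.2,203.0.113.9,443,1488
2012-10-10T02:13:40Z,10.0.0.3,10.0.0.50,514,310
2012-10-10T02:41:00Z,10.0.0.3,198.51.100.20,443,9000
2012-10-10T09:20:00Z,10.0.0.3,198.51.100.20,443,3100
2012-10-10T02:50:00Z,10.0.0.3,192.0.2.77,22,5000
2012-10-10T04:05:30Z,10.0.0.3,192.0.2.77,22,5200
2012-10-10T04:07:00Z,10.0.0.3,192.0.2.77,22,4800
"""

# Management addresses of switches/routers (assumed inventory; in practice from the CMDB).
INFRA_DEVICES = {"10.0.0.2", "10.0.0.3"}

# Where infrastructure devices are expected to talk: internal nets (syslog, NTP, AAA)
# plus a named external vendor update mirror. A port of None means any port.
ALLOWED_DESTS = [
    (ip_network("10.0.0.0/8"), None),
    (ip_network("198.51.100.20/32"), 443),   # assumed vendor update mirror
]

def parse_flows(text):
    """Parse CSV flow lines into dicts with a datetime timestamp."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return rows

def is_allowed(dst, port):
    """True if (dst, port) matches an allow-list entry."""
    addr = ip_address(dst)
    for net, allowed_port in ALLOWED_DESTS:
        if addr in net and (allowed_port is None or allowed_port == port):
            return True
    return False

def unexpected_flows(flows):
    """Flows sourced from infrastructure devices to destinations not on the allow list."""
    return [f for f in flows
            if f["src"] in INFRA_DEVICES and not is_allowed(f["dst"], f["port"])]

def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival times: near 0 means a fixed interval.
    Returns None with fewer than three observations (no interval statistics possible)."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None

def report(flows, beacon_threshold=0.1):
    """Group unexpected flows per (src, dst, port); label regular timing as a beacon."""
    groups = defaultdict(list)
    for f in unexpected_flows(flows):
        groups[(f["src"], f["dst"], f["port"])].append(f)
    findings = []
    for (src, dst, port) in sorted(groups):
        members = groups[(src, dst, port)]
        score = beacon_score([f["ts"] for f in members])
        findings.append({
            "src": src, "dst": dst, "port": port,
            "count": len(members),
            "bytes": sum(f["bytes"] for f in members),
            "beacon": score is not None and score < beacon_threshold,
        })
    return findings

if __name__ == "__main__":
    for finding in report(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

Run against the constructed records, the hourly sessions from 10.0.0.2 to 203.0.113.9 are reported as a beacon (inter-arrival times within a few seconds of 3600), the irregular SSH sessions from 10.0.0.3 to 192.0.2.77 are reported but not as a beacon, and the vendor-mirror traffic is not reported at all. The threshold of 0.1 is a starting point; tune it against your own baseline, and feed the findings into the same audit trail you keep for user anomalies.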

I'll end this post with the words of Scott Aken, a former FBI special agent who worked counterintelligence on cyber espionage cases. As reported by Dark Reading, while the content of the House Intelligence Committee's report comes as no surprise to the intelligence community, it's a significant message to the general public.

"Cyber espionage is certainly going to continue for [our] lifetimes. By making this a well-known issue to those outside the U.S. government, now U.S. companies can make better decisions on who they purchase [equipment] from. To me, it's really important because this is the first time they are letting the general public know what maybe those in the intelligence community and DoD (Department of Defense) already know," Aken says.

As fellow members of the security community, we should consider ourselves warned.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.
