Guest Blog // Selected Security Content Provided By Sophos
10/11/2012 03:12 PM
Dark Reading

Finding Against Chinese Firms Has Lessons For Security Professionals Beyond Mere Avoidance

Sometimes the biggest threats to data security hide in plain sight

As has been widely reported this week, the U.S. House of Representatives issued a report that recommends that Chinese firms Huawei and ZTE should be barred from the U.S. market because their products could be used to undermine domestic cyber security. But what are the implications for day-to-day security for the rest of us?

Yes, there's the familiar dialogue around protectionism. This is a subject with which I have some knowledge and experience. In 2007-2008 I was a contract writer for 3Com Corporation, which was updating its website in anticipation of acquiring certain assets (e.g., routers and other infrastructure-related hardware) from the company's joint venture with Huawei. Known as H3C (Huawei-3Com), this venture eventually came to the attention of Washington legislators, who voiced concerns (even then) about a Chinese company with ties to the People's Liberation Army gaining a foothold in a networking equipment company. (Of course, in 2009, 3Com was instead acquired, and a year later fully absorbed, by Hewlett-Packard.)

According to a report in eWeek, the U.S. isn't the only country to express concerns about Huawei and ZTE. The UK and Australia have put restrictions on how the companies may operate within their borders. New Zealand is in the process of implementing similar restrictions. A former French defense secretary has strongly recommended that both companies be banned across Europe.

And earlier this year, in a report by the Office of the National Counterintelligence Executive (ONCIX), China was identified as the most active and persistent economic espionage actor.

There's another dimension to the report as well: state-sponsored espionage will likely continue unfettered by the actions (or, more precisely, the words) of any Congressional body of inquiry. Given what we already know about the makeup of crime syndicates, I think it's probably an uncomfortable truth.

So let each side sort all of that out, along with what it means for geopolitical and trade relations between the U.S. and China. Instead, let's examine what all this means from a strict security standpoint (allowing, of course, that many of these recommendations apply to circumstances not directly associated with this "China question").

Malware and spyware don't always originate from external sources. While the House committee's report could not find a "smoking gun" in its investigation of Huawei or ZTE, it's important to realize and respect that malware and spyware can be seeded in infrastructure such as switches, servers and routers before they're ever turned over to a customer. In turn, the information collected can presumably be transmitted, without the customer noticing, to bad actors or anyone else interested in capturing confidential data. Additionally, to mitigate backdoor threats, always keep your devices up to date with all current patches.

Sometimes the biggest threat comes from those hiding in plain sight. You're a responsible information security professional who's diligent, who monitors your network continuously, and who audits instances of viruses, Trojans, spyware and the like that threaten the integrity of your network and its data. Still, if the vendor you're buying your network equipment from is reputed to be a bad actor, then you may have inadvertently placed your company and its data assets at risk. And the effect could be insidious as well as long-term, since you may not be aware until it's too late that your data is already being bought and sold offshore and leveraged against you. In short, always take a global as well as a holistic view of security. It's to no one's benefit, including yours, to put on blinders, roll the dice and hope for the best.

Suspicion and vigilance are not mutually exclusive terms. There's a certain ideology that has surfaced recently in the security world which says that, no matter what you do, you will suffer a breach, and you need to figure out how you're going to deal with it. But temper that view with reality. Don't apply security measures and assume they will be perfect. Part of your security program must be to prepare for what you will do in the event of a breach. Your posture is neither all defense nor all breach response all of the time; you need both. In fact, a healthy dose of suspicion and vigilance helps to keep you sensitized to any and all changes on your network. Maintain an approved vendor list and keep it updated. Track, audit and report on anomalous behavior, whether by users or by your infrastructure equipment. And be aware that hardware from OEM suppliers is often rebranded before you see it, which can obscure its source and potentially amplify its risk to you.

I'll end this post with the words of Scott Aken, a former FBI special agent who worked cyber-espionage cases in counterintelligence. As reported by Dark Reading, while the content of the House Intelligence Committee's report comes as no surprise to the intelligence community, it's a significant message to the general public.

"Cyber espionage is certainly going to continue for [our] lifetimes. By making this a well-known issue to those outside the U.S. government, now U.S. companies can make better decisions on who they purchase [equipment] from. To me, it's really important because this is the first time they are letting the general public know what maybe those in the intelligence community and DoD (Department of Defense) already know," Aken says.

As fellow members of the security community, we should consider ourselves warned.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.
