The Chinese are coming! The Chinese are coming!
Thanks to headlines splashed over every major newspaper in recent weeks, you'd be hard-pressed to miss the news that digital forensic investigation firm Mandiant has blamed People's Liberation Army (PLA) Unit 61398, a Chinese military cyber operations group, for launching advanced persistent threat (APT) attacks against over 140 businesses and government organizations since 2006.
Clearly, the panic button has been pushed. But as happens too often with outbreaks of sudden or uncontrolled anxiety, it misses the point: Don't worry about China. Worry instead if the pitiful state of your information security defenses will allow any attacker to wield nothing more than malicious email attachments to steal valuable intellectual property or even state secrets.
"The Chinese are like the Kardashians," says John Pescatore, a former Gartner analyst who last month joined the SANS Institute as director of emerging security trends, speaking by phone. "There are thousands of attacks and many are just as clever, using the same techniques -- before we saw them in Chinese attacks. But you mention China in an attack, and every radio or news station picks it up."
[ There are lessons to be learned everywhere you look. Read S.C. Security Blunders Show Why States Get Hacked. ]
The folly of the Chinese blame game has been quickly seized upon by information security experts. "If you know that the People's Liberation Army is spying on you, do you change your defenses? How? Do you look for Chinese language intrusion prevention tools?" said Alan Paller, director of research for SANS, in a recent newsletter.
"The continuous China bashing simply reflects the inability of watchers to see evidence of the stealthier attacks coming from many nations that may take a different approach to penetrating our telecommunications and banking and power systems and stealing our national wealth," he said. "The number of bad actors, spread among nations, terrorists, anarchists and criminals, is so great that their identity is not as important as what we do to defend our systems -- because they usually exploit the same weaknesses."
No doubt some of the China-bashing stems from outrage over the perception that business ideas are being stolen from American entrepreneurs who spent their own time and money to develop them. "China, France, and several other countries have been known -- for dozens of years -- to do government-sponsored industrial espionage," says Pescatore. "The U.S. tends to not do that. We do intelligence collection as a country. We may or may not have been part of Stuxnet, where cyber is used in the name of national defense. But the U.S. has never been one to say, 'Let's go help U.S. industry by helping to spy on Huawei,' for example."
The crux of the matter, however, is that without robust information security practices, your network can be owned by anyone from a hacktivist group or angry ex-employees to online criminal gangs and foreign intelligence services. The point isn't who owned you, but rather that despite the prevalence of known -- and cost-effective -- defenses against these types of attacks, you failed to protect your business.
Take last week's news that Apple, Facebook, Microsoft and Twitter were all compromised by attackers who gained access to a third-party iOS development website, then used it to infect visitors' Mac OS X systems via drive-by malware attacks against a zero-day vulnerability in Java. Twitter's systems were compromised, and 250,000 user accounts exposed. Facebook, meanwhile, said it saw suspicious activity on its network, which it traced back to developers' Mac OS X systems, which led to a security lockdown. Apple and Facebook haven't said what attackers did or didn't access, except to say that it doesn't seem to have included user data. Still, score "one" for their information security defenses.
Who attacked the tech giants? From a defensive standpoint, it doesn't matter. The point is that the businesses managed to defend themselves relatively well. Now it's up to other businesses to follow their example.
Hacking is far too easy -- more than 90% of targeted attacks succeeded using only the most basic of exploits. Then again, only 3% of breaches would have required expensive or complicated defenses to stop. Those statistics come from a recently released report, "Raising the Bar for Cybersecurity," written by White House cyber security advisor Jim Lewis, of the Center for Strategic and International Studies (CSIS).
To create better information security defenses, Lewis says businesses should look to Australia's Defense Signals Directorate (DSD), which together with the National Security Agency compiled a list of 35 techniques which block over 85% of all known attacks.
Don't worry from the start about all 35 countermeasures. Instead, Lewis says, most targeted attacks can be stopped using just four techniques: application "whitelisting" to only allow approved applications to run on any PC or server, rapidly patching both operating systems and applications, and minimizing the number of administrator-level accounts.
"Agencies and companies implementing these measures saw risk fall by 85% and, in some cases, to zero," says Lewis.
SANS has launched a related effort -- helmed by former NSA official Tony Sager and Pescatore -- to drive businesses to adopt these countermeasures. "What we as a community must do is identify the barriers that stop broad based adoption of these defenses and lower them," says Paller, who's called on information security experts to email SANS ("[email protected]") with the top barriers they're currently facing.
For the rest of us, let's judge businesses' information security efforts based not who might be attacking them, but how well they defend themselves. "If you close the vulnerability, you keep out the Chinese APT attacker, Russian organized crime, Anonymous group and the pissed-off teenager," says Pescatore. "Because there are a whole lot more cyber criminals than there are countries of China."