Sunday, November 18, 2012

Fear and Loathing in China - U.S.-China Economic and Security Review Commission

If you haven't heard the 2012 REPORT TO CONGRESS of the U.S.-CHINA ECONOMIC AND 
SECURITY REVIEW COMMISSION is out. I've read through some of it and thought it would benefit the InfoSec community to highlight some of the key points (at least to me) of what I've read. 

The first thing that struck me was the branding of the attacks as "advanced persistent threats". It had all the signs of a marketing campaign from * security vendors. At one point this sentiment is stated:

"Anecdotally, Chinese hackers’ sophistication may fall short of their counterparts in Russia or elsewhere, but some indicators suggest improving skills. Obscuring the matter is a notable capability gap between various Chinese actors and a common practice of expending the minimum amount of effort necessary to compromise a target. This includes the utilization of widely available tools and known exploits, which require less skill than original or customized exploitation methods."
I interpret this as them adjusting their tactics as we adjust ours, cat and mouse game. They don't need another king when the pawns are doing just fine. Like any good chess player they are already planning their future moves.

"The PLA does not have a deep reservoir of personnel able to manage sophisticated information systems. Chinese military leaders, however, recognize this weakness and intend to develop a pool of soldiers who can conduct or plan joint military operations, manage information systems and cyber technology, and use or maintain advanced weapon systems.The PLA’s goal is to achieve this expanded pool of personnel by 2020."
After reading more of this I start to see their desire for more talent not as a weakness but as a sign of their success. We've all read countless stories proving this. Take NASA for example, I've been reading about them getting hacked for the last decade (ok actually more than that, remember The Cuckoo's Egg).

"For example, the National Aeronautics and Space Administration (NASA) in February disclosed a series of penetrations against its networks. According to testimony to the House Committee on Science, Space, and Technology, Subcommittee on Investigations and Oversight, from Paul K. Martin, NASA inspector general: In FY [fiscal year] 2011, NASA reported it was the victim of 47 APT [Advanced Persistent Threat] *  attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees—credentials that could have been used to gain unauthorized access to NASA systems. Our ongoing investigation of another such attack at JPL [Jet Propulsion Laboratory] involving Chinese-based Internet protocol (IP) addresses has confirmed that the intruders gained full . . . functional control over these [JPL] networks."

I can't help but think that our approach to tackling this problem is done with poor strategy.  I say this because the approach taken to fight this is analogous to that of the local fire department 20-years ago. Even today many of us still rely on the smoke detectors known in IT as antivirus or customers calling the helpdesk (911) reporting viruses.  A big difference is that our "smoke detectors" can only alert on a fraction of fires.

I certainly don't have the cure all answers for this problem but I do know that equal focus needs to be placed in preventing the execution of malicious software as we typically place in detecting them. More attention to application privileges and managing them needs to be addressed. This problem is not going away and is only getting worse. On the bright side, tomorrow is monday ;)