Chinese government supports citizen hacking
18 March 2014
The Chinese government can sponsor and support citizen hacking, but it cannot control it. That was one of the assertions made by retired US Marine Lieutenant Colonel William Hagestad at the Secure Computing Forum 2014.
In its second year, the DataSolutions forum 2014 focused on security and privacy, and the balance between the two.
Hagestad is an author, IT security expert and acknowledged authority on China and its cyberespionage capabilities, and asserts that Chinese cyberespionage poses a credible threat to many organisations that wish to do business in China. In his presentation, he said that cyberespionage, while state-sponsored in China, is nearly impossible to attribute directly, but that the Chinese government has both offensive and defensive capabilities in the area.
More worrying was the fact that, according to Hagestad, “all commercial intrusion prevention systems (IPS) are ineffective against Chinese cyberattacks”. Furthermore, he said that much of the malware, remote access tools (RAT) and botnet-borne attacks used by state-sponsored Chinese hackers are virtually undiscoverable with current commercial tools.
He also asserted that commercial organisations that engage in commercial partnerships with Chinese companies will, almost invariably, be putting their own intellectual property (IP) at risk.
Getting slightly more granular, Dr Robert Griffin, chief security architect, RSA Security, warned that it is important, in defending against one type of attacker, not to disregard others.
Dr Griffin went on to say that along with the changing nature of attackers, the campaigns that they execute are changing too.
“Destructive attacks are now becoming a feature of campaigns, as well as disruptive attacks,” said Dr Griffin, indicating that real damage is now a feature in many campaigns, as opposed to mere disruption and downtime.
While praising the capabilities of analytics and intelligence in determining the nature, scope and effectiveness of threats, he warned against a singular focus in the area.
“It is quite dangerous to focus just on analytics in security.”
Michael Schrenk, author, internet strategist and developer, outlined the concept of privacy for an organisation. He highlighted how an organisation, through web site information, job advertisements and ill-considered written materials can give away information which can be of use to a hacker in crafting an attack.
Schrenk said that an organisation must think holistically about what information it makes publicly available, allowing various departments to review it and pass it as appropriate — what one department sees as acceptable for general consumption, another may find objectionable.
One of the most thought-provoking speakers on the day was Dr Ciaran McMahon, R&D Coordinator, RCSI Cyberpsychology Research Centre. As a psychologist, Dr McMahon posed the question of why we care about privacy, from an online perspective.
Dr McMahon argued that we tend to treat our online identity as an extension of ourselves and thus we become territorial about it. He argued that this is why we often see certain irrational behaviours from people online, as the threat to identity online, whether through identity theft, misuse or abuse, often elicits deeply emotional responses, akin to primal defensive actions.
Dr McMahon said that further research is needed in the area, but much evidence from his personal work, as well as other studies, points in this direction.
Keith Bird, managing director UK and Ireland, Check Point, outlined the concept of Software Defined Protection (SDP), which is a blueprint for security architecture.
SDP is described as a three-layer security architecture comprised of enforcement, control and management layers.
“This framework decouples the control layer from the enforcement layer, enabling robust and highly-reliable enforcement points that obtain real-time protection updates from a software-based control layer. SDP converts threat intelligence into immediate protections and is managed by a modular and open management structure,” according to Check Point.
SDP is not proprietary technology but rather an approach to a new architecture to meet emerging security needs, and Bird advocated its adoption to provide a new basis from which to develop the next generation of security tools.
Andrew Harbison, director and head of litigation, Technology, Grant Thornton, gave an interesting legal perspective on security and privacy. Focusing on the end user in enterprise, he argued that it was not necessarily the job of security measures to be unobtrusive.
“Security should damn well get in the way of users doing their job,” said Harbison. Continuing the point, he argued that “security should not be afraid to get in the way where it needs to.”