Pirated Software and Network Segmentation

July 17, 2017

Global financial services enterprises face a complex web of risk management challenges.
Sometimes finding the right grain for security controls can be a difficult problem.
This can be especially problematic when there is a tendency to attribute specific risks to cultures or nations.

A couple of months ago I read a short article on how WannaCry ransomware impacted organizations in China. Recently, while responding to a question about data communications connectivity and segmenting enterprise networks, I used some of the factoids in this article. While some propose material “savings” and “agility” enabled by uninhibited workforce communications and sharing, the global financial services marketplace imposes the need for rational/rationalized risk management and some level of due diligence evidence. Paul Mozur provides a brief vignette about some of the risks associated with what seems like China’s dependence on pirated software. Mr. Mozur argues that unlicensed Windows software is not being patched, so the vulnerability ecosystem in China is much richer for attackers than is found in societies where software piracy is less pronounced. Because of the scale of the issue, this seems like a valid nation-specific risk — one that might add some context to some individuals’ urges to enforce China-specific data communications controls.

Again, there is no perfect approach to identifying security controls at the right grain. Story-telling about risks works best with real and relevant fact-sets. This little article may help flesh out one facet of the risks associated with more-open, rather than more-segmented, data communications networks.

REFERENCES:
“China, Addicted to Bootleg Software, Reels From Ransomware Attack.”
https://mobile.nytimes.com/2017/05/15/business/china-ransomware-wannacry-hacking.html


FBI Director James Comey on Some China Risks

October 5, 2014

For a variety of reasons, it is often a challenge to generate the appropriate level of information security awareness in executive leadership.
For some this has been especially true when the issues are associated with nation-state actors or a given culture.

For enterprises extending their operations into China, it may be difficult to build an effective risk-management message in the face of the virtually-intoxicating potential for growth and profit.

In that context, a recent interview with FBI Director James Comey included some unambiguous statements that might be helpful in framing some of the risks of integrating or extending your Financial Services operations into China. The interview was aired on the October 5, 2014 episode of 60 Minutes.

Scott Pelley: What countries are attacking the United States as we sit here in cyberspace?

James Comey: Well, I don’t want to give you a complete list. But I can tell you the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry.

Scott Pelley: What are they trying to get?

James Comey: Information that’s useful to them so they don’t have to invent. They can copy or steal so learn about how a company might approach negotiation with a Chinese company, all manner of things.

Scott Pelley: How many hits from China do we take in a day?

James Comey: Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.

Scott Pelley: The Chinese are that good?

James Comey: Actually, not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.

Scott Pelley: How much does that cost the U.S. economy every year?

James Comey: Impossible to count. Billions.

The entire transcript is available at:
http://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/

REFERENCE:

Other Completosec Channel blog entries on this topic:
https://completosec.wordpress.com/category/china/


Third-Party Security Assessments – We Need a Better Way

July 6, 2014

“According to a February 2013 Ponemon Institute survey, 65% of organizations transferring consumer data to third-party vendors reported a breach involving the loss or theft of their information. In addition, nearly half of organizations surveyed did not evaluate their partners before sharing sensitive data.” [DarkReading]

Assessing the risks associated with extending Financial Services operations into vendor/partner environments is a challenge.  It often results in less-than-crisp indicators of more or less risk.  Identifying, measuring, and dealing with these risks with a risk-relevant level of objectivity is generally not cheap and often takes time — and sometimes it is just not practical using our traditional approaches.  Some approaches also only attempt to deal with a single point-in-time, which ignores the velocity of business and technical change.

There are a number of talented security assessment companies that offer specialized talent, experience, and localized access virtually world-wide.  The challenge is less about available talent than about time/delay, expense, and the risks that are sometimes associated with revealing your interest in any given target(s).

There are also organizations which attempt to replace a repetitive, labor-intensive process with a non-repetitive, labor-saving approach that may reduce operational expenses and may also support some amount of staff redeployment.  The Financial Services Round Table/BITS has worked toward this goal for over a decade.  Their guidance is invaluable.  For those in the “sharing” club, it appears to work well when applied to a range of established vendor types.  It is also, though, a difficult fit for many situations where the candidate vendor/partners are all relatively new (some still living on venture capital) and are still undergoing rapid evolution.  Some types of niche, cloud-based specialty service providers fall easily into this category.  The incentive to invest in a “BITS compliant” assessment for these types of targets seems small, and any assessment’s lasting value seems equally small.

Some challenges are enhanced by increasing globalization – for example, how do we evaluate the risks associated with a candidate vendor that has technical and infrastructure administrative support personnel spread across Brazil, Costa Rica, U.S. East & West coasts, Viet Nam, China, India, Georgia, Germany, and Ireland?  Culture still matters.  What a hassle…

None of that alters the fact that as global financial services organizations we have obligations to many of our stakeholders to effectively manage the risks associated with extending our operations into vendors’ environments and building business partnerships.

When the stakes are material – for example during merger or acquisition research – it is easy to understand the importance of investing in an understanding of existing and candidate third-party risks.  There are many other situations where it seems “easy” to understand that a third party security assessment is mandated.  Unfortunately, not all use cases seem so universally clear-cut.

When we are attempting to evaluate platform or vendor opportunities, especially when in the early stages of doing so, the time and expense associated with traditional approaches to full-bore third-party risk assessments are a mismatch.  Performing third-party risk assessments in-house can also reveal sensitive tactical or strategic planning which can negatively impact existing relationships, add unnecessary complexity to negotiations, or, in edge cases, even disrupt relationships with key regulators.  As an industry, we have got to get better at quick-turn-around third-party risk assessments that are “good-enough” for many types of financial services decision-making.

For years, “technicians” have been evaluating Internet-facing infrastructure for signals of effective technology-centric risk management practices – or for their absence.  Poorly configured or vulnerable email or DNS infrastructure, open SNMP services, “external” exposure of “internal” administrative interfaces, SSL configurations, public announcements of breaches, and more have been used by many in their attempts to read “signals” of stronger or weaker risk management practices.  A colleague just introduced me to a company that uses “externally-observable” data to infer how diligent a target organization is in mitigating technology-associated risks.  Based on a quick scan of their site, they tell a good story.*  I am interested in learning about anyone’s experience with this, or this type of service.

*I have no relationships with BitsightTech, financial or otherwise.
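The “externally-observable” signals mentioned above can be read from your own organization’s public DNS before anyone else does it for you. The following added example (not code from the post, from BITS, or from any rating vendor) scores SPF and DMARC posture from a set of constructed TXT records for hypothetical domains; the domain names, records, and scoring thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample TXT records for hypothetical domains (not real DNS data).
# Keys are the DNS names that would be queried; values are the TXT strings returned.
SAMPLE_RECORDS = {
    "good.example": {
        "good.example": ["v=spf1 include:_spf.mail.example -all"],
        "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    },
    "weak.example": {
        "weak.example": ["v=spf1 ip4:192.0.2.0/24 ?all", "unrelated site-verification text"],
        "_dmarc.weak.example": ["v=DMARC1; p=none"],
    },
    "missing.example": {
        "missing.example": [],
    },
}


def parse_spf(txt_records):
    """Return the first SPF record among the TXT strings, or None."""
    for record in txt_records:
        if record.lower().startswith("v=spf1"):
            return record
    return None


def spf_terminal(spf):
    """Qualifier on the 'all' mechanism: '-', '~', '?', '+' (default) or None if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    if not match:
        return None
    return match.group(1) or "+"


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'reject'}), or None."""
    for record in txt_records:
        if record.lower().startswith("v=dmarc1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(domain, records):
    """List weak-posture findings for a domain; an empty list means no findings."""
    findings = []
    spf = parse_spf(records.get(domain, []))
    if spf is None:
        findings.append("no SPF record")
    else:
        qualifier = spf_terminal(spf)
        if qualifier in ("+", "?", None):
            # Neutral, pass-all, or no terminal mechanism: spoofed mail is not rejected.
            findings.append("SPF does not reject unauthorized senders (%s)" % (qualifier or "no all"))
        elif qualifier == "~":
            findings.append("SPF softfail only")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC policy is p=none (monitor only)")
        elif policy == "quarantine":
            findings.append("DMARC policy quarantine, not reject")
    return findings
```

Run against live DNS, the same functions would take the TXT strings returned by a resolver for your own domains; a non-empty findings list is the kind of signal a rating service would read as weaker risk management.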

 

REFERENCES:

“BitSight Technologies Launches Information Security Risk Rating Service.” 9/10/2013
http://www.darkreading.com/bitsight-technologies-launches-information-security-risk-rating-service/d/d-id/1140452?

“Bits Framework For Managing Technology Risk For Service Provider Relationships.” November 2003 Revised In Part February 2010.
http://www.bits.org/publications/vendormanagement/TechRiskFramework0210.pdf

Shared Assessments.
https://sharedassessments.org/

The company a colleague mentioned to me…
http://www.bitsighttech.com/


Infrastructure and Integration, Culture Matters

December 17, 2013

A recent 60 Minutes episode highlighted an NSA staffer describing a Chinese plot to “take down” the U.S. financial system using social engineering & a firmware update to brick the computers that support all economic activity.  The story received a lot of unflattering attention (Google it).  The broader piece about recent NSA data-gathering and spying also seemed less like news than an advertisement.  This has resulted in a lot of attention on the nature of the story and the likelihood that there is material distance between the themes highlighted by the CBS report and the behaviors of NSA staff and leadership.  So, why should we care?

There are many reasons.  One assumes that many in our industry receive “news” via feeds & tweets — which must radically distill stories down to a very few words.  Many senior decision-makers “grew up” with news shows like 60 Minutes and have sensors tuned to content from its brand.  So, that channel can deliver messages to financial services leaders in ways many others can’t.

Later in the December 15th 60 Minutes broadcast was a report about the Chinese telecommunications equipment giant “Huawei.”  It could have been a useful reminder that infrastructure matters in global Financial Services risk management.  Global data communications networking makes decision-making about ‘inside’ & ‘outside’ and what or whom to trust much more complex and challenging.  Culture matters.  Nation-state behaviors matter.  The scale and scope of Financial Services operations make it an attractive target for intellectual property theft.  We all need to continue to enhance our understanding of threats associated with infrastructure purchasing and integration, as well as with extending our operations using partners and massive shared ‘cloud’ infrastructure.

REFERENCES

“Update on Huawei.” Dec. 15, 2013 http://www.cbsnews.com/videos/update-on-huawei/

“Chinese telecom giant eyed as security threat.” Oct. 05, 2012, http://www.cbsnews.com/news/chinese-telecom-giant-eyed-as-security-threat/

 


Symantec Report Highlights Hidden Lynx Threat to Financial Services Enterprises

September 25, 2013

Last week researchers at security vendor Symantec released a whitepaper attempting to describe the nature and activities of a group of advanced, professional attackers working out of China, dubbed the Hidden Lynx team.

They report that Hidden Lynx offers a ‘hackers for hire’ operation that has stayed busy the last four years stealing specific information from a wide range of corporate targets.  Symantec says that Hidden Lynx activities display skill-sets far above some other attack groups also operating out of China — for example the Comment Crew (aka APT1) — and adds that they are “breaking into some of the best-protected organizations in the world.”

Hidden Lynx has targeted hundreds of organizations worldwide since November 2011.  Financial services organizations (not commercial banks) have been the vertical targeted most often by this group, amounting to almost 25% of the top 10 targeted industries.  In that same period, they also hit targets in the United States almost 53% of the time.

Symantec’s analysis suggests that Hidden Lynx is “tasked with obtaining very specific information that could be used to gain competitive advantages… It is unlikely that this organization engages in processing or using the stolen information for direct financial gain.”

When Symantec looked at Hidden Lynx’s large scale attacks, the focus on Financial Services increased, amounting to 30% of their attacks.

The key conclusion offered by Symantec is that “cyber-espionage campaigns are becoming increasingly common,” and that “these attacks are becoming increasingly sophisticated.”

We can take steps to help resist attacks like those by Hidden Lynx and keep valuable information from falling into their hands. The key is to take those steps! Work with your information security consultants.  Protect all endpoints, yours included, from malware.  Use ‘safe’ web filtering services. Train your workforce to resist social engineering through all communications channels, including your browser.  Incorporate secure software practices into all of your business application investments.  Insist on secure infrastructure configurations and practices.

REFERENCES:

“Hidden Lynx – Professional Hackers for Hire.”
By Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, and Jonell Baltazar.
Version 1.0 – Sept 17, 2013
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf

“Hidden Lynx – Professional Hackers for Hire.”
http://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire
17 Sept 2013

“Hidden Lynx and MSS protection.”
http://www.symantec.com/connect/blogs/hidden-lynx-and-mss-protection
18 Sept 2013


China Cyber-Threat Again Highlighted

February 19, 2013

Responding to the buzz generated by the release of a new evidence-rich report on China’s cyber threat actors by Mandiant, a pair of articles today point out again China-sourced cyber-threats to businesses.  Financial services is a global enterprise.  Virtually all financial services organizations are attempting to enter China markets and are pursuing investments in China in order to better diversify their portfolios and offer their customers opportunities throughout Asia.

The report by Mandiant and signals from the U.S. government remind us again that it is important to resist the types of attacks that seem to continue out of China.  Mandiant documented that the China-based hostile actors have systematically stolen hundreds of terabytes of data from at least 141 organizations.  The White House specifically highlighted that this threat was directed against Financial Services organizations, among others.

Writers at The Washington Post said that the recent “Mandiant report echoed a classified National Intelligence Estimate by the U.S. intelligence community that concluded that China was the most aggressive perpetrator of a massive campaign of cyber-espionage against commercial targets in the United States.”

Writers in the Wall Street Journal added that:

“U.S. officials said the allegations in the Mandiant report come as no surprise and build on other evidence of cyber infiltration.

A 2011 intelligence report publicly accused China of a role in cyberattacks. More recently, a U.S. assessment known as a National Intelligence Estimate, which remains classified and hasn’t been released, cited the Chinese government as being behind pervasive cyberthefts resulting in the loss of intellectual property, according to people who have read it.”

Bringing value to China appears to come at a material risk.  Can you afford to lose your risk models?  Your fraud analysis engines? Your portfolio management tooling?  Your investing strategies?  We all have material investments in highly-portable intellectual property.  Protect it from known threats as a demonstration of threshold due diligence.

At a minimum, ensure that you have employed the full spectrum of threat-resisting technology and process that is already in hand in every financial services organization. Ensure that your protective layers overlap and compensate for each other, and do so throughout your infrastructure, not just at the Internet edge. Plan for and fund enhancement of your detective, preventative, corrective, and compensating control capabilities — as the issue of persistent “world-class” state-sponsored hostile actors appears to be with us for the foreseeable future.

REFERENCES:

“Mandiant Intelligence Center Report — APT1: Exposing One of China’s Cyber Espionage Units.”
http://intelreport.mandiant.com/

“Report ties cyberattacks on U.S. computers to Chinese military.”
By William Wan and Ellen Nakashima; 02-19-2013
http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html

“U.S., China Ties Tested in Cyberspace.”
By JULIAN E. BARNES and SIOBHAN GORMAN in Washington and JEREMY PAGE in Beijing; 02-19-2013
http://online.wsj.com/article/SB10001424127887323764804578314591857289004.html

Updated to include the following reference on 04-15-2013:
“contextChina’s Guide to Understanding Recent News on Chinese Hackers.”
By  , 02-22-2013
http://contextchina.com/2013/02/contextchinas-guide-to-understanding-the-recent-news-on-chinese-hackers/


Risks Are High For Extending Financial Services into China

February 18, 2012

The economic trajectory of 1.3 billion Chinese has Western financial services leadership giddy.  They project oceans of profits generated through services to China’s growing middle class and wealthy elites.  Shareholders read about our corporations’ efforts to plumb critical hubs of their global operations into Chinese joint ventures, and seem to support leaders’ optimism.  In the rush for earnings, systems are rapidly being integrated across virtually all lines of personal and corporate finance.

In many situations, this vision seems out of phase with guidance from seasoned financial services security and risk management professionals.  All material players in global financial services distinguish their organizations from the competition through their market reach and human capital.  Some also tout the value of their brand or their access to non-human capital.  But a key differentiator remains proprietary business rules, investment analysis and operations platforms, and data.  These foundational assets exist in highly-portable digital form and cannot be replaced or easily re-factored if they are stolen.  It is already difficult and expensive to resist targeted cyber-attacks, many of which emanate from China.  Casually extending financial services infrastructure into China is an elevated-risk gamble — of a magnitude rarely undertaken even by the most aggressive of our peers.  Plan to lose some of these bets as core intellectual property and data are appropriated into our Chinese competitors’ operations.

This should not be new news…

After years of reticence to engage the issue, it seems like the U.S. government is now changing course and attempting to help engage U.S. businesses in efforts to more effectively address some of the risks associated with Chinese cyber-threats.  Last fall House Intelligence Chairman Mike Rogers (R-MI) accused China of widespread cyber economic espionage.  Chairman Rogers said, “China’s economic espionage has reached an intolerable level…”

Late last month three individuals in positions to have extensive, long-running access to secret intelligence concerning cyber-threats against United States targets released an opinion column in the Wall Street Journal titled: “China’s Cyber Thievery Is National Policy—And Must Be Challenged.”  The piece was written by Mike McConnell (Director of the National Security Agency 1992-1996, and Director of National Intelligence 2007-2009), Michael Chertoff (Secretary of Homeland Security from 2005-2009), and William Lynn (Deputy Secretary of Defense 2009-2011).  Their central message was that “The Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world’s most active and persistent practitioners of cyber espionage today.”

Reporting on the topic, NPR’s Tom Gjelten quoted Mike McConnell: “We know, and there’s good evidence … of very deliberate, focused cyber espionage to capture very valuable research and development information, or innovative ideas, or source code or business plans for their own advantage.”  Writing about the WSJ column on the topic, Gjelten went on to write that “One reason they were anxious to publicize China’s cyber espionage was to counter those who claimed there was little concrete evidence to link the Chinese definitively to major hacking activity.”

Attackers from China have been conducting sustained, coordinated, covert intellectual property and sensitive financial information thefts against corporations, in some cases for years.  There are powerful forces influencing the dialog on this topic.  With few exceptions, representatives of companies doing business in China seem to have a pattern of stumbling whenever asked to discuss this topic in public.  As leaders in global financial services organizations intensify their focus on extracting value from Chinese markets, we need to ensure that sufficient fact-based risk management influence is applied to technology, infrastructure, operations, and information security decision-making.

References:
“US lawmaker: China cyber espionage ‘intolerable.'”
October 4, 2011, Susan Cornwell, Reuters.
http://www.reuters.com/article/2011/10/04/us-usa-china-cyber-idUSTRE7934L220111004

“China’s Cyber Thievery Is National Policy—And Must Be Challenged.”
January 27th, 2012, Wall Street Journal.
http://online.wsj.com/article/SB10001424052970203718504577178832338032176.html

“U.S. Not Afraid To Say It: China’s The Cyber Bad Guy.”
February 18, by Tom Gjelten, National Public Radio
http://www.npr.org/2012/02/18/147077148/chinas-hacking-of-u-s-remains-a-top-concern

