Chinese government behind Chinese hack-a-thon...really?

Josh Beckett

The Pentagon has come out and stated the obvious. When listening to this story this morning on NPR, the immediate thought that came to me was, "Yeah, well, what are you going to do now?" Of course, the interviewer asked that very question and the interviewee burbled and hemmed and hawed. No real answer. What can you do in a war that is not fought on a physical battlefield with physical weapons, but inside of computers?


Of course the Chinese government denied the whole thing and said that this isn't helping relations.  Thus the political game is played, much like chess.  An obvious move with a pawn is countered with an equally obvious response.

There was a more troubling aspect to the radio version of the story, where the economics of doing business with Chinese firms were discussed. As you might expect, the point was brought up that US firms find it difficult to stay out of the burgeoning Chinese economy. The temptation is just too great. Many regard staying out of the Chinese market as simply too costly when weighed against the risk of being hacked.

You will get better odds in Las Vegas

Here is the reality of it. You will get better odds with your money at a craps table in a Las Vegas casino than gambling and doing business in China. Considering the all-out warfare that is currently happening on the cyber battlefields between China and the rest of the world, your odds of surviving are as near zero as you can calculate. You may make some money in the short run, but you will lose everything in the end.

I heard a talk at the RSA USA 2013 security conference back in February that likened the Chinese attack model to an economic model.  The panelist claimed that each attack represented an investment by the attacker, whether large or small, that could be countered in terms of economics.  The more sophisticated the attack, the more expensive it was to develop.  The more costly to develop, the more important for you to counter, in order to increase the cost on the bad guy for coming after you.  It makes sense up to a point.

When a growing economy has a vast labor pool that is eager to learn and advance, it can afford to use you as on-the-job training. Even while learning the basics of security attack strategies, the cheap and easy attacks, its trainees still stand a chance of success with real-world money in play. That makes for a very affordable internship when you consider that such cheap attacks can be pointed at just about any company on the internet and its pool of intellectual capital.

Practiced Response

I've been asked the question before about how best to defend against such strategies. Well, it is quite simple. Practice what you know: Incident Response. Get really good at it. Take a page from the emergency response handbook. If there aren't real incidents going on in your company, create drill scenarios to test your incident response plan. Perform periodic tabletop exercises. Assemble representatives from each group that will have to play a role in a corporate-wide incident. Have someone play the role of the incident itself and stand outside of the response group. Give the responders information about what they know and let them respond according to your organizational plan. You do have a plan, don't you? If they respond correctly, reward them with some more information that gives them a clue to the next response that they should be performing. At certain predetermined times, if they get stuck, give specific responders additional information and let them play their role accordingly.

This is what many organizations that have to deal with large-scale incidents, like disasters, do. I'm sure you have read of such drills in your city for large-scale disaster planning. Your response team should engage the drill like a hosted dinner mystery at a friend's house. Try to solve the problem using your incident response plan. Your drill should try to test as many aspects of your plan as possible to engage all parties: Networking, IT Admin, Communications (internal and external), NOC/SOC, Legal, Security Admin (logical rules), etc.

Learn

After the drill is over, be very serious and go over what went well and what didn't go well.  Talk about how you can improve on the things that were problematic.  Learn from your successes and see if there are opportunities to expand on them by spreading those techniques to other parts of the organization.  Find the areas of your plan where more specificity is needed.  Improve!

In times of war everyone has to do their part.  In the dark days of WWII, many civilian organizations helped in any way that they could and practiced doing their part in order to be ready to respond if the war came their way.  This is war.  Make no mistake.  Don't be a casualty of it.
