Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


May 31, 2013

Does the Chinese Government Pose an Advanced Persistent Threat to the United States on the Cyber Security Front?

Folks,

Not a week seems to go by without there being a news headline about the cyber security threat posed to the United States by the Chinese Government.

Does the Chinese Government Pose an Advanced Persistent Threat to the United States on the Cyber Security Front?

The latest slew of headlines allege that the Chinese may have gained access to extensive design information on advanced American weapons. On Friday U.S, Defense Secretary Chuck Hagel said that cyber threats posed a "quiet, stealthy, insidious" danger to the United States and other nations, and called for "rules of the road" to guide behavior and avoid conflict on global computer networks. So, the (rhetorical) question is...


Do the Chinese Pose an Advanced Persistent Threat to the United States on the Cyber Security Front?

Well, let's look at the definition of an Advanced Persistent Threat, courtesy Wikipedia...

"Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack."


Perhaps we should dissect the defintion ...

a group, such as a foreign government - The Chinese government, and more specifically the Communist Party and the People's Liberation Army (PLA) are a foreign government

with both capability and intent - According to Dr. Larry M Wortzel, a retired U.S. Army Colonel, the PLA has developed doctrine and exercised an integrated information warfare capability that can defend military and civilian computer networks while seizing control of an adversary’s information systems in a conflict.

to persistently and effectively target - According to Arthur Herman of the American Enterprise Institute, over the last 30 months, Chinese hackers have targeted Bloomberg News, Google, Hotmail, Yahoo, The New York Times and The Wall Street Journal — as well as the US Chamber of Commerce, then-Secretary of State Hillary Clinton and then-Chairman of the Joint Chiefs of Staff Mike Mullen.

a specific entity - Well, how about not just one but so many specific business and government organizations of the United States of America that have been targeted thus far.


Based on the above, it does seem to the logical mind that the Chinese Government may very well pose an Advanced Persistent Threat to the United States.



An Organized and Structured Cyber War/Espionage Effort?

According to Mark Stokes and his colleagues at the Project 2049 institute, the PLA General Staff Department (GSD), Third Department and Fourth Department are organized and structured to systematically penetrate communications and computer systems, extract information and exploit that information.


Unit 61398?
Their research indicates that cyber operations are a massive effort in China with the GSD Third Department being responsible for monitoring communications, communications security, computer network exploitation, and cyber security for the PLA, and the the GSD Fourth Department being responsible for electronic countermeasures, electronic support measures, gathering electronic intelligence, and probably cyber attack to penetrate information systems and assists in computer network exploitation. There apparently also are militia units that have cyber-related missions for the PLA, and the People’s Armed Police has its own technical reconnaissance unit.
 
According to Mike McConnell, former Director of National Intelligence, Michael Chertoff, former Secretary of Homeland Security; and William Lynn, former Deputy Secretary of Defense, China has a national policy of espionage in cyberspace and is "the world’s most active and persistent practitioner of cyber espionage today"


  
Chinese Attempts to Gather Know-How on Advanced Exploitation Techniques

If you scroll down the Wikipedia page on Advanced Persistent Threats to the APT life cycle section, you'll find the following excerpt: "In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT methodology between 2004 and 2013 that followed similar lifecycle:
  1. Initial compromise — performed by ...
  2. Establish Foothold — plant ... 
  3. Escalate Privileges — use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
  4. Internal Reconnaissance — collect ...
  5. Move Laterally — expand ...
  6. Complete Mission — exfiltrate stolen data from victim's network."
The 3rd step, Escalate Privileges is the defining step that gives a perpetrator administrative access in target IT infrastructures, by virtue of which substantial willful damage can be inflicted.

We happen to know a thing or two about it because we help organizations worldwide prevent the successful enactment of this step in their Active Directory infrastructures, which is where the prized "domain administrator" accounts reside.

We have seen the Chinese attempt to gather information on a specific, advanced exploitation technique / threat related to the escalation of privileges in Windows environments, "Active Directory Privilege Escalation".

We also believe that many business and government organizations may still be vulnerable to such attacks, and we have been privately and publicly helping organizations become aware of the importance of adequately protecting their foundational Active Directory infrastructures, so that any attempts to infiltrate their networks and subsequently escalate privilege to obtain unrestricted administrative access in their internal IT environments can be thwarted.


A Call to Establish Rules of the Road - Is the U.S. Government Scrambling?

The U.S. government would like to see Rules of the Road established for Cyber Security, and it would like the Chinese to adhere to these rules, apparently so as to prevent the continued barrage of cyber security attacks and breaches.



That's very gentlemanly, but with all due respect, that's like Iron Man requesting his adversaries to please not kick him on his knees while engaging in battle, since the armour around his knees is not strong enough yet.

One cannot rely on the presence of rules of the road for protection, especially with the Chinese. What is needed is for our organizations to realize just how serious the threat of cyber security is, and to take immediate steps to adequately bolster their defenses, so as to be resilient in the face of attacks.

I say so because the threat is not only from China. The threat is equally from any other foreign government or a non-national business entity that might have something to gain by compromising or breaching an organization's IT security defenses. Examples include organized mafia, ideological groups, groups engaged in corporate espionage, and even individuals.

By the same token, its not just U.S organizations that are at risk. Business and government organizations in our ally countries, such as the United Kingdom, Canada, Germany, France, Switzerland, the Middle East, India, Australia etc. are all equally at risk.

The challenge with cyber security is that, unlike physical security, which involves clearly definable and defensible borders, it is very difficult to draw boundaries online, and thus very difficult to protect organizations from attackers and attacks.

I do believe that most organizations do want to adequately bolster their defenses, but struggle to determine how to do so efficiently, measurably and provably. My humble suggestion to them would be to begin by establishing their top cyber security priorities, then performing prioritized risk assessments to assess risks and weaknesses, and subsequently determine and implement an adequate set of asset-specific risk mitigation measures aimed at providing comprehensive security at all times.

No organization can ever completely eliminate risk, but they can substantially minimize it.


Time's Up

I could share a lot more, but my 10 minute alarm just rang, so I'm afraid I'll have to end this here.

More next time. Stay tuned. Alright, back to work.

Best wishes,
Sanjay

May 29, 2013

New Coordinates - Cyber Security Blog

Folks,

On April 24 2013, this blog's url changed from www.identitysecurityandaccessblog.com/ to www.cyber-security-blog.com/

Now that might sound like the height of conceit, but there's a very good and selfless reason for that. Allow me to explain.

You see, ideally I would have been happy with something like, say www.justanotherblog.com/. However, when you know a thing or two about security, and you see the likes of Kim Cameron demonstrate the height of conceit by blogging on urls like www.identityblog.com/, you sometimes have to make a point to the Kim Camerons of the world, that there are others, who could shed light on things far more important, and that's what motivated the url www.identitysecurityandaccessblog.com/.



Active Directory Security - A Top Cyber Security Priority
 
As for the new coordinates, Cyber-Security-Blog.com, the reason was simple. There's just so much senseless noise being made by the media regarding cyber security that organizations worldwide are actually missing out on the need to protect the very foundation of their cyber security, their foundational Active Directory infrastructures. So, we decided to acquire that url so we could shed light on the most paramount aspect of cyber security - protecting the very foundation of cyber security itself.

Speaking of foundational security, in case you didn't know, the entire U.S Federal Government and all state governments, virtually all other national and state governments, Microsoft, CNN, Symantec, HP, Dell, etc. all operate on Active Directory.


Active Directory is the Foundation of Cyber Security

In fact, from Wall Street to Fortune 1000, virtually all business and government organizations worldwide operate on Active Directory. So I hope you'll see just how important it is to help them understand that their underbellies are rather soft.

Now, of course, reporters at the CNNs of the world aren't going to tell you that, because even though they too operate on Active Directory, I doubt their reporters have even heard of Active Directory. Or for that matter I wouldn't be surprised if 90% of the world's hackers know anything about it (which is a good thing for us good guys). Its the other 10% that we worry about.

So, you see, the reason is simple - we merely wish to help organizations worldwide understand the importance of protecting their very foundation of security, because even the tallest of skyscrapers are only as strong as its foundation.

Oh, just one more thing.

As for the date April 24, 2013, the reason we made the change that day is because on that day we made an announcement that has far-reaching implications for the cyber security space. On that day, we announced that we had been granted a very important cyber security patent by the United States Patent and Trademark Organizations (U.S PTO.)

You see, security (including cyber security) is fundamentally about access control (i.e. the prevention of unauthorized access to resources), and apart from controlling access, one of the most important aspects of access control is access assessment i.e. being able to assess what access someone effectively has in a system.


The Need to Know Who has Access To What is Paramount To Cyber Security

The patent we were awarded covers exactly that - a method and system for assessing the access that a user effectively has in a system. So you see, that patent has huge implications for the entire cyber security space, because it potentially applies to everything from trying to determine who has what effective access to a web server to who has what effective access to a file residing on a file server, and from determining who has what effective access to data residing in a database to determining who has what effective access to administer an IT infrastructure.

In other words, as you'll hopefully agree, we've hopefully earned the right to stake claim to www.cyber-security-blog.com/.

In weeks to come, you can expect some insightful perspectives on the subject.

Best wishes,
Sanjay