4 Ways to Defend Against Nation-State AttacksEnterprises Challenged to Safeguard IT from Chinese, Others
With reports - the latest one issued this past week from the Defense Department - that document the Chinese military and government targeting key government, military and business computer systems in the United States and elsewhere, operators of those systems face a challenge of defending their IT assets [see DoD Outlines China's Spying on U.S. IT].
See Also: 2016 State of Threat Intelligence Study
Security experts generally agree that the best defense against nation-state attacks needn't be tailored to a specific attacker. "No, there is nothing truly unique to the Chinese cyber-attack malware," says Robert Bigman, who spent 15 years as the chief information security officer at the U.S. Central Intelligence Agency.
No one solution will help organizations to defend against nation-state attacks, whether from China, Iran, Russia or elsewhere. Still, knowing who's attacking IT systems can help organizations better plan their defenses.
"One of the key differences between state-sponsored espionage and organized crime or hackers is their level of persistence and determination to break through defenses," says Steve Durbin, vice president at the Information Security Forum, a not-for-profit organization that promotes information security and risk management best practices.
Security experts say fundamental cybersecurity and risk management practices, if implemented properly, should reduce the damage done from all types of attackers, including those from nation-states. Based on interviews with security experts, here are four steps organizations can take to shore up their defenses against nation-states cyber-attacks, although not all of these approaches would be appropriate for each organization:
- Avoid acquiring technology from companies based in nations that pose a threat;
- Isolate internal networks from the Internet;
- Share cyberthreat information with other organizations;
- Enhance employee cybersecurity awareness programs, including testing worker' knowledge of best IT security practices.
Avoid Vendors from Nations that Pose Threat
The National Institute of Standards and Technology's latest guidance on security controls, Special Publication 800-53 Revision 4, issued late last month, includes a control to restrict purchases from specific suppliers or countries [see NIST Unveils Security, Privacy Controls].
The control, buried 323 pages deep in the 457-page guidance, mirrors a report issued last fall by the House Permanent Select Committee on Intelligence that recommends the U.S. federal government refrain from using equipment and component parts manufactured by two Chinese companies, Huawei and ZTE. Lawmakers worried the components could be altered to spy on secrets stored on government computers [see House Panel: 2 Chinese Firms Pose IT Security Risks].
"Government officials should remain equivocal while acknowledging risk, since foreign private corporations by nature are not synonymous with foreign governments," says Gavin Long, a contributing expert with SafeGov.org, in a blog he wrote for Information Security Media Group. "Still, caution is necessary to mitigate the potential cybersecurity threat to U.S. businesses and consumers."
But Greg Garcia, former assistant secretary for cybersecurity and communications at the Department of Homeland Security, cautions that restricting purchases from companies based in nations posing a cyberthreat doesn't mean those manufactured domestically are always secure.
"Such guidance should not be interpreted to mean that buying wares from domestic entities that don't have sufficient supply-chain security control in place is acceptable," Garcia says. "We should be aware about blanket 'buy America' edicts in the name of security. We should have better awareness about how something is made, not just where it is made."
Jacob Olcott, a principal for cybersecurity at the risk-management adviser Good Harbor Consulting, says companies can better manage cyber-risk by requiring vendors to show their work. "Ask your vendor to provide evidence about the security process used to create the application or hardware," says Olcott, who served as counsel on IT security matters for the Senate Committee on Commerce, Science and Transportation. "If the application wasn't developed securely, you can be sure that you're introducing more risk into your enterprise."
Perhaps the safest way to protect data is to remove internal systems from the Internet entirely.
"The best defense is a low-price DMZ [demilitarized zone] that completely isolates the internal network from the Internet," Bigman says. "Access to the Internet should optimally be physically isolated from the internal network with one-way, tightly secured paths to move data into and out of the internal network."
That, of course, poses problems for many organizations that have architected their networks to be integrated into the Internet. For enterprises where segregating internal networks from the Internet isn't feasible, adopting an attitude that an intrusion will occur can help develop defenses to prevent the pilfering of vital data.
"It is critical to protect data with encryption and data-loss-prevention technologies," Garcia says. "Assume the attacker has already penetrated perimeter defenses and spend your resources understanding where your data is stored, who has access to it, and protecting it from exfiltration."
Share Cyberthreat Information
Sharing of cyberthreat information among businesses, as well as between government and business, could help mitigate attacks from nation-states. Larry Clinton, president of the trade association Internet Security Alliance, favors the model known as the Defense Industrial Base, or DIB, which aims to protect sensitive, unclassified Defense Department program and technology information residing on or transiting among DoD and defense-contractor computers.
"What they are trying to do is get companies to upgrade their information security systems substantially, and those that can or will make the necessary upgrade are rewarded by gaining access to truly high-level data," he says. "Companies that do get access to this info, similar to the DIB companies in an earlier model, can develop mitigation strategies and products, which they can deploy broadly throughout their systems."
Information sharing enhances situational awareness as well. "Monitor the threat landscape, collaborate with industry bodies, law enforcement and government agencies to stay on top of attack patterns and trends," Durbin says.
Information sharing can be personal, too. Patricia Titus, a former CISO at security provider Symantec, systems integrator Unisys and the federal Transportation Security Administration, says one-to-one contact among security professionals could help mitigate foreign threats to IT systems. "CISOs are calling each other when they see their colleague's company pop up on the hackers chat rooms," Titus says.
Enhance Security Awareness
Garcia says don't discount building employee awareness. "One very important protective technique should be the easiest, but it isn't: training," he says. "The inadvertent insider threat might be the biggest vulnerability in any enterprise. Sophisticated phishing and spear-phishing techniques continue to thwart even the most informed cranial defense. Still, CISOs can lower risk by regularly training and testing employees about proper cyberhygiene and awareness."
Titus says organizations that feel threatened by nation-state hackers could turn to organizations such as InfraGard, an information sharing and analysis initiative between the private sector and the FBI, which provides self-education modules to enlighten employees about hackers and other bad actors.
Organizations have many ways to gain insight into the nation-state threat. "The real question is what do companies do with all this information, are they capable of protecting themselves and are they willing to reach out and spend a few dollars in security technologies or services that will aid in protecting their precious critical data?" Titus asks.