After reading several articles about the Google-China attack, I have come to a conclusion as to what lessons we can learn as a country, as a business, or as security consultants.
1. Heed the warning signals in advance: If you have read the Northrop Grumman PRC Cyber Paper Approved Report, written on 16 October 2009, you will see that Google could have averted the attacks. One of the things I found interesting in that report was its assessment of the "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation", which was stated plainly, yet Google failed to heed the warning.
The paper also references the history of other network exploits. How strongly can we emphasize the need to be on guard and not to trust an alleged adversary? The Art of War says "Entice the enemy". Was Google enticed (socially engineered) in some way by the Chinese? Did Google let its guard down in the name of trust? These are some of the questions we should be asking about whom we trust with access to our IT infrastructure. I say: trust no one but your instincts and your actions.
2. "Breach-by-design": Many developers ignore the warning signals provided by security assessment teams and in some cases even classify vulnerabilities as minor. Microsoft has had to face a few of those which have come back to haunt them and affect lots of users. Adobe has faced similar issues too. Microsoft is the most guilty of them all: vulnerabilities are left in the open and the release of a patch takes ages. Several articles online have shown this. How strongly can developers be warned to take the assessment reports of penetration testers seriously and to redesign their applications where required? The flaw in the design of the Google application used by the governments of China and the USA to obtain user data opened the gates to the hack... don't wait to be hacked by your clients.
3. Constant employee security awareness: Remember what happened with the Google employees? They had reverse reconnaissance done on them, including their relatives and friends. If you are a firm, how much do you invest in security awareness for your employees? It's time to raise the red flag on what information to give out and what not to give out. I think it's vital that, as security consultants, we inform clients of the need for weekly security overhauls where necessary, especially as we face new challenges and new techniques for attacking firms around the world.
4. Keep an eye on every log and packet: Sometimes it's easy to underestimate the need for critical log and packet analysis. A colleague of mine always says "logs don't lie", but that only holds where they have not been tampered with. Hacking inodes is becoming a can-do thing even for script kiddies, so trusting logs is becoming a challenge. However, having a packet logger can be of vital help. Some have found it a miracle for monitoring activity on their networks and servers. If you can critically analyse every packet arriving on your network, it often goes a long way towards strengthening and beefing up security :(
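One defensive answer to the "logs can be tampered with" problem, as an added example that is not part of the original post: chain each log record to the previous one with a keyed hash, so an edited or deleted line breaks the chain from that point on. The log lines and the key are constructed for illustration; in practice the key (or the chain tags) would live off the monitored host.

```python
"""Tamper-evident log chaining (added example, constructed sample data).

Each record carries tag_i = HMAC(key, tag_{i-1} || line_i). An attacker who
edits or removes a line without the key cannot recompute the following tags,
so verification pinpoints the first inconsistent record.
"""
import hashlib
import hmac

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = [
    "2009-12-01T10:00:01 sshd: Accepted publickey for deploy from 10.0.0.5",
    "2009-12-01T10:02:17 sudo: deploy : COMMAND=/bin/cat /etc/shadow",
    "2009-12-01T10:03:40 sshd: Disconnected from 10.0.0.5",
]

# Constructed key; keep the real one off the host being monitored
# (e.g. on the log collector), or an intruder with root can re-chain.
CHAIN_KEY = b"constructed-demo-key"
GENESIS = b"\x00" * 32  # tag "before" the first record


def _tag(prev: bytes, line: str, key: bytes) -> bytes:
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def chain_entries(lines, key=CHAIN_KEY):
    """Return [(line, hex_tag), ...] with each tag bound to its predecessor."""
    prev, out = GENESIS, []
    for line in lines:
        tag = _tag(prev, line, key)
        out.append((line, tag.hex()))
        prev = tag
    return out


def verify_chain(entries, key=CHAIN_KEY):
    """Return the index of the first broken record, or -1 if the chain is intact.

    Deleting the tail is not detected by the chain alone; pair this with a
    remote record count or periodic anchor of the latest tag.
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(entries):
        expected = _tag(prev, line, key)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return -1
```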
5. No security is too small: Nothing human is 100% efficient, but that is no excuse for total ignorance either. Every security measure that can be implemented should be, and constant review of the existing systems in place is vital. How much emphasis can we place on the need to review your security strategy at defined intervals?
6. Hire firms cut out for security audits: No pun intended, but hiring an accounting auditor to do a security audit is very lame. There are several examples that prove this. Most of these firms come to do textbook-style audits, run automated tools, and produce reports straight from the tools. For any company requiring security audits, I will state that hiring firms like Redspin or individuals such as Richard Stiennon of IT-Harvest, who have the skills to run a manual assessment, is your ideal and trusted solution. Would you trust your surgeon or your GP if you needed open-heart surgery? So don't trust the account auditors and automated tool tests. Get a professional (or several) to do a clean job, and do not think twice even though the cost is sometimes high.
These are just a few pointers I have gleaned from the Google attack. There are several others to think of that you could add.
I just love to hear that the police have "set up Olympics Crime teams" to combat Cyber crime for the London games :)
Till then, keep h4ck|ng for d3ph3ns3.