Tuesday, January 19, 2010

What we can learn from Google's China attack

The Internet has been abuzz over Google's admission that it was targeted in a coordinated and allegedly state-sponsored cyber attack. Some are applauding Google's stance, while others question Google's true motivation. This story is too big to just disappear, so I have no doubt that we'll learn more as time goes on, but let's consider what we should have learned thus far.

1.) Corporations make corporate decisions

It makes for a lovely feel-good story to believe that Sergey Brin charged into Eric Schmidt's office to demand that Google exit China as retaliation for the attack. It's nice to believe that "don't be evil" can survive in the corporate jungle. The reality is that Google is a large (very large) corporation, and mottos other than "do what's best for the shareholders" are little more than advertising hype. Sure, Sergey and Larry own a big piece of the pie, but like all large public companies, Google answers to large, faceless institutional investors doing what they've been tasked with: looking at the bottom line. Google didn't go public with this story to save the world. They did so because they believe it's the right business decision, and they've decided that the benefits of doing business in China simply aren't worth the costs. They remain a long way from winning in China the way they've won in the rest of the world. They have decided that the cost of the negative public perception created when they agreed to censor search results simply hasn't been worth it, especially when they are also forced to deal with state-sponsored infiltrations, possibly aided by insiders.

2.) Outdated Web Browsers Leave a Gaping Security Hole

The fact that software hasn't reached end-of-life status is no justification for continuing to run it. It has been a long-standing gripe of mine that IE 6 continues to hold significant market share in the enterprise. Any CISO who hasn't fought to change this should be fired. Yes, IE 7 and 8 are reportedly vulnerable to the same flaw, but the public exploit code seen to date has not successfully exploited those versions. Why? Because they ship with mitigations that make the vulnerability harder to exploit. In this case the protection making the difference is Data Execution Prevention (DEP), which stops the exploit from executing code it has placed in data memory: IE 8 enables it by default, while IE 6 and 7 leave it off unless an administrator opts the browser in. Beyond DEP, the newer versions add Address Space Layout Randomization (ASLR), malicious URL/phishing blacklists, an XSS filter, and so on. Bear in mind that DEP raises the bar rather than closing the hole; the patch is the fix, and mitigations buy the time needed to deploy it. The answer is not to avoid IE altogether, as Germany and France have suggested, but at a minimum enterprises must ensure that they are running the latest browsers with the most current security protections.
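As an added example (not from the original post, and not Zscaler or Google tooling), here is the kind of check a CISO can run to find out whether the gripe above applies to their own network: a Python script that pulls the browser out of the User-Agent strings in proxy access logs and flags clients below an IE baseline. The log lines and the space-separated field layout are constructed for the demo, and the IE 8 threshold is an assumed policy rather than anything the post specifies. One edge case is built in: IE 8 running in Compatibility View reports itself as "MSIE 7.0", so the script uses the Trident engine token to recover the real version and avoid false positives.

```python
"""Flag outdated Internet Explorer clients from proxy access logs.

Added example for this post (not part of the original article or of any
Zscaler/Google tooling). The log lines below are constructed for the
demo; the field layout (timestamp, client IP, URL, status, quoted
User-Agent) is a hypothetical proxy format, not a real product's.
"""
import re
from collections import Counter

# Constructed sample proxy log lines; the User-Agent is the last quoted field.
SAMPLE_LOG = """\
2010-01-19T09:12:01Z 10.1.4.22 http://intranet.example/portal 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2010-01-19T09:12:07Z 10.1.4.23 http://news.example/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
2010-01-19T09:12:09Z 10.1.4.24 http://news.example/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
2010-01-19T09:12:15Z 10.1.4.25 http://mail.example/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
2010-01-19T09:12:20Z 10.1.4.26 http://mail.example/ 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
"""

UA_RE = re.compile(r'"([^"]*)"\s*$')          # trailing quoted User-Agent
MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")      # advertised IE major version
TRIDENT_RE = re.compile(r"Trident/(\d+)\.\d+")  # layout engine version

# Trident engine version -> real IE major version. IE 8 in Compatibility
# View still says "MSIE 7.0", so the Trident token is the reliable signal.
TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10, 7: 11}

MIN_SUPPORTED_IE = 8  # assumed policy threshold for this example


def ie_major_version(user_agent):
    """Return the effective IE major version, or None for non-IE agents."""
    m = MSIE_RE.search(user_agent)
    if not m:
        return None
    version = int(m.group(1))
    t = TRIDENT_RE.search(user_agent)
    if t:
        # Trust the engine over the (possibly compat-mode) MSIE token.
        version = max(version, TRIDENT_TO_IE.get(int(t.group(1)), version))
    return version


def parse_line(line):
    """Split one constructed log line into (client_ip, user_agent)."""
    ua_match = UA_RE.search(line)
    if not ua_match:
        return None
    fields = line.split(" ", 4)  # timestamp, ip, url, status, rest
    if len(fields) < 2:
        return None
    return fields[1], ua_match.group(1)


def find_outdated_clients(log_text, minimum=MIN_SUPPORTED_IE):
    """Return {client_ip: ie_major} for IE clients below the minimum version."""
    outdated = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ua = parsed
        ver = ie_major_version(ua)
        if ver is not None and ver < minimum:
            outdated[ip] = ver
    return outdated


def version_histogram(log_text):
    """Count IE major versions seen; None is the bucket for non-IE browsers."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[ie_major_version(parsed[1])] += 1
    return counts


if __name__ == "__main__":
    for ip, ver in sorted(find_outdated_clients(SAMPLE_LOG).items()):
        print(f"{ip}: IE {ver} is below the IE {MIN_SUPPORTED_IE} baseline")
    print(dict(version_histogram(SAMPLE_LOG)))
```

Point it at real proxy logs and the histogram tells you how big the IE 6 population actually is. Two caveats: the User-Agent is supplied by the client, so a spoofed or locked-down UA can hide a browser (treat the output as an inventory hint and reconcile it against patch-management data), and the script only sees hosts that browse through the proxy.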

3.) 0Day, Targeted Attacks are Very Hard to Defend Against

Perfect security lives on Pandora. We live on Earth. Don't waste time looking for it.

When an attacker possesses a weapon that you haven't seen before, you are at a significant disadvantage. 0day attacks present a fundamental challenge because signature-based defenses don't know what to look for. Combine that with a knowledgeable adversary who can effectively employ social engineering and, no matter what security measures you have in place, at some point you will be compromised. Should we roll over and give up? Of course not. The goal is not perfect security but rather to mitigate threats to an acceptable level. We can achieve that by employing defense-in-depth and ensuring that our detective controls are sufficient to understand the extent of the damage, contain it and recover quickly should a breach occur.

4.) The Best Defense is a Good Offense

One of the more surprising angles of this story has been the revelation that Google went on the offensive to get to the bottom of the attack. While such an approach can put an organization in a legal grey area, it is unlikely that Google would ever have had the evidence necessary to be confident of the origin of the attacks, or to learn that some 33 other companies were affected, had they not broken into a server in Taiwan. Did Google coordinate its efforts with law enforcement? Is this a tipping point in the evolution of cyber warfare, when corporations frustrated with the red tape law enforcement encounters when crossing international borders begin to take matters into their own hands? Stay tuned...

- michael

2 comments:

Anonymous said...

It's true that corps must be updated to the most recent versions of all SW. But achieving this is extremely difficult in a large corp, and even worse when there are hundreds of apps that must constantly be patched; IT will always be in a constant patching mode, so there is a difficulty. And that's not to mention 0-days. What's the role of SW corps (Adobe, MS, etc.) in all this? Dude, if my car had a malfunction I would return it immediately. SW cannot be done with the feet anymore.

Michael Sutton said...

Anonymous - I don't disagree that patching is a constant challenge for corporations but IE 6 is now 8 1/2 years old. Any CISO allowing it to be run in an organization is simply failing to do his job.