30 Oct Digital Espionage
James Bond, Ethan Hunt, Maxwell Smart and Johnny English have all been turned into relics. The Mission Impossible franchise is still up & running, but in the real world, the dark alleys, wide-brimmed hats and meetings on park benches beside the Washington Monument to exchange intel have gone the way of the dodo. It’s all digital now.
With enough resources at your disposal, not a single system is safe from your hacking. If you think that your systems are bulletproof and won’t be hacked, it only means that you are not interesting enough to pop up on the radar of digital espionage. It’s called the low-hanging fruit theory. Good information security practices are designed to raise your fruit towards the crown of the fruit tree, leaving the lower fruits ripe for picking. Good information security is a competitive advantage.
Recently, we’ve been educated about the digital espionage capabilities of the NSA, and now it seems that Russian intelligence was caught red-handed pilfering secrets using a commercial anti-virus vendor’s software. Who put the capability into the anti-virus vendor’s software? In the cloak & dagger times, a smoking gun was a decent telltale of someone doing something they perhaps shouldn’t have. Finding the smoking gun in the digital realm is much more difficult. If the Israelis, who alerted the NSA, were able to hack their way into Kaspersky – why wouldn’t another nation state?
We must assume that digital espionage is happening all the time; it would be foolish not to. Sometimes vulnerabilities are introduced into critical software components through government pressure. Sometimes a nation state with enough resources will infiltrate the vendor’s systems and implement spying capabilities. Criminals with limited resources rely on malware, social engineering and other methods to conduct their business – usually exploiting a known & unpatched vulnerability (WannaCry, anyone?), a misconfiguration or, rarely, a 0-day. Sophisticated and stealthy attacks are the bread and butter of nation states.
One way to mitigate the risk of using (forcefully) compromised software is to turn to vendors that come from certain geographic areas, where government coercion is impossible, or extremely unlikely. Look for vendors from that area who are leaders in their field. I would imagine that the 12 US government departments would have been better off using anti-virus software from e.g. F-Secure, or perhaps a domestic vendor – then only the NSA would’ve been listening (assuming coerced vulnerabilities were put in place). At this moment, globally, pure European vendors should have the upper hand. Perhaps omitting the UK, as GCHQ seems awfully similar to the NSA.
We Finns have a saying amongst the sailing people: there are two types of boats, one that has gone onto the rocks, and one that hasn’t yet done so. The Finnish archipelago is among the most treacherous waters to sail. You should assume that you are going to be hacked at some point, especially if you become a major player or otherwise attract the interest of the Eye of Sauron, i.e. digital espionage. What’s really important for anyone doing online business, or trying to protect assets that could be reached through the digital realm, is to follow and evolve good (info) security practices. Equally important is to have a good & practised plan and procedures in place for when you do get breached. Equifax has shown the whole world how not to do things after a breach. If you are ready and practised, a breach won’t be the end of the world. Don’t be like Equifax.