Hacking: Chinese Army, Shanghai and You

Yesterday’s New York Times – and today’s Economist Online – carry extensive coverage of the recently released Mandiant Intelligence Centre Report. This report details the activities, players and modus operandus of what it claims is one of the Chinese PLA’s most prolific and effective hacker groups, with information about its activities stretching back to 2006, and even a photograph of what is said to be its HQ building in Shanghai. (If you haven’t yet, you really should read 21st Century Chinese Cyberwarfare – it has extensive and fascinating background to why the Chinese cyber threat is so significant.)

China denies the accusations and, in any case, we shouldn’t demonise China – the USA has its own growing army of cyber warriors – as do Russia, Iran, North Korea, the UK, and most other significant countries – the important thing is to understand what are called APTs – Advanced Persistent Threats – and to at least take basic precautions against your own organisation finding itself in the cross-hairs of a cyber sniper.

The most basic of precautions are as follows:

  1. Encryption – first, of mobile devices (laptops, phones, USB sticks) – lock down and protect the data;
  2. Penetration testing – make sure attackers can’t get inside your networks and websites;
  3. Staff training and awareness – the weakest link, exploited ruthlessly by big game cyber phishermen, is employee gullibility. The easiest and fastest route into a network is increasingly (as described in the Mandiant report) to target an employee – or small group of employees – with a specially crafted email, or to leave a small bit of code on a legitimate website – which the target employee is likely to open or click on. This will then download to the target system Trojan and other software which is designed to exploit – over time – its location.

Staff training and awareness is best delivered via e-Learning; administratively, this vector gives you a level of certainty about who has completed the training, their level of comprehension, and it also means that you can update and refresh the training on a regular basis.

So, if you’re a director or general manager, and you’re concerned about cyber security, you should be insisting that your IT team report to you on a regular basis on encryption and penetration testing (and a budget will have to be allocated for this activity, yes), and that your HR/training people operate an effective staff training and awareness programme. If you’re in IT security, on the other hand, you should be ensuring that you have adequate budget to tackle these most basic of modern security precautions.