Tuesday, April 23, 2013

American companies are unwitting accessories in China's cyber attacks

In the growing conflict between China and the United States over hacking attacks, the landscape has shifted, thanks to a 74-page report (PDF) by the security firm Mandiant that painstakingly outlines some of the best evidence yet of China's involvement in a series of attacks spanning seven years. While the report answers many questions about China's involvement, it also raises new issues.

What is particularly important is the apparent lack of sophistication on the part of the Chinese hackers. From the data, we can conclude that China compromised computers simply by sending employees targeted e-mails carrying a program that could control their machines remotely. This is essentially the same style of attack that virus writers used back in the 1990s. It is an exploit known to most security professionals and one that is easy to guard against. Apparently, China had no need to use more advanced tools to compromise its targets.

The U.S. government and companies operating in the U.S. must pause to reflect on the fact that this hacking approach was so successful. (The report also gives the Chinese military plenty to think about regarding how it handles operational security and how it can do better.) The first reaction was shock and embarrassment. As we move beyond emotion to take action, we need to proceed with caution and skepticism before we blindly swallow a proposed solution to this problem. Although it is understandable that U.S. companies should get better at defending against cyber attacks, the solutions proposed by government officials are too often convoluted and based on new legislation that could destroy the freedom of the internet, all in the name of protecting us from our nation's newest ghost. The Cybersecurity Act of 2012, for example, contains many proposed provisions under which, in the view of the Electronic Frontier Foundation among others, the government goes beyond its rights in monitoring private conversations.

The good news is that most of these proposals were defeated, but they keep resurfacing in different forms that go too far and violate the rights of citizens. What we really need is to hold technology companies to higher security standards so they do not produce the next vulnerable version of Java (ORCL) or an insecure SCADA system that is easy to take over, allowing control of the industrial machines that run our power plants and other critical infrastructure.

Laws will never replace the real responsibility of organizations to make security a priority, from the CEO down. Security reporting should be mandated, as it is for other aspects of the business such as financial statements. In regularly scheduled updates, CEOs should have to talk about the security fixes that were made in the organization, or about dangerous incidents. CEOs do not need to be experts on these matters any more than they need to be experts on how a product or service is developed end to end, but they must define metrics and, more importantly, make sure they have someone on the payroll who is in charge of trust and security and is held accountable.

Those senior managers must lead the organization's culture of security and accountability, not merely as lip service but as a factor no less important than securing strong quarterly numbers. People do not easily show title.
