Singapore bids to snuff out APT fire as threats spell double trouble for APAC

Last week APT and anti-malware firm FireEye announced the creation of a new Cyber Security Centre of Excellence (CoE) in partnership with the Singaporean government. It didn’t make many headlines outside of the city state but I think it’s worth a second look for a few reasons.

First up, FireEye is pledging 100 trained security professionals to this new regional hub, to provide intelligence to help the local government protect its citizens and infrastructure from attack as well as benefitting the vendor’s customers across APAC.

FireEye is one of the few infosec companies I’ve spoken to in this part of the world that is prepared to talk at length about the specific problems facing organisations in the region. More often than not when I try to go down this avenue with a vendor I’ll be told about how threats are global these days and attacks follow similar patterns no matter where you are on the planet.

While I know this is true to an extent, it was nevertheless refreshing to hear FireEye’s APAC CTO Bryce Boland tell me that the reason for building a team in Singapore was to have the necessary local language and cultural skills to deal with specific regional threats.

“We have a lot of countries here, many of which have tense relationships, so we see a lot of that boil over into cyber space,” he told me.

As well as the various hacktivist skirmishes that periodically hit the region, such as those between the Philippines and Indonesia or China and Japan, there are also more serious IP-stealing raids, which stem from the fact that APAC represents more than 45 per cent of the world’s patents, Boland added.

As a result, regional organisations face almost twice as many advanced attacks as the global average.

Another reason the news of FireEye’s new CoE warrants attention is what it says about the approach to cyber security by the respective governments of Singapore and Hong Kong.

Although Hong Kong threw HK$9 million (£730,000) at a new Cyber Security Centre in 2012, my impression is that Singapore is more proactive all round when it comes to defending its virtual borders.

It was a view shared by Boland, who pointed to Singapore’s ability to attract and support infosec players looking to build regional headquarters there, as well as its efforts to attract globally renowned speakers to an annual security expo.

In my experience, what few events there are in Hong Kong are poorly attended, attract few speakers from outside the SAR, and rarely provide the audience with anything like compelling or useful content.


EU’s $30 billion data security block on India’s BPO giants

I don’t often cover India’s outsourcing market but an interesting piece of news emerged this week when local media reported that the EU has found some notable gaps in the country’s data protection legislation which could scupper a major trade agreement between the two.

Basically the two have been trying to thrash out the Broad-based Trade and Investment Agreement since 2006.

The idea is that India opens up more of its vast market for EU firms and vice versa, but with one of India’s biggest industries in Business Process Outsourcing, a key demand from that side was that the country be recognised as a “data secure destination” by Europe.

According to the Data Security Council of India (DSCI), this single accreditation could propel outsourcing revenues from European customers from $20bn to $50bn in no time at all.

Sadly for India, the EU Justice Department decided to launch a consultation on India’s data security credentials and now the mutterings are it doesn’t like what it sees.

Any further delays which require legislative amendments could take years – not exactly what IT services giants like Infosys, Mahindra and Unisys want.

However, Forrester security analyst Manatosh Das told me all may not be quite as bad as it seems.

For starters, he said, India is taking information security a lot more seriously nowadays since recent high profile cyber attacks.

With the proposed electronic surveillance Central Monitoring System, the country is apparently planning for stringent privacy laws, while the DSCI, set up by Nasscom, has a strict remit to monitor data security and privacy in the IT and BPO industries, he said.

“I really don’t think in the current scenario outsourcing will take a back seat,” Das added.

“Private organisations in India follow international security frameworks like ISO 27001, PCI DSS, SOX, HIPAA. They have strong contractual agreements with their clients. Clients have the right to audit the vendors as per the agreement.”

However, he did admit that the IT Amendment Act 2008 lacks enforcement and needs amending again to “remove ambiguity” and create specific exceptions.

As a side note, I’m sure the recent “landmark” agreement between the UK and India on data security will also help reassure European customers considering offloading some services to Indian firms.

As always though, rigorous planning and due diligence and early involvement from the IT department should be a given to prevent any unexpected outsourcing problems down the line.


China’s hacking problem: more sinned against than sinning?

Last week I finished off an analysis of the China/cyber espionage stories that have been flying around in recent months, with a surprising conclusion – in many circumstances the country may well be as much a victim of attack as a perpetrator.

We are unlikely to ever find out the extent of state-sponsored cyber attacks on the US and its allies, although thanks to several high profile reports which name and shame Beijing it’s clear that the tip of the iceberg is well and truly showing.

However, we can be more clear about how secure or otherwise China’s IP address space is and make some general observations.

I spoke to several information security experts about this and they were all in agreement that China is a particularly attractive place to launch attacks from, simply because there are so many compromised PCs as well as enough bulletproof hosting firms there to use with impunity.

HKCERT senior consultant, SC Leung, explained to me how compromised computers, or bots, in China are helping cyber criminals from outside the country.

“The zombie computer, or bot, steals the data (using its IP address) and sends it back to the attacker. When tracing the compromise police can only find the bot computer IP address. The attacker can further command the bot to send the data to Dropbox or a third party forum, and then retrieve it directly or indirectly. This long chain of investigation of different servers (probably in different jurisdictions) hampers the investigation.”

It’s also worth mentioning that not all attacks are being carried out by external forces to compromise Chinese IP addresses which are then used as a staging point to attack other countries. China has a massive internal problem with home-grown cyber crims targeting their own – stealing data, IP, bank credentials and even blackmailing by DDoS or other means.

It’s interesting to note that a week or so after I published this story, the FT ran an interesting piece which reached the same conclusions, claiming that the government is failing to provide coherent oversight on information security matters and that the forensics industry is virtually non-existent in China.

Apart from fixing these two problems, there needs to be greater user education and awareness to ensure fewer PCs are vulnerable to outside attack, and a crackdown on bulletproof hosters.

At the moment, the Party seems to be happy to close down porn sites in high profile raids, willfully censor its citizens and hit out at any US accusations of cyber subterfuge, but not to get its own house in order.

Cleaning up its address space first would surely improve China’s standing internationally and may even help foster more cross-border co-operation, rather than the relentless mud-slinging of late.


Cameron’s Indian deal exposes outsourcing security failings

Earlier this week David Cameron signed a deal designed to elevate the Indo-British relationship to an “unprecedented level of co-operation” on cyber security issues. It came as part of the PM’s three-day trade mission to India and is certainly to be welcomed, but the agreement also implies some rather worrying things about the cyber readiness of the country’s big outsourcing firms.

The deal will essentially mean two things. Firstly, UK technical know-how and expertise in the cyber security sphere will be shared with Indian outsourcers, essentially to help protect the vast amounts of data from UK consumers and businesses which are now held on servers in the country.

Secondly, the agreement will see the two countries share relevant threat intelligence in order to thwart attacks on their systems, whether they’re coming from the UK, India or elsewhere.

Now, as mentioned, any kind of international co-operation on cyber threat protection is a step in the right direction, and Cameron certainly can’t be faulted for his assertion that “other countries securing their data is effectively helping us secure our data”.

My surprise is that big name outsourcers like Wipro, HCL, Mahindra and Infosys – firms which have built their business presumably on the quality (and security) of their BPO offerings – need an extra hand.

Any CIO worth his salt would surely relegate to the scrap heap a potential outsourcing provider who could not satisfy his or her list of pre-determined security requirements.

Sure, the smaller outsourcers will benefit most from this deal, but the big boys too?

Well, yes, according to Forrester’s New Delhi-based analyst Katyayan Gupta.

“Even larger Indian firms like Infosys, TCS, etc. will also benefit because now they will have an additional layer of security against cyber criminals,” he told me.

“This is not to say that these firms do not have good security right now. But the question really is – is it enough to keep all attackers out? Probably not.”

Now I know in this age of APTs and highly targeted attacks no firm can claim to be impervious, but it’s slightly worrying when those with huge resources – in an industry where reputational damage following a data breach could hit hard – are apparently getting expertise flown in from the UK that they haven’t obtained anyway.

Also, as Gupta argued, the deal will still do nothing to stop perhaps the biggest threat to UK data residing on these firms’ servers: corrupt insiders.

It may be time to revisit those SLAs.


RIM’s big differentiator: staying out of China

In a startlingly refreshing display of honesty, RIM CEO Thorsten Heins has come out and said the firm is steering clear of China when it comes to manufacturing to reduce the risk of IP theft which could cripple its business.

It’s a bold statement, given that in my experience most tech firms – and even analysts – are very reluctant to discuss China in anything approaching critical terms, especially when cyber security is mentioned.

It’s certainly a valid point. I’ve reported in the past for The Register how many multinationals are suffering IP loss from their Chinese business units.

As RIM is teetering on the brink financially and seems only to be able to differentiate competitively from its rivals by virtue of the superior security capabilities of its handsets and infrastructure, any breach would be a huge blow.

That’s not to say it is necessarily safer anywhere else, but eliminating China from the supply chain could be a wise move.

Even the Chinese government has indirectly admitted its firms do not innovate enough themselves – the inference I’m drawing here is they nick a lot of IP instead.

Kenny Lee, a forensics expert with Verizon Business, sat down with me on Thursday to explain what hacking activity he’s seeing inside Hong Kong and Chinese firms.

Interestingly, while he did admit there was a fair amount of “low level” IP theft from firms in the region, mainly due to employees looking to set up their own businesses, there is a more insidious data leakage problem – technology transfers.

These agreements are usually foisted on foreign multinationals wanting to expand into China. The deal is that they have to partner up with a local Chinese firm by law to sell into the country’s huge market, and in doing so will usually need to share IP with them.

After a certain point, Lee explained, the Chinese partner usually has enough knowledge to pull out of the venture, having sucked all the IP it needs from its foreign partner.

There’s the rub for foreign firms such as BT, who can’t gain direct access to the market but equally reject the idea of handing over their hard-earned IP.

There’s no chance of things changing from the top anytime soon, so foreign firms will continue to have to weigh the risks and make that judgement.