A Case Study in a Foiled Chinese Cyber Espionage Attempt
*Note: This article was originally published by the author on April 2, 2019.
This whole security cyber-espionage fiasco seems to have gone abruptly bad for the Chinese. However, how many such espionage attacks are successful? We’ll probably never know. They are brazen, I will give them that. Just waltz up into Mar-a-Lago and implant some malware right?
When the authorities searched her belongings, they found that she was carrying four cellphones, a hard drive, a laptop and a thumb drive that was found to be infected with malware.
Doesn’t everyone travel with 4 cell phones, a hard drive, a laptop, and a thumb drive loaded with malware? Hmmm. Maybe it’s just me…
He said the fact that Secret Service agents apparently relied on the determination by a Mar-a-Lago security agent that Ms. Zhang was related to a member of the club — simply because she shared the member’s last name — was problematic.
“It’s a hard position for Secret Service to be in to potentially deny a million-dollar committee member,” Mr. Mihalek said. “It puts Secret Service in a very difficult position because we don’t know who are members and who aren’t.”
“You’re depending on them to say this is an employee and this isn’t an employee. We work off a list of names,” he said. “Our priority is, are you coming in with explosives or not.”
When you have Secret Service relying on resort security to vet personnel access control, that’s a problem that cannot be allowed to happen when you’re protecting a VIP. Whether you like Trump or not, which I do not, I still think we have to respect the Office of the Presidency and protect those who fill that role. Remember that without physical security, most of our technical security controls are worthless. With physical access to a system, there isn’t much you cannot do given time and resources. Also, you can never, ever, ever outsource responsibility. You can delegate responsibility, but ultimately you are still responsible. In this case, the Secret Service would have been at fault had something bad happened to the President because they essentially outsourced the responsibility of vetting personnel who had access to the resort area where the President was going to be or possibly be later on in the day. Not a good look for the Secret Service or a good situation to be in.
Chinese woman carrying 'malware' arrested at Mar-a-Lago heading to a Cindy Yang event
A Chinese woman carrying a thumb drive loaded with malware was detained at Mar-a-Lago Saturday after trying to gain…
Whenever you read about cases like this it should make you question what your physical security processes and controls are. How easy is it to bypass those physical security controls? If it is possible, then what other layers have you emplaced as an impediment to a would-be attacker from reaching your information systems where the sensitive data is stored? Ever heard of Gates, Guards, and Guns? Those questions in the ISC2 Common Body of Knowledge (CBK) for the CISSP certification come to mind. How tall should a fence be to discourage people from scaling it? Or, from my time spent in the Marines, what type of barbed wire would be the most effective deterrent for scaling a fence? What type of Closed Circuit Television (CCTV) cameras work best? How should the cameras be positioned? How long do we keep the video footage backed up for those cameras? Do we use mantraps on the doors and bollards in front of building entrances?
What if someone does make it past all our physical layers of defense? Then it comes down to technical or logical security controls that may or may not be implemented for TEMPEST, full disk encryption if someone walks out the doors with an HDD, etc. These are all things that you need to think about as an information security professional. You cannot allow yourself to be only focused on computers 24/7/365. Get to know your physical security team, take them out to lunch. Get over the stigma that these big, muscle-headed ex-military or cop-type freaks are responsible for the security and they might view you as some kind of computer geek. Who cares? Your job is to bridge that gap, try to understand where they are coming from.
Maybe consider buying them a coffee because you probably can afford to much more than they can. Get out from behind your desk and walk around. See what people in your organization are doing apart from what you can see in the system event logs and firewall logs. Talk to the physical team members about strategies and how you can interweave your physical and technical security controls to form the most secure posture against various types of attacks. An effective, layered security strategy that will defeat something like a well-coordinated cyber-espionage attack requires coordination of all elements of an organization. It’s never just about cybersecurity folks, you would do well to remember that. Stop seeing yourself as the center of the universe, we’re not. We’re only one planet in the solar system that is the right attitude to have. A very important planet or element of the organization, but still just one aspect.