China, Russia, Syria, North Korea and Iran are commonly in the papers for physically attacking us, or for attacking us or our allies over the wire (the CAT5 cable or whatever type of cable you are using these days). The majority of people, including myself, agree with the above, and I am not here to say these countries are perfect; far from it, they are all dictatorships.
Huawei has been in the media a lot lately, though not for a few weeks now. Yes, Huawei and other Chinese manufacturers are not perfect, nor can they be fully trusted, because of the government, which is a one-party state like many other countries. We are bashing foreign companies and nation states for hacking us, but can we really blame them when our attitudes to cyber security and technical defences are poor?
China, which as we know manufactures pretty much all tech kit, including Western brands like Cisco, does not need to bug the equipment it sells to spy on us. I have been doing this for nearly fifteen years and I have been inside an assortment of big companies and public sector outfits which shall remain nameless. As you can see from my writings, I tell the truth and I am not scared of telling an organisation xyz is wrong.
You do not need to be an APT (advanced persistent threat, aka a marketing term) to break into an organisation. Very large corporations will often state in their press releases: “we were hit by a sophisticated APT”. What does that mean in reality? They were hit by a 15-year-old boy or girl from their parents’ bedroom. Why do they say this? Saying we were hit by an APT means it was “impossible to stop”. Hmm. Admitting a child hit them would be very embarrassing.
If you have ever watched Vice’s Cyberwar, you will know from the blacked-out figures working in foreign intelligence services that most attacks are easy: spear phishing is often all you need to steal data or daisy-chain an attack. A sizeable number of attacks can be stopped if you roll out decent defences. My personal bugbear is “FTV”: firewalling, two-factor authentication and VPNs. Most companies do not understand this.
You will get spear-phished if your subdomains, which do all sorts, are exposed to the entire planet or maybe the universe. Firewall them off so only people at your offices or on VPN IP ranges can visit them. Two-factor them if they have to be exposed, though 2FA can still be phished on many occasions. Require a VPN, itself 2FA’ed, before the service will allow connections. Numerous organisations do not understand this and still roll out new services without any of these controls.
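One way to check an estate against the “FTV” rules above, as an added example that is not part of the original post: a small audit that reads a service inventory and flags anything reachable from outside office or VPN ranges without 2FA. The hostnames, IP ranges, inventory format and function names are all constructed for illustration.

```python
import ipaddress

OFFICE = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office egress range
VPN = [ipaddress.ip_network("10.8.0.0/16")]        # constructed VPN client pool

# Constructed inventory: the source ranges each service's firewall admits.
INVENTORY = [
    {"host": "intranet.example.com", "allow": ["203.0.113.0/24"], "two_factor": False},
    {"host": "wiki.example.com", "allow": ["10.8.0.0/16"], "two_factor": False},
    {"host": "jira.example.com", "allow": ["0.0.0.0/0"], "two_factor": False},
    {"host": "webmail.example.com", "allow": ["0.0.0.0/0"], "two_factor": True},
    {"host": "admin.example.com", "allow": ["10.8.0.0/16", "198.51.100.0/24"],
     "two_factor": False},
]

def _inside(net, ranges):
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)

def classify(service, vpn_has_2fa=True):
    """Return (verdict, reasons) for one inventory entry."""
    reasons, exposed, via_vpn = [], False, False
    for cidr in service["allow"]:
        net = ipaddress.ip_network(cidr, strict=False)
        if _inside(net, OFFICE):
            continue
        if _inside(net, VPN):
            via_vpn = True
            continue
        exposed = True
        reasons.append(f"{cidr} is outside the office/VPN ranges")
    if via_vpn and not vpn_has_2fa:
        reasons.append("reachable through a VPN that does not enforce 2FA")
    if exposed and not service.get("two_factor"):
        return "FAIL", reasons + ["exposed without 2FA"]
    if exposed:
        return "WARN", reasons + ["exposed; 2FA present but can still be phished"]
    return ("WARN" if reasons else "OK"), reasons

def audit(inventory, vpn_has_2fa=True):
    return {s["host"]: classify(s, vpn_has_2fa)[0] for s in inventory}

if __name__ == "__main__":
    for svc in INVENTORY:
        verdict, why = classify(svc)
        print(f"{verdict:4} {svc['host']}: {'; '.join(why) or 'firewalled'}")
```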
Currently you do not need to be a nation state to break into most companies. A skilled under-16-year-old could break into some; think of TalkTalk from a few years ago. For the non-Western world, which excludes Germany, France, United Kingdom, Ireland, Canada, United States, Israel, New Zealand, Australia and so on, a ten-year-old could literally hack an entire government (Africa & Asia+) from my findings. Large banks and pharmaceutical firms are at the top of their game and would beat other companies and some British government departments.
So, the next time you are going to bash another regime for breaking into us, stop: can you blame them when many organisations do not take security seriously and are nearly screaming out to be breached?