Terms like China, APT and Zero-Day are synonymous with Fear, Uncertainty and Doubt (FUD). The trouble is that, in our opinion anyway, these terms and the news articles built around them detract from the actual problem. For example, in 2011 only 0.12% of compromises were attributed to zero-day exploitation and 99.88% were attributed to known vulnerabilities. Yet despite this fact, the media continued to write about the zero-day threat as if it were a matter of urgency. What they really should have been writing about is that the majority of people aren’t protecting their networks properly. After all, if 99.88% of all compromises were the result of the exploitation of known vulnerabilities, then someone must not have been doing their job. Moreover, if people are unable to protect their networks from the known threat, then how are they ever going to defend against the unknown?
All of the recent press about China and their Advanced Persistent Threat is the same: it detracts from the real problem. More clearly, the problem isn’t China, Anonymous, LulzSec, or any other FUD-ridden buzzword. The problem is that networks are not being maintained properly from a security perspective, and so threats are aligning with risks to successfully effect penetration. A large part of the reason why these networks are such soft targets is that their maintainers are sold a false sense of security from both the services and technology perspective.
In this article we’ll show you how easy it was for us to hack into a sensitive government network that was guarded by industry technologies and testing best practices. Our techniques deliberately mimicked those used by China. You’ll notice that the techniques aren’t particularly advanced (despite the fact that the press calls them Advanced) and in fact are based […]