[ISN] Corporate espionage: Not if, but when

From: InfoSec News (alerts@private)
Date: Thu Mar 13 2008 - 00:09:10 PST


http://resources.zdnet.co.uk/articles/features/0,1000002000,39365959,00.htm

By Sally Whittle
ZDNet.co.uk
12 March 2008

When it comes to business-to-business theft of information, experts 
agree — it's best to assume it will happen to your company

Corporate espionage is defined as the theft of commercially valuable 
information. This may be the secret formulation of a new product, but 
equally it could be the names and salaries of senior executives or 
simply the date of your next marketing initiative.

This type of corporate crime costs the world's 1,000 largest companies 
in excess of $45bn (£22.4bn) every year, according to research from 
consulting firm PricewaterhouseCoopers.

Some of the world's largest corporations have been targeted: for 
example, in 2000, Microsoft fell victim to what the company called "a 
deplorable act of industrial espionage" when hackers broke into the 
company's system and accessed Windows and Office source code. Hackers 
had access to the source code for up to three months.

In the pharmaceutical sector, Proctor & Gamble and Unilever became 
involved in a dispute over corporate espionage when Fortune magazine 
reported that P&G had been involved in illegal corporate espionage 
against its archrival. Agents appointed by P&G were alleged to have 
misrepresented themselves as market researchers and used various other 
methods to collect information about its rival.

In 2006, two hackers were extradited from the UK to Israel when it was 
alleged that they had developed and sold spyware which was used by 
companies to spy on rivals in their native Israel. Three private 
investigation companies in Israel were alleged to have sent emails with 
Trojan horse packages designed to evade detection by security tools.

"What you need to know is that this is happening more than ever before, 
and on a bigger scale than ever before," warns Toralv Dirro, a security 
strategist with McAfee. "Any business that derives competitive advantage 
from information should be concerned about this issue."

Corporate espionage has increased rapidly in the past decade, as more 
information is put onto corporate networks — and potentially within the 
reach of hackers, Dirro explains. Certainly, PricewaterhouseCoopers 
reported that corporate espionage losses doubled between 1990 and 2000.

Knowing whether you're at risk of corporate espionage isn't easy, admits 
Paul King, a senior security advisor with Cisco UK. In fact, you could 
be a victim of corporate espionage and never even realise it, King says. 
"At Cisco, we don't ask ourselves why we might be at risk of this stuff, 
we ask why not?" he says. The company's security experts constantly scan 
the internet for reports of attacks on other organisations, and assess 
their own risk to similar attacks.

It's difficult to know exactly how common corporate espionage is because 
most victims never report the attack to the police, fearful of the 
consequences of going public, says King. And is a hacker is sufficiently 
skilled, many companies won't even realise they've been attacked. "I 
think the best we can do is monitor our systems carefully and if we hear 
of an attack on another organisation, ensure that it couldn't affect 
us," he says.

The question isn't whether you know you're vulnerable to corporate 
espionage, it's knowing how vulnerable you could be, adds King. "If your 
chief executive says he's not a victim of this stuff, how confident is 
he? And the only way to be really confident is to be looking hard for 
it."

The first step in corporate-espionage protection is to close the most 
obvious loopholes — those that can be exploited by hackers without even 
breaking the law. "We're seeing massive growth in something called 
Google hacking," says Rhodri Davies, a technical architect with security 
specialist Vistorm. "This is the process of using really smart Google 
searches to find information left open on web servers. It's 
unsportsmanlike, but definitely not illegal."

With Google hacking, hackers can routinely find information on projects 
and personnel, and the file names of confidential documents, even if 
they cannot access the documents themselves. "You can easily automate 
searches, so that if a document is online even briefly, you'll be 
emailed that search result," says Davies. The danger is that this 
information will then be used as the basis of an illegal attack, 
enabling a hacker to pretend to be inside the company, or to launch a 
social-engineering attack.

Security companies have seen a dramatic increase in what's known as 
"spear phishing", a highly targeted phishing attack where a single 
executive may receive an email that appears to be from an authorised 
partner or supplier, relating to a project that isn't widely known 
outside the company. "The usual trick with this sort of email is to 
encourage the user to open a file, which will launch a Trojan, 
potentially giving someone access to the whole network," says Toralv 
Dirro, a security strategist with McAfee. "We have been seeing an awful 
lot of these in the last year or so."

How do you know if you have been a victim of corporate espionage? In 
many cases, you'll never know, says Dirro. "If it's a skilled hacker, 
they will have used Trojans to ensure the intrusion detection system 
isn't triggered." Security experts recommend regularly conducting 
penetration testing (including looking for search vulnerabilities) to 
protect against this kind of attack. However, to protect against illegal 
hackers attempting corporate espionage, the best advice is to know your 
data.

Audit your corporate data and identify what information is potentially 
sensitive and therefore vulnerable to attack, says Dirro. Next, separate 
this…

…information into dedicated areas of the network, and consider 
separating highly sensitive information entirely. "If you have a highly 
confidential R&D project, I would consider putting it on its own 
network, with no external links whatsoever," says Dirro. "Regardless, 
you should have a clear idea of your data structure, so you know who is 
accessing sensitive data and what they're able to do with it."

There isn't a single technical solution to corporate espionage, adds 
Cisco's King. "If there was, we'd be selling it," he says. However, 
companies can take steps to minimise the risks it poses. King's key 
advice is not to rely on reactive security systems, which will warn you 
only when something specific happens. Although a good intrusion 
detection system and firewall are essential, they aren't enough. "If 
you're waiting for an alarm to go off, that's not good enough, and it 
won't alert you to most corporate espionage," King says.

For example, you may want to investigate the latest data log protection 
systems. These software tools can "mark" confidential data with a 
virtual watermark, which prevents it from being copied to a mobile 
device or distributed via email. "The technology is relatively new, and 
can be quite difficult to get up and running, but once you've done the 
upfront work they're highly effective," Dirro says.

In addition, King recommends routinely checking through IDS log files 
and access logs looking for attacks or patterns of unusual activity. "We 
have a product that monitors all our log files from routers and 
firewalls and looks for anomalous behaviour," says King. "It's different 
from only reacting to something you know has happened."

It's also important to pay attention to less sophisticated forms of 
information theft. "Educate people on risks that may seem small, like 
using a laptop on a plane," advises King. Cisco executives are routinely 
provided with plastic privacy shields that prevent so-called shoulder 
surfing, and the IT department provides training videos that help make 
people more aware of the risks in discussing confidential projects in 
public.

"Sometimes you can be at risk in the most public places," says King. 
"For example, someone at a trade show might ask you a question that is 
designed to help them later to do some kind of social engineering." 
Since producing videos on this topic for the corporate intranet, King's 
team has received many more calls from employees who say they have 
received suspicious telephone enquiries.

The vast majority of corporate espionage attacks have the involvement of 
someone inside the company, argues Mark Schettenhelm, a security 
consultant with Compuware and a Certified Information Privacy 
Professional (CIPP). "We've done such a good job of blocking hackers and 
spam from outside that it's easy to forget the threat from people inside 
the company who have all the authority and access."

However, King believes it's important to keep corporate espionage in 
perspective. "We want security to enable the business, and we're not 
going to lock down systems and stop people doing business," he says. For 
this reason, Cisco does allow employees to use memory sticks and mobile 
devices, but with appropriate encryption and other security measures.

The best approach is to accept that providing employees with access to 
sensitive information will always carry some risk, but to mitigate that 
risk as far as possible, says Schettenhelm. Compuware provides a range 
of tools designed for "application auditing", which basically means 
monitoring who uses software, and what they do with it. One of the 
biggest challenges of any company that has been hacked is knowing the 
extent of the breach, and application auditing can also help in this 
respect, showing which screens and fields of data were viewed by an 
individual user.

"It means if there is a breach, you can easily see where it happened, 
who did it, and what was breached," says Schettenhelm. "It also protects 
employees from false accusations, because it shows where there was no 
inappropriate action."

Application auditing can be combined with data mining tools to reveal 
patterns of usage and alert managers to anomalous activities. For 
example, you could monitor the activity level in a customer service 
centre to show that a typical agent accessed 100 records per day, while 
one employee is regularly accessing 500 records. "That type of spike 
might indicate a problem, and further investigation may show which sort 
of records he is accessing, and whether it tallies with the number of 
inbound calls they were handling," says Schettenhelm. "You can then ask, 
why did you need that screen for that call?"

This type of technology works best when sensitive data is held on 
separate screens, Schettenhelm adds, so that you can track exactly who 
is accessing information such as credit-card details or medical records. 
It will also help in preventing future problems, because auditing will 
show which screens really are needed to do a specific job — allowing 
access to be restricted to any information that isn't strictly needed.

Of course, an organisation can't simply block access to all confidential 
data — developing new products is difficult if the engineers can't 
access the plans, after all. But analysing network traffic can show who 
is downloading information and at what times. "A common trigger which 
might indicate a problem or a hacker is someone accessing files outside 
office hours, when they can't be seen by colleagues," says Schettenhelm.

Copyright © 1995-2008 CNET Networks, Inc. All rights reserved



___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Thu Mar 13 2008 - 00:16:37 PST