You’ve just spent the last 6 months pushing that IT Security rope uphill, fixing all those red hot items on that internal audit report. The CIO is quite pleased that you passed that annual regulatory exam. You’ve had a vulnerability assessment and network penetration test done within the last year, and have all the recommended fixes in place. You’ve even updated your information security policy. Feeling pretty secure right about now, hunh?
It is time that you assessed your position the way that a criminal does, not like an Information Security Professional. Technically savvy crooks have been involved in information security as long as or even longer than you have. They have attended all of the same conferences, events, and webinars that you do. They know that most security programs focus on meeting regulatory compliance requirements rather than building truly effective security measures. They know that IT departments are doing more these days, with reduced budgets and resources. They are also aware that you must defend an expanding perimeter against a virtually unlimited number of attack vectors, while they only need to find that one vulnerability to exploit.
How do you protect against a sophisticated and motivated attacker? What about a hired professional spy, targeting your company’s trade secrets for competitive advantage? Consider how you would identify a skilled insider with a specific purpose in mind from the date of hire. What about the unwitting insider that doesn’t take the prescribed security precautions, looks for shortcuts, or is simply careless or clueless? It’s not in their job descriptions to be constantly wary and overly vigilant. Social engineers and tricksters have been fooling the best of us for generations. These people know that information exists in many forms, and are trained to find and exploit all manner of vulnerabilities. An information security program must incorporate more than just traditional penetration tests and vulnerability assessments to be effective against this potential cast of characters.
Telus recently reported that Juneau-Katsuya, now CEO of security consulting firm The Northgate Group, told a Toronto media conference about a recent incident involving a Department of National Defence (DND) employee that sounded a lot like a plot from a Hollywood movie thriller. Except that it actually happened…
A National Defence employee returned to work one Monday and received an email from a fellow employee whose name he didn’t recognize. The author of the email was friendly, and said his daughter had played in a soccer game against the daughter of the DND staffer. “By the way”, the email read, “could you send me this specific document?”
It turns out the document was classified top secret, not to be sent electronically. The DND employee alerted his superiors, who launched an investigation. The email was fake, and originated in China. It had been constructed and sent from a computer halfway around the world using photos the DND staffer posted on Facebook of his daughter’s weekend soccer match.
According to the article, security breaches in Canadian companies and government agencies are increasingly inside jobs that originate across national borders as mobile computing proliferates. Blame it on the current economic trend, the frequency of job changes, or even foreign governments seeking competitive trade secrets to increase their local businesses’ ability to compete globally.
Corporate espionage is real, and it is on the rise. In most cases, obtaining the means of production, the research and development notes, the “know-how”, is more valuable to a competitor than gaining access to the end-product. Why steal a warehouse full of Caramilk Bars, move them, fence them, launder the ill-gotten gains and face detection at every step, when you can just steal the file that contains the precious secret? This type of information cuts out research costs, development costs, and testing costs, and speeds up the move to production by skipping over conceptual creation, thought promotion, failures and restarts, and prototype fabrication, going straight to mass production. First one to market often earns the initial rewards, but avoided development costs can equate to virtually pure profit, and put Company B into the black well before Company A, which invested significantly in the original idea, especially if the product has a long R&D cycle.
The techniques have changed over time, but the game remains the same. Espionage has happened, is happening, and will continue to happen. Many companies focus on the electronic dimension of information security because of advances in technology. These companies don’t fully understand the problem.
Information’s 4 Dimensions
It is broadly accepted that information exists in four dimensions: Oral, Visual, Electronic, and Written. Spies can steal information in any or all of these dimensions, and have a significant impact on costs and profits. An effective information security program must cover all four dimensions, using physical, logical and operational security measures that protect information, detect and prevent unauthorized access, and respond to attacks.
As a criminal bent on attaining information assets, you are willing to work inside or outside of technology as long as you get the results that you are after. You can find many different ways to get at the information that you need: get hired internally, leave malware-laden USB keys at workers’ doorsteps, keep an eye on the print queue for interesting jobs, steal unattended notebooks or smartphones from targeted employees, start wearing glasses with hidden cameras, plant audio bugs, use Wi-Fi snooping and capture tools, surveillance technology, hardware key loggers, and even PC monitor scrapers that look like simple extension cords and systematically record complete snapshots of a user’s screen. A simple web search shows that these items are cheap and easily acquired.
A professional attacker can be hard to stop, and is usually:
- Well-educated and motivated.
- Opportunistic and a master of evasive tactics.
- Familiar with business operations and the value of particular intellectual property.
- Resourceful, creative, persistent, and detail-oriented.
- Capable of using diverse skill sets and contacts.
- Willing to use the most effective skill or technology available.
- Sufficiently financed to pursue the target systematically.
- Trained in social engineering.
- Extremely difficult to secure against.
You might notice that technical skills are not high on this list. They can be outsourced or acquired. The flexibility to use the most effective methods available is more important to a professional attacker’s success. Ultimately, the attacker’s goal is to launch “precision strikes” against the company while avoiding detection at all costs. They will take the path of least resistance to get at what they want. They are trained opportunists skilled in taking advantage of whatever vulnerabilities appear.
Protect Against Corporate Espionage
In today’s regulatory environment, information security managers must comply with industry-specific, state, provincial and federal regulations, often focused on customer information and privacy. Your company is not secure just because you have checked off the items on the Privacy Compliance list. You need to identify the information that, if lost, would critically harm the company. You also need to understand the value of that information to your company, and to others. These are the “crown jewels” and should merit the best defenses that you can afford. Assess the risks posed to these assets.
Determine how to protect the jewels against high and low tech attack vectors. You will need to work with your employees to be effective here. Employees tend to respond better to carrots than they do to pointy sticks. One way to do this is through an effective, incentivized and targeted security awareness program, coupled with regular enterprise-wide security testing. If you properly train and incentivize security awareness, you will gain a strong defensive security culture. If you measure and enforce your policies, you will get results.
Simulate actual attacks, which often occur as a “blended threat” rather than as single discrete events. Focus on all types of information, regardless of its form. Combine a network penetration test with physical and social engineering attempts. Those results will give you a better idea of your actual defenses.
Update and prepare your defenses:
- Provide a single point of contact for reporting suspicious events. Encourage people to contact this SPOC regardless of the issue or event in question.
- Tailor security awareness exercises and materials to the audience.
- Train physical security guards to understand information security risks as well.
- Train employees to identify home PC security, physical security, and travel risks.
- Train managers in what malicious and non-malicious insider threats look like.
- Make sure everyone understands what Social Engineering attacks “feel” like.
- Remain vigilant on physical security and invest in technologies that will allow you to find synergies between logical and physical security.
- Implement an information classification program that all users can understand. Keep it simple: Public, Internal, Confidential, Personal.
- Consider data leakage prevention, data fingerprinting & classification, identity-based encryption, and log monitoring.
- Consider implementing technologies that perform event correlation to aid in detection and to expedite investigations.
- Monitor public touch points (social networks, support forums, etc.) to detect at-risk information.
- Engage legal counsel to identify which of your crown jewels are trade secrets that deserve perpetual protection as long as certain conditions are met.
- Avoid predictability and encourage “need-to-know” across the organization.
- Reduce the rush to promote new company developments too quickly.
- Provide clear, easy to follow incident response plans, regularly exercise specific incident response scenarios, and update the plans.
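Three of the items above (a simple classification scheme, log monitoring, and event correlation to aid detection) fit together naturally, and a small worked example shows how. The script below is an added illustration written for this page, not code from the article or from any product it mentions: it joins a hypothetical classification registry with constructed log lines from three sources (a file server, a mail gateway and a print queue) and flags Confidential documents that leave by email to an outside domain or go to a printer, noting whether the sender had read the file shortly beforehand. The document IDs, users, domains, the 30-minute window and the log format are all made up for the example.

```python
"""Classification-aware event correlation over constructed log lines.

Added example for illustration only; the registry, log format, users,
documents, domains and thresholds below are assumptions, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"      # assumption: the company's own mail domain
WINDOW = timedelta(minutes=30)       # assumption: read-then-send correlation window

# Hypothetical classification registry (document id -> label), using the
# four labels the article recommends.
CLASSIFICATION = {
    "DOC-1001": "Public",
    "DOC-2042": "Confidential",
    "DOC-3007": "Internal",
    "DOC-4413": "Confidential",
}

# Constructed log lines: "<timestamp> <source> key=value ...".
SAMPLE_LOGS = """\
2024-03-04T09:02:11 fileserver user=alice action=read doc=DOC-2042
2024-03-04T09:05:40 mailgw user=alice to=bob@example.com attach=DOC-2042
2024-03-04T09:14:02 mailgw user=alice to=rival@competitor.example attach=DOC-2042
2024-03-04T10:30:00 print user=carol doc=DOC-1001 pages=12
2024-03-04T11:00:00 fileserver user=dave action=read doc=DOC-4413
2024-03-04T11:45:00 mailgw user=dave to=dave.home@webmail.example attach=DOC-4413
2024-03-04T12:00:00 print user=erin doc=DOC-4413 pages=40
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime and the key=value fields."""
    ts, source, *pairs = line.split()
    event = {"time": datetime.fromisoformat(ts), "source": source}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_external(address):
    """True when the recipient's mail domain is not the company's own."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def correlate(events):
    """Walk events in time order and raise alerts for Confidential documents
    leaving by external email or going to a printer.

    A mail alert also records whether the same user read the same document
    on the file server within WINDOW before sending, which is the kind of
    cross-source context that speeds up an investigation.
    """
    alerts = []
    recent_reads = defaultdict(list)  # user -> [(time, doc)] of Confidential reads
    for ev in sorted(events, key=lambda e: e["time"]):
        doc = ev.get("doc") or ev.get("attach")
        label = CLASSIFICATION.get(doc, "Unclassified")  # unknown ids are not treated as crown jewels here
        if label != "Confidential":
            continue
        if ev["source"] == "fileserver" and ev.get("action") == "read":
            recent_reads[ev["user"]].append((ev["time"], doc))
        elif ev["source"] == "mailgw" and is_external(ev["to"]):
            read_before = any(d == doc and ev["time"] - t <= WINDOW
                              for t, d in recent_reads[ev["user"]])
            alerts.append({"rule": "confidential_external_email", "user": ev["user"],
                           "doc": doc, "to": ev["to"], "time": ev["time"].isoformat(),
                           "read_within_window": read_before})
        elif ev["source"] == "print":
            alerts.append({"rule": "confidential_print", "user": ev["user"],
                           "doc": doc, "pages": int(ev.get("pages", 0)),
                           "time": ev["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Run as written, the internal send to bob@example.com and carol's print of a Public document produce nothing, while alice's external send (preceded by a read twelve minutes earlier), dave's external send (read 45 minutes earlier, outside the window) and erin's print job each produce one alert. In a real deployment the registry would come from the classification program itself, and a practitioner may well choose to treat documents with no label conservatively rather than ignoring them as this example does.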
Some people believe that if you fail to protect your information, it should become public information. They view you as an easy and deserving target, not as a victim who suffered damage through espionage or attack. Today, there is no universally adopted legal definition for a “trade secret,” so countries treat theft of IP quite differently from one another.
To protect yourself, begin to view your organization from the standpoint of an attacker, and realize that no company is 100% secure. A determined, skilled and highly motivated attacker is almost impossible to stop. You can put measures in place that will make it as difficult and as noisy as possible to attack your company, making your company a less inviting target, and increasing the likelihood of attack detection before the company becomes a victim.