You’ve spent months fixing the red items on an internal audit report and just passed a regulatory exam. You’ve performed a network vulnerability assessment and network pen test within the last year and have fixes in place. You’ve tightened up your information security policy and recently invested in a security information and event management (SIEM) solution. You’re secure, right?
Put yourself in the shoes of a criminal. He knows that most security programs focus on regulatory compliance. He knows that IT departments have limited budgets. He also knows that you must defend against an almost unlimited number of attack vectors, while he just has to find one way in.
How do you protect against a sophisticated, motivated criminal? A professional spy who has targeted your company’s trade secrets? A skilled insider with a specific purpose in mind? These types of people know that information comes in many forms, not just electronic, and they are trained to exploit any vulnerability. An effective information security program must incorporate more than just traditional pen tests and vulnerability assessments.
Corporate espionage is on the rise for multiple reasons: the down economy, frequent job changes, and even governments that boost their economies through acquisition of trade secrets. In most cases, the end product is not as valuable as obtaining the means of production, the research and development, or the “know-how.” This type of information will help to cut down on development costs and aid in the long-term production of a particular good. In the end, a company must get the best product to market first, at the best cost, through maneuvering around the competition.
Stealing information is one of the oldest forms of gaining a strategic and competitive advantage. For example, China enjoyed a monopoly on silk production for hundreds of years. At times, silk was more valuable than gold. The Chinese closely guarded the secret and punished theft by death. But around 300 A.D., Nestorian monks managed to smuggle the coveted silkworm eggs out of China in bamboo walking sticks. Put simply, they found one attack vector that worked, and with it they broke the Chinese monopoly.
Espionage happened in the past, happens today and will happen tomorrow. The only things that change are the techniques that are applied. Because of technological advances, many companies predominantly focus on the electronic dimension of information security. However, this approach indicates that these companies don’t understand the problem.
The four dimensions of information
According to security expert Ira Winkler, information exists in four dimensions: paper, visual, oral and electronic. Professional spies can obtain information through any of these dimensions, so deploying security technologies alone will not sufficiently secure your company. An effective information security program must protect the four dimensions of information using physical, logical and operational security measures.
To see why, again put yourself in the shoes of a criminal. With your deviant mindset, you are willing to work inside or outside of technology and find different ways to get information.
Remember the old James Bond movies? Sean Connery as Bond would pull out gadgets whose simplicity is comical now. Shoes with secret compartments, books with hidden tape recorders and voice changers. In Goldfinger, Bond even wore a wetsuit with a rubber duck on top for camouflage. Don’t underestimate the power of these low-tech devices that assist in collecting non-electronic information.
Besides the cutting-edge technology we often worry about exclusively, our companies are at risk from ties with hidden cameras, audio bugs, removable storage devices, USB gadgets, Wi-Fi tools, surveillance technology, hardware key loggers with built-in processors and Wi-Fi capabilities, and monitor loggers that look like simple extension cables and record complete snapshots of a user’s screen. A simple web search reveals that most of these items are relatively inexpensive and can be acquired online. Also, don’t overlook the copier, fax machines and other “old” technologies as a source of information leakage.
The professional attacker
A motivated professional attacker can be almost impossible to stop with traditional security measures. Such an attacker usually is:
- Well-educated and motivated
- Knowledgeable of business operations and the worth of particular intellectual property
- Trained in social engineering, including multicultural awareness, languages and the ability to take advantage of social traits to glean information
- Resourceful, creative, persistent, and detail-oriented
- Capable of using diverse skill sets and contacts
- Able to use the most effective skill or technology with the lowest risk of detection
- Backed by sufficient finances to go after a target in a systematic and methodical way
- A true opportunist and master of evasive tactics
- Extremely difficult to secure against
You may notice that technical skills are not prominent on this list, because they can be outsourced or acquired. Other factors, particularly the flexibility to use the most effective methods, James Bond-like as they may be, matter more to the professional attacker’s success. Ultimately, the attacker’s goal is to launch a “precision strike” against the company and avoid detection at all cost. For security professionals, it is critical to put yourself in the shoes of a criminal and think like they do; doing so will allow you to see your exposures and determine the best countermeasures for your organization. Sophisticated criminals often take the path of least resistance to get what they want, and they are trained opportunists skilled at taking advantage of whatever vulnerabilities appear.
Problems with traditional assessments
Unfortunately, too many companies rely on their periodic network vulnerability assessments and traditional pen tests to measure the effectiveness of their security programs. Although traditional vulnerability assessments and pen tests are integral parts of most security programs, they do not mimic what attackers actually do. From start to finish, here are some reasons why a pen test alone does not accurately assess your security program:
1) Your company issues a pen test RFP. Your company takes the best bid.
2) The salesperson presents your company with a contract that disclaims all warranties and stringently limits the tester’s liabilities along with other written stipulations.
3) Your company gives the tester an IP range and a list of critical devices and servers that are out of scope, to reduce the possibility of something going wrong with the scan. Attackers never get this information, and so they have more attack vectors. Sure, it is trivial to obtain the network IP range once there is access to the network, but the attackers are not given that information up front, nor do they “blacklist” or label certain devices as out of scope. It’s all up for grabs.
4) Tester generally uses an automated scan and in many cases fails to verify the results with a manual test.
5) Tester presents draft report to the IT department, which has a certain amount of time to “fix” the issues.
6) Tester rescans and gives a clean, formal pen test report to the IT department (making the company feel good about its security posture).
7) Board of Directors gets the clean report and thinks the company is in good shape.
Reasons this system does not solve your company’s problems include:
1) The pen test parameters make it difficult to imitate a true electronic attack.
2) Because the IT department has time to fix the issues brought up in the first pen test, the company fails to develop a formal change/patch management process.
3) The lag time between the test and the formal report received by the board may invalidate the results and provide a false sense of security.
4) Ultimately, the test fails to mimic an actual attack, which uses a combination of social engineering, physical and electronic methods, often orchestrated by a team of people involved in the attack.
5) The company’s board and other stakeholders will not care about a clean network pen test if an attacker enters the building and, through a combination of social engineering and other low-tech gadgets like the hidden camera tie, steals your protected information.
Protecting against corporate espionage
In today’s regulatory environment, information security managers must comply with industry-specific, state, province and federal regulations (regulations that often focus on customer information and privacy). As discussed previously, security programs that focus on privacy-related compliance requirements do not sufficiently protect your company’s assets, i.e., shareholder value. Your company is not secure just because you have checked off the items on the compliance list.
The first step to effective defense is to identify: 1) information that, if lost, would critically harm the company, and 2) the value of that information to your company and its competitors. These are your “crown jewels” and should merit the best defenses. Information security managers must be able to identify company intellectual property (IP), the location where the IP resides, and the value of the IP, so they can protect and control who has access to this information. Then perform a risk assessment to identify existing security vulnerabilities to those crown jewels.
As a side note, it is also important to establish a comprehensive list of data items your organization owns or processes, including an inventory of all IP that could affect revenue or reputation. Involve stakeholders from across the organization to identify the information.
Examples of such information may include: copyrighted material, patents, trademarks, operating procedures, user manuals, policies, memos, reports, plans, contracts, source code, recipes, manufacturing plans, chemical formulas, design drawings and patent applications.
The second step, once your crown jewels are built into your security program, is to determine how to protect against the low-tech attack vectors. One way to do this is through an effective, incentivized and targeted security awareness program coupled with regular enterprise-wide security testing. Realistically, employees respond better to carrots than sticks. If you properly train and incentivize security awareness, you will gain a strong defense.
The third step is to simulate an actual attack, which often occurs as a “blended threat,” in your enterprise security testing. This testing should focus on all types of information, regardless of its form. You should implement testing along several attack vectors in a holistic approach, for example, combining a network pen test with physical and social engineering assessments. Those results will give you a better idea of your attack defenses.
In some parts of the world, people have the mindset that, if you fail to protect your information, it is up for grabs. They view you as an easy target that should have had better protection in place, not as a victim who suffered criminal damage through espionage. Today, there is no universally adopted legal definition for a “trade secret,” so countries treat theft of IP very differently.
To protect yourself, you must begin to view your organization from an attacker’s standpoint and realize that no company is 100 percent secure. A determined, skilled and highly motivated attacker is almost impossible to stop, but you can put measures in place that make your company less likely to be a victim:
- Tailor security awareness education to the appropriate audience. Train security guards to understand information security risks. Train employees on security considerations when traveling abroad and risks posed by hosting visitors onsite.
- Remain vigilant on physical security and invest in technologies that will allow you to find synergies between logical and physical security.
- Implement an information classification program that all users can understand. Keep it simple.
- Consider data leakage prevention, data fingerprinting, identity-based encryption, and log monitoring.
- Consider implementing technologies that perform information correlation checks. Merge and match information from all public touch points to deduce whether your trade secrets are at risk.
- Engage legal counsel to identify which of your crown jewels are trade secrets that deserve perpetual protection as long as certain conditions are met.
- Avoid predictability and limit need-to-know across the organization. Reduce the rush to promote new company developments too quickly.
- Have a clear, easy-to-follow incident response plan and rehearse it against a scenario in which trade secrets have been misappropriated.
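To make the data fingerprinting item above concrete, here is an added Python example (not code from the original article or any particular product) of the technique a data leakage prevention tool uses: each crown-jewel document is reduced to hashes of overlapping word windows, and outbound text is flagged when enough windows match, even if the excerpt is partial and reworded around the edges. The protected document, the leaking message and the benign message are constructed sample data.

```python
import hashlib
import re

SHINGLE_WORDS = 4  # words per window: smaller catches short excerpts, larger reduces false positives


def _tokens(text):
    """Lower-case word tokens, so case, punctuation and line breaks do not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprints(text, k=SHINGLE_WORDS):
    """Truncated SHA-256 hashes of every k-word window in text.
    The index stores only these hashes, not the protected text itself."""
    words = _tokens(text)
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


def build_index(protected):
    """Map each crown-jewel document name to its fingerprint set."""
    return {name: fingerprints(text) for name, text in protected.items()}


def scan(outbound, index, min_matches=3):
    """Return [(document, matched windows)] for every protected document that
    shares at least min_matches windows with the outbound text, most matches first."""
    out_fps = fingerprints(outbound)
    hits = [(name, len(out_fps & fps)) for name, fps in index.items()]
    return sorted((h for h in hits if h[1] >= min_matches), key=lambda h: -h[1])


# Constructed sample data (hypothetical, not taken from the article).
CROWN_JEWELS = {
    "coating-process-v3": (
        "Cure the polymer blend at 187 degrees for forty minutes, then quench in "
        "the argon chamber before applying the second catalyst layer."
    ),
}
LEAK = ("Per our chat, the trick is to cure the polymer blend at 187 degrees for forty "
        "minutes then quench in the argon chamber. Call me if you need more.")
BENIGN = "Attached are the slides for Thursday's vendor review. Please send comments by noon."

INDEX = build_index(CROWN_JEWELS)

if __name__ == "__main__":
    for label, msg in (("leak", LEAK), ("benign", BENIGN)):
        print(label, scan(msg, INDEX))  # leak -> [('coating-process-v3', 13)], benign -> []
```

The window size and match threshold are the tuning knobs: a single matching window is usually a common phrase, while a run of a dozen is a copied passage.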