Compliance vs. Security: The Multiple Dimensions of Corporate Espionage

How do you protect against a sophisticated, motivated criminal?

You've spent months fixing the red items on an internal audit report and just passed a regulatory exam. You've performed a network vulnerability assessment and network pen test within the last year and have fixes in place. You've tightened up your information security policy and recently invested in a security information and event management (SIEM) solution. You're secure, right?

Put yourself in the shoes of a criminal. He knows that most security programs focus on regulatory compliance. He knows that IT departments have limited budgets. He also knows that you must defend against an almost unlimited number of attack vectors, while he just has to find one way in.

How do you protect against a sophisticated, motivated criminal? A professional spy who has targeted your company's trade secrets? A skilled insider with a specific purpose in mind? These types of people know that information comes in many forms, not just electronic, and they are trained to exploit any vulnerability. An effective information security program must incorporate more than just traditional pen tests and vulnerability assessments.

Corporate espionage is on the rise for multiple reasons: the down economy, frequent job changes, and even governments that boost their economies through acquisition of trade secrets. In most cases, the end product is not as valuable as obtaining the means of production, the research and development, or the "know-how." This type of information will help to cut down on development costs and aid in the long-term production of a particular good. In the end, a company must get the best product to market first, at the best cost, through maneuvering around the competition.

Stealing information is one of the oldest forms of gaining a strategic and competitive advantage. For example, China enjoyed a monopoly on silk production for hundreds of years. At times, silk was more valuable than gold. The Chinese closely guarded the secret and punished theft by death. But around 300 A.D., Nestorian monks managed to smuggle the coveted silkworm eggs out of China in bamboo walking sticks. Simply, they found one attack vector that worked, and they broke the Chinese monopoly.

Espionage happened in the past, happens today and will happen tomorrow. The only things that change are the techniques that are applied. Because of technological advances, many companies predominantly focus on the electronic dimension of information security. However, this approach indicates that these companies don't understand the problem.

The Four Dimensions of Information
According to security expert Ira Winkler, information exists in four dimensions: paper, visual, oral and electronic. Professional spies can obtain information through any of these dimensions, so deploying security technologies alone will not sufficiently secure your company. An effective information security program must protect the four dimensions of information using physical, logical and operational security measures.

To see why, again put yourself in the shoes of a criminal. With your deviant mindset, you are willing to work inside or outside of technology and find different ways to get information.

Remember the old James Bond movies? Sean Connery as Bond would pull out gadgets whose simplicity is comical now - shoes with secret compartments, books with hidden tape recorders, and voice changers. In Goldfinger, Bond even wore a wetsuit with a rubber duck on top for camouflage. Don't underestimate the power of these low-tech devices that assist in collecting non-electronic information.

Besides the cutting-edge technology we often worry about exclusively, our companies are at risk from ties with hidden cameras, audio bugs, removable storage devices, USB gadgets, Wi-Fi tools, surveillance technology, hardware key loggers with built-in processors and Wi-Fi capabilities, and monitor loggers that look like simple extension cables and record complete snapshots of a user's screen. A simple web search reveals that most of these items are relatively inexpensive and can be acquired online. Also, don't overlook the copier, fax machines and other "old" technologies as a source of information leakage.

The Professional Attacker
A motivated professional attacker can be almost impossible to stop using traditional security measures. Such an attacker usually is:

  • Well educated and motivated
  • Knowledgeable of business operations and the worth of particular intellectual property
  • Trained in social engineering, including multicultural awareness, languages and the ability to take advantage of social traits to glean information
  • Resourceful, creative, persistent, and detail-oriented
  • Capable of using diverse skill sets and contacts
  • Able to use the most effective skill / technology coupled with the lowest risk of detection
  • Backed by sufficient finances to go after a target in a systematic and methodical way
  • A true opportunist and master of evasive tactics
  • Extremely difficult to secure against

You may notice that tech skills are not prominent on this list, because they can be outsourced or acquired. Other factors, particularly the flexibility to use the most effective methods, James Bond-like as they may be, are more important to the professional attacker's success. Ultimately, the attacker's goal is to launch a "precision strike" against the company and avoid detection at all costs. Sophisticated criminals often take the path of least resistance to get what they want. They are trained opportunists skilled at taking advantage of whatever vulnerabilities appear. For security professionals, it's critical to put yourself in the shoes of a criminal and think as they do. Doing this will allow you to see your exposures and determine the best countermeasures for your organization.

Problems with Traditional Assessments
Unfortunately, too many companies rely on their timely network vulnerability assessments and traditional pen tests to measure the effectiveness of their security programs. Although traditional vulnerability assessments and pen tests are integral parts of most security programs, they don't mimic what attackers actually do. From start to finish, here are some reasons why a pen test alone does not accurately assess your security program:

  1. Your company issues a pen test RFP. Your company takes the best bid.
  2. The salesperson presents your company with a contract that disclaims all warranties and stringently limits the tester's liabilities along with other written stipulations.
  3. Your company gives the tester an IP range and a critical blacklist of devices and servers out of scope to reduce the possibility of something going wrong with the scan. This information is never available to attackers, who thus have more attack vectors. Sure, it is trivial to obtain the network IP range once there is access to the network, but again, the attackers are not given that information up front. Nor do they "blacklist" or label certain devices out of scope. It's all up for grabs.
  4. The tester generally uses an automated scan and in many cases fails to verify the results with a manual test.
  5. The tester presents a draft report to the IT department, which has a certain amount of time to "fix" the issues.
  6. The tester rescans and gives a clean, formal pen test report to the IT department (making the company feel good about its security posture).
  7. The Board of Directors gets the clean report and thinks the company is in good shape.

Reasons this system does not solve your company's problems include:

  1. The pen test parameters make it difficult to imitate a true electronic attack.
  2. Because the IT department has time to fix the issues brought up in the first pen test, the company fails to develop a formal change/patch management process.
  3. The lag time between the test and the formal report received by the board may invalidate the results and provide a false sense of security.
  4. Ultimately, the test fails to mimic an actual attack, which uses a combination of social engineering, physical and electronic methods, often orchestrated by a team of people involved in the attack.
  5. The company's board and other stakeholders won't care about a clean network pen test if an attacker enters the building and, through a combination of social engineering and other low-tech gadgets like the hidden camera tie, steals your protected information.

Protecting Against Corporate Espionage
In today's regulatory environment, information security managers must comply with industry-specific, state, province and federal regulations (regulations that often focus on customer information and privacy). As discussed previously, security programs that focus on privacy-related compliance requirements do not sufficiently protect your company's assets, i.e., shareholder value. Your company is not secure just because you have checked off the items on the compliance list.

Step 1
The first step to effective defense is to identify: 1) information that, if lost, would critically harm the company, and 2) the value of that information to your company and its competitors. These are your "crown jewels" and should merit the best defenses. Information security managers must be able to identify company intellectual property (IP), the location where the IP resides, and the value of the IP, so they can protect and control who has access to this information. Then perform a risk assessment to identify existing security vulnerabilities to those crown jewels.

As a side note, it's also important to establish a comprehensive list of data items your organization owns or processes, including an inventory of all IP that could affect revenue or reputation. Involve stakeholders from across the organization to identify the information.

Examples of such information may include copyrighted material, patents, trademarks, operating procedures, user manuals, policies, memos, reports, plans, contracts, source code, recipes, manufacturing plans, chemical formulas, design drawings and patent applications.

Step 2
Once you fit your crown jewels into your security program, you must determine how to protect against the low-tech attack vectors. One way to do this is through an effective, incentivized and targeted security awareness program coupled with regular enterprise-wide security testing. Realistically, employees respond better to carrots than sticks. If you properly train and incentivize security awareness, you will gain a strong defense.

Step 3
The third step is to simulate an actual attack, which often occurs as a "blended threat," in your enterprise security testing. This testing should focus on all types of information, regardless of its form. You should implement testing along several attack vectors in a holistic approach, for example, combining a network pen test with physical and social engineering assessments. Those results will give you a better idea of your attack defenses.

In some parts of the world, people have the mindset that, if you fail to protect your information, it's up for grabs. They view you as an easy target that should have had better protection in place, not as a victim who suffered criminal damage through espionage. Today, there is no universally adopted legal definition for a "trade secret," so countries treat theft of IP very differently.

To protect yourself, you must begin to view your organization from an attacker's standpoint and realize that no company is 100 percent secure. A determined, skilled and highly motivated attacker is almost impossible to stop, but you can put measures in place that make your company less likely to be a victim.

Other Recommendations:

  • Tailor security awareness education to the appropriate audience. Train security guards to understand information security risks. Train employees on security considerations when traveling abroad and risks posed by hosting visitors onsite.
  • Remain vigilant on physical security and invest in technologies that will allow you to find synergies between logical and physical security.
  • Implement an information classification program that all users can understand. Keep it simple.
  • Consider data leakage prevention, data fingerprinting, identity-based encryption, and log monitoring.
  • Consider implementing technologies that perform information correlation checks. Merge and match information from all public touch points to deduce whether your trade secrets are at risk.
  • Engage legal counsel to identify which of your crown jewels are trade secrets that deserve perpetual protection as long as certain conditions are met.
  • Avoid predictability and limit need-to-know across the organization. Reduce the rush to promote new company developments too quickly.
  • Have a clear, easy-to-follow incident response plan and simulate incident response to potential misappropriation of trade secrets.


Michael Podszywalow, MBA, CISSP, CISM, CISA, CEH, is a member of ISACA and the founder and senior security consultant for SpyByte, LLC. He spoke at ISACA’s Information Security and Risk Management Conference (ISRM) (www.isaca.org/isrmeu), a three-day event, in Barcelona, Spain, from 14-16 November, that offers a fresh perspective on today’s challenges and future trends, including PCI Data Security Standard (DSS) compliance, cloud computing and data loss prevention. Michael will speak on Hidden Dangers of Low Tech Hacking in Corporate Espionage.
