
Compliance vs. Security: The Multiple Dimensions of Corporate Espionage

How do you protect against a sophisticated, motivated criminal?

You've spent months fixing the red items on an internal audit report and just passed a regulatory exam. You've performed a network vulnerability assessment and network pen test within the last year and have fixes in place. You've tightened up your information security policy and recently invested in a security information and event management (SIEM) solution. You're secure, right?

Put yourself in the shoes of a criminal. He knows that most security programs focus on regulatory compliance. He knows that IT departments have limited budgets. He also knows that you must defend against an almost unlimited number of attack vectors, while he just has to find one way in.

How do you protect against a sophisticated, motivated criminal? A professional spy who has targeted your company's trade secrets? A skilled insider with a specific purpose in mind? These types of people know that information comes in many forms, not just electronic, and they are trained to exploit any vulnerability. An effective information security program must incorporate more than just traditional pen tests and vulnerability assessments.

Corporate espionage is on the rise for multiple reasons: the down economy, frequent job changes, and even governments that boost their economies through acquisition of trade secrets. In most cases, the end product is not as valuable as obtaining the means of production, the research and development, or the "know-how." This type of information will help to cut down on development costs and aid in the long-term production of a particular good. In the end, a company must get the best product to market first, at the best cost, through maneuvering around the competition.

Stealing information is one of the oldest forms of gaining a strategic and competitive advantage. For example, China enjoyed a monopoly on silk production for hundreds of years. At times, silk was more valuable than gold. The Chinese closely guarded the secret and punished theft by death. But around 300 A.D., Nestorian monks managed to smuggle the coveted silkworm eggs out of China in bamboo walking sticks. Simply, they found one attack vector that worked, and they broke the Chinese monopoly.

Espionage happened in the past, happens today and will happen tomorrow. The only things that change are the techniques that are applied. Because of technological advances, many companies predominantly focus on the electronic dimension of information security. However, this approach indicates that these companies don't understand the problem.

The Four Dimensions of Information
According to security expert Ira Winkler, information exists in four dimensions: paper, visual, oral and electronic. Professional spies can obtain information through any of these dimensions, so deploying security technologies alone will not sufficiently secure your company. An effective information security program must protect the four dimensions of information using physical, logical and operational security measures.

To see why, again put yourself in the shoes of a criminal. With your deviant mindset, you are willing to work inside or outside of technology and find different ways to get information.

Remember the old James Bond movies? Sean Connery as Bond would pull out gadgets whose simplicity is comical now - shoes with secret compartments, books with hidden tape recorders, and voice changers. In Goldfinger, Bond even wore a wetsuit with a rubber duck on top for camouflage. Don't underestimate the power of these low-tech devices that assist in collecting non-electronic information.

Besides the cutting-edge technology we often worry about exclusively, our companies are at risk from neckties with hidden cameras, audio bugs, removable storage devices, USB gadgets, Wi-Fi tools, surveillance technology, hardware key loggers with built-in processors and Wi-Fi capabilities, and monitor loggers that look like simple extension cables and record complete snapshots of a user's screen. A simple web search reveals that most of these items are relatively inexpensive and can be acquired online. Also, don't overlook copiers, fax machines and other "old" technologies as sources of information leakage.

The Professional Attacker
A motivated professional attacker can be almost impossible to stop using traditional security measures. Such an attacker usually is:

  • Well educated and motivated
  • Knowledgeable of business operations and the worth of particular intellectual property
  • Trained in social engineering, including multicultural awareness, languages and the ability to take advantage of social traits to glean information
  • Resourceful, creative, persistent, and detail-oriented
  • Capable of using diverse skill sets and contacts
  • Able to use the most effective skill / technology coupled with the lowest risk of detection
  • Backed by sufficient finances to go after a target in a systematic and methodical way
  • A true opportunist and master of evasive tactics
  • Extremely difficult to secure against

You may notice that tech skills are not prominent on this list, because they can be outsourced or acquired. Other factors, particularly the flexibility to use the most effective methods, James Bond-like as they may be, are more important to the professional attacker's success. Ultimately, the attacker's goal is to launch a "precision strike" against the company and avoid detection at all cost. For security professionals, it's critical to put yourself in the shoes of a criminal and think like they do. Sophisticated criminals often take the path of least resistance to get what they want. They are trained opportunists, skilled at taking advantage of whatever vulnerabilities appear. Thinking this way will allow you to see your exposures and determine the best countermeasures for your organization.

Problems with Traditional Assessments
Unfortunately, too many companies rely on their periodic network vulnerability assessments and traditional pen tests to measure the effectiveness of their security programs. Although traditional vulnerability assessments and pen tests are integral parts of most security programs, they don't mimic what attackers actually do. From start to finish, here is how a typical pen test engagement unfolds, and why a pen test alone does not accurately assess your security program:

  1. Your company issues a pen test RFP. Your company takes the best bid.
  2. The salesperson presents your company with a contract that disclaims all warranties and stringently limits the tester's liabilities along with other written stipulations.
  3. Your company gives the tester an IP range and a critical blacklist of devices and servers out of scope to reduce the possibility of something going wrong with the scan. This information is never available to attackers, who thus have more attack vectors. Sure, it is trivial to obtain the network IP range once there is access to the network, but again, the attackers are not given that information up front. Nor do they "blacklist" or label certain devices out of scope. It's all up for grabs.
  4. The tester generally uses an automated scan and in many cases fails to verify the results with a manual test.
  5. The tester presents a draft report to the IT department, which has a certain amount of time to "fix" the issues.
  6. The tester rescans and gives a clean, formal pen test report to the IT department (making the company feel good about its security posture).
  7. The Board of Directors gets the clean report and thinks the company is in good shape.

Reasons this system does not solve your company's problems include:

  1. The pen test parameters make it difficult to imitate a true electronic attack.
  2. Because the IT department has time to fix the issues brought up in the first pen test, the company fails to develop a formal change/patch management process.
  3. The lag time between the test and the formal report received by the board may invalidate the results and provide a false sense of security.
  4. Ultimately, the test fails to mimic an actual attack, which uses a combination of social engineering, physical and electronic methods, often orchestrated by a team of people involved in the attack.
  5. The company's board and other stakeholders won't care about a clean network pen test if an attacker enters the building and, through a combination of social engineering and other low-tech gadgets like the hidden camera tie, steals your protected information.

Protecting Against Corporate Espionage
In today's regulatory environment, information security managers must comply with industry-specific, state, provincial and federal regulations (regulations that often focus on customer information and privacy). As discussed previously, security programs that focus on privacy-related compliance requirements do not sufficiently protect your company's assets, i.e., shareholder value. Your company is not secure just because you have checked off the items on the compliance list.

Step 1
The first step to effective defense is to identify: 1) information that, if lost, would critically harm the company, and 2) the value of that information to your company and its competitors. These are your "crown jewels" and should merit the best defenses. Information security managers must be able to identify company intellectual property (IP), the location where the IP resides, and the value of the IP, so they can protect and control who has access to this information. Then perform a risk assessment to identify existing security vulnerabilities to those crown jewels.

As a side note, it's also important to establish a comprehensive list of data items your organization owns or processes, including an inventory of all IP that could affect revenue or reputation. Involve stakeholders from across the organization to identify the information.

Examples of such information may include copyrighted material, patents, trademarks, operating procedures, user manuals, policies, memos, reports, plans, contracts, source code, recipes, manufacturing plans, chemical formulas, design drawings and patent applications.

Step 2
Once you fit your crown jewels into your security program, you must determine how to protect against the low-tech attack vectors. One way to do this is through an effective, incentivized and targeted security awareness program coupled with regular enterprise-wide security testing. Realistically, employees respond better to carrots than sticks. If you properly train and incentivize security awareness, you will gain a strong defense.

Step 3
The third step is to simulate an actual attack, which often occurs as a "blended threat," in your enterprise security testing. This testing should focus on all types of information, regardless of its form. You should implement testing along several attack vectors in a holistic approach, for example, combining a network pen test with physical and social engineering assessments. Those results will give you a better idea of your attack defenses.

In some places of the world, people have the mindset that, if you fail to protect your information, it's up for grabs. They view you as an easy target that should have had better protection in place, not as a victim who suffered criminal damage through espionage. Today, there is no universally adopted legal definition for a "trade secret," so countries treat theft of IP very differently.

To protect yourself, you must begin to view your organization from an attacker's standpoint and realize that no company is 100 percent secure. A determined, skilled and highly motivated attacker is almost impossible to stop, but you can put measures in place that make your company less likely to be a victim.

Other Recommendations:

  • Tailor security awareness education to the appropriate audience. Train security guards to understand information security risks. Train employees on security considerations when traveling abroad and risks posed by hosting visitors onsite.
  • Remain vigilant on physical security and invest in technologies that will allow you to find synergies between logical and physical security.
  • Implement an information classification program that all users can understand. Keep it simple.
  • Consider data leakage prevention, data fingerprinting, identity-based encryption, and log monitoring.
  • Consider implementing technologies that perform information correlation checks. Merge and match information from all public touch points to deduce whether your trade secrets are at risk.
  • Engage legal counsel to identify which of your crown jewels are trade secrets that deserve perpetual protection as long as certain conditions are met.
  • Avoid predictability and limit need-to-know across the organization. Reduce the rush to promote new company developments too quickly.
  • Have a clear, easy to follow incident response plan and simulate incident response as a result of potential misappropriation of trade secrets.


Michael Podszywalow, MBA, CISSP, CISM, CISA, CEH, is a member of ISACA and the founder and senior security consultant for SpyByte, LLC. He spoke at ISACA’s Information Security and Risk Management Conference (ISRM) (www.isaca.org/isrmeu), a three-day event, in Barcelona, Spain, from 14-16 November, that offers a fresh perspective on today’s challenges and future trends, including PCI Data Security Standard (DSS) compliance, cloud computing and data loss prevention. Michael will speak on Hidden Dangers of Low Tech Hacking in Corporate Espionage.
