Advanced persistent threats (APTs) are now regarded as the most sophisticated and damaging form of corporate cyber crime.
In April 2010, Ernst & Young published Insights on IT risk: Countering cyber attacks, stating that: “APT attacks are focused on a single target, lasting until they are in, and are meant to collect information over a long period of time. They leave few signs of their success, wanting to stay hidden for as long as possible in order to acquire large amounts of sensitive information.”
According to the report, intellectual property is “the most sought after data type for attackers using techniques associated with APT, whether it is protected formulae, seismic research data, technology designs, unreleased movies or music, or proprietary engineering schematics and designs.”
The report goes on to say that, “The information targeted is specific. Attackers are not looking to grab just anything they come across – intellectual property and corporate secrets are their primary targets. Other types of data such as personal information or credit card data may be tempting if easily accessible, but in general, stealing that information is not the primary goal.”
The Value of Corporate Secrets, March 2010, by Forrester Consulting for RSA (EMC) and Microsoft, separates the information that companies seek to protect into two categories: secrets and custodial data.
It refers to secrets as information that confers long-term competitive advantage, such as product plans, earnings forecasts and trade secrets. The report says this information is vitally important because it generates revenue, increases profits and maintains competitive advantage.
Custodial data is defined as information that companies are compelled to protect by regulations – typically personal and identity information such as that relating to your credit card.
A key message from this report is that companies may be too focused on complying with regulations governing the protection of customers’ personal information and are not sufficiently protecting IP and secrets – the knowledge base. For example, financial services companies such as your bank, medical scheme and insurer will have lots of personal info about you and they are increasingly required by law to provide for its security.
But these companies also hold sensitive data – secrets – that does not relate directly to you: financial forecasts and earnings reports; product development plans; marketing strategies and associated research; pricing, margin and discounting policies; procurement and supplier information; and plans for expansion, mergers and acquisitions. Many companies hold little, if any, custodial data. A large mining, IT or pharmaceutical company is unlikely to keep custodial data simply because it does not deal with individual consumers – its markets are often only other companies. But it will certainly have sensitive information that underpins its competitive advantage.
Assessing the risks of data loss
In August 2010, the UK’s Financial Services Authority fined Zurich Insurance a record £2 275 000 after a back-up tape containing personal details of 46 000 policy holders was lost by the South African branch of the company. The tape had personal information on general insurance customers, including identity details and some bank and credit card information. One implication of the fine is clear: lose that type of custodial data and it is going to cost you £50 per record in regulatory fines.
But, what would Zurich have suffered if a competitor acquired the data and then successfully sold its services to each and every one of the clients on the tape? The loss of 46 000 customers is far more significant than losing information about them.
In terms of data security, we really do need to be much more focused on consequences rather than content. Setting aside the fine, the Zurich example shows that simply leaking data is, by itself, not at all significant. Why? Well, the tape was missing for over a year before the UK head office even learnt of its loss, and, according to Zurich, no clients have been adversely affected by its disappearance – in other words, nobody is doing any damage with the data.
Sure, some people may feel that the company is not competent enough to retain them as customers and might switch providers. And, yes, Zurich has been punitively fined – but only because the loss came to the attention of a regulatory body.
Focus on the consequences of losing data
The Zurich case illustrates how the significance of data can change according to who gets their hands on it and how they use it. This view is reinforced by Cyber crime: a clear and present danger, published by Deloitte in September 2010. It advocates a risk-based classification of data according to three categories: type, value and impact if it were to be compromised.
The third element of the ranking process – the ‘consequence of compromise’ – is perhaps the most significant but attracts the least consideration in terms of assessing risk and managing data accordingly.
Commenting on the issue of identifying and classifying data, Deloitte reckons that: “Relatively few organisations have developed categories based on value or risk. However, identifying which data is most and least valuable enables cyber security professionals to focus on the highest priorities. The most valuable data, such as product formulations and sensitive financial and legal information, can be tagged and monitored so that the organisation knows where it is, where it is going, where it has gone, and on whose authority.”
IP is where the money is
Conducted by the Verizon Business RISK team in cooperation with the United States Secret Service, the 2010 Verizon Data Breach Investigations Report is relevant because it touches on the importance of categorising information according to the consequences of its loss – of adopting a risk-based approach to data protection. The Verizon report also suggests that companies are overly focused on compliance with regard to custodial data and not nearly as protective of their IP – the very data that is now the principal target for the most sophisticated cyber criminals.
Bryan Sartin, director of the Verizon Business Investigative Response team, sees the market for stolen payment card data as being saturated, making this custodial data less lucrative, and therefore less attractive. Consequently, Sartin says, “Intellectual property is gaining more attention than payment cards.”
He also says that cyber criminals are becoming more interested in passwords and access privileges than in pure credit card data: “Some of it is sheer economics. The black market for credit card data is only so big. In the last year, we saw a drop in the market price from $9–$16 per record to as low as 10 or 20 cents per record. It is just not as profitable a business.”
In terms of IP theft, Verizon’s report states that, “While executives and upper management were not responsible for many (data) breaches, IP and other sensitive corporate information was usually the intended target when they were.”
This last statement highlights the fact that organisations are also highly vulnerable to theft of corporate secrets by insiders. Whether they are operating alone or in collusion with outsiders, the enemy within is always going to be a serious threat as long as IT security relies on passwords, cards and PINs.
Traditional IT access credentials create massive security risks
The Deloitte whitepaper says: “Authorised users can access and travel throughout a system, remove or change data in the system, and conduct transactions. When cyber criminals employ such users as unwitting accomplices … they can operate as if they were users. They can acquire the same, or even greater, ability to navigate pathways, copy data, execute transactions, and monitor keystrokes.
“In many cases cyber criminals have obtained credentials and accessed systems as if they were actual employees and customers. Thus, the integrity of the endpoint that is being granted access to the organisation’s systems and data must be a primary concern.”
The massive vulnerabilities caused by passwords are also highlighted by the Verizon report: “The use of stolen access credentials was the number one hacking type in the data breaches that were investigated by Verizon and the Secret Service. It might be hard to believe, but stolen IT access credentials were the commonest way attackers gained access to enterprise systems.”
But the credentials were rarely stolen using methods such as key logging, social engineering or phishing. According to Verizon’s Sartin, “Most of what we saw was simple exploitation of guessable passwords. These were not very sophisticated hacks at all. Stolen credentials offer an attacker many advantages, not the least of which is the ability to disguise himself as a legitimate user. Authenticated activity is much less likely to trigger IDS (intrusion detection systems) alerts or be noticed by other detection mechanisms.”
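The pattern Sartin describes – a run of failed guesses against one account that ends in a valid login, after which everything the attacker does looks authenticated – is not visible to signature-based IDS, but it is visible in the authentication log. The following is an added example, not code from the article or from any of the reports it cites: it parses a constructed, syslog-like login record (the line format and the sample events are assumptions made for this illustration) and flags each successful login that was preceded by a burst of failures for the same account from the same source within a short window.

```python
"""Flag successful logins that follow a burst of failed attempts.

Added example for this article (not from the Verizon report). The log format
below is an assumption: one line per authentication event, syslog-like.
A success preceded by many failures for the same (user, source) pair inside a
short window is the footprint of guessable-password exploitation; once the
attacker is in, later activity is authenticated and will not trip an IDS.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format (constructed for this example):
# 2010-11-03T08:00:01 auth FAIL user=j.smith src=10.1.4.22
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth "
    r"(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one guessing burst that succeeds (j.smith),
# one ordinary typo-then-success (a.jones), one stale burst whose failures
# fall outside the window before the success (m.dube), and one unrelated line.
SAMPLE_LOG = """\
2010-11-03T07:10:00 auth FAIL user=m.dube src=10.1.2.3
2010-11-03T07:10:10 auth FAIL user=m.dube src=10.1.2.3
2010-11-03T07:10:20 auth FAIL user=m.dube src=10.1.2.3
2010-11-03T07:10:30 auth FAIL user=m.dube src=10.1.2.3
2010-11-03T07:10:40 auth FAIL user=m.dube src=10.1.2.3
2010-11-03T07:45:00 auth OK user=m.dube src=10.1.2.3
2010-11-03T08:00:01 auth FAIL user=j.smith src=10.1.4.22
2010-11-03T08:00:03 auth FAIL user=j.smith src=10.1.4.22
2010-11-03T08:00:05 auth FAIL user=j.smith src=10.1.4.22
2010-11-03T08:00:07 auth FAIL user=j.smith src=10.1.4.22
2010-11-03T08:00:09 auth FAIL user=j.smith src=10.1.4.22
2010-11-03T08:00:11 auth FAIL user=j.smith src=10.1.4.22
2010-11-03T08:00:13 auth OK user=j.smith src=10.1.4.22
2010-11-03T08:01:00 cron[412] session opened for user backup
2010-11-03T08:05:00 auth FAIL user=a.jones src=10.1.9.8
2010-11-03T08:05:20 auth OK user=a.jones src=10.1.9.8
"""


def parse(lines):
    """Yield (timestamp, result, user, src) for every auth line; skip others."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an authentication event in the assumed format
        yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def guessed_logins(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return (timestamp, user, src, failures) for each OK login that was
    preceded by at least `max_failures` FAIL events for the same (user, src)
    pair within `window`. Failures older than the window are discarded, and a
    success resets the streak, so a single typo followed by a login is ignored."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in sorted(parse(lines)):
        streak = recent[(user, src)]
        while streak and ts - streak[0] > window:
            streak.popleft()  # expire failures outside the window
        if result == "FAIL":
            streak.append(ts)
            continue
        if len(streak) >= max_failures:
            alerts.append((ts, user, src, len(streak)))
        streak.clear()  # a success ends the streak either way
    return alerts


if __name__ == "__main__":
    for ts, user, src, failures in guessed_logins(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} login for {user} from {src} "
              f"after {failures} failures in the preceding window")
```

Only the j.smith login is reported: a.jones has a single failure, and m.dube’s failures had aged out of the window before the success. The thresholds are deliberately parameters; the right values depend on the account population and on whether the source field is a client address or a NAT gateway shared by many users.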
Ernst & Young’s Insights reinforces the Verizon findings regarding IT access credentials: “A common characteristic of APT malware is that it seeks to steal the credentials of valid users so that it can execute as a legitimate user and better evade detection.”
Passwords are the number one usual suspect in IT-based crime. They are so frequently abused by insiders and outsiders because they are so simple to abuse. Any IT access credential based on cards, PINs or passwords (CPPs) is inherently insecure because they are all routinely lost, forgotten, shared, stolen and cracked. CPPs are a fundamental flaw at the very core of IT security.
Minimise the risks of data loss
SA is a world-leader in biometric applications within the public and private sectors. Biometric authentication is commonplace throughout the local workplace, with over 60 000 fingerprint readers controlling physical access for some 2,5 million employees across southern Africa. For several years, organisations have been replacing CPPs with fingerprint-based identification to strengthen security and monitor people’s attendance and location.
Competent biometric technology and methodology have clearly demonstrated consistent effectiveness within physical access systems. Given the scale of the dangers created by unauthorised IT access, fingerprint-based authentication offers a giant leap forward in controlling and recording who did what, where and when within corporate IT systems.
One often hears that biometrics is not a panacea or a perfect solution. Well, electricity is not perfect, but it offers enormous advantages over steam power. For me, that is the magnitude of difference between biometrics and CPPs.
Playing for very high stakes: industrial espionage for real
In early January 2011, Renault suspended three executives, including a member of its management committee, for consciously and deliberately endangering the company’s assets.
France’s industry minister, Eric Besson, said he believed the matter was related to electric vehicles: “It illustrates once again the risks our companies face in terms of industrial espionage and economic intelligence, as we call it today.”
In partnership with Nissan, Renault is investing 4 billion euros – R37 billion – in developing its electric vehicle project.
Renault’s general counsel and compliance officer, Christian Husson, said, “Renault decided to take action because these are serious acts concerning people with extremely strategic positions at the Group. Their acts justify this suspension, the first aim of which is to immediately protect the strategic, intellectual and technological assets of our company.”
Information contained in this overview by SuperVision Biometric Systems has been drawn from:
Insights on IT risk: Countering cyber attacks. April 2010. Ernst & Young.
Cyber crime: a clear and present danger. September 2010. Deloitte.
The Value of Corporate Secrets. March 2010. Forrester Consulting for RSA (EMC) and Microsoft. http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf
2010 Data Breach Investigations Report. 2010. Verizon Business.
For more information contact Supervision Biometric Systems, +27 (0)82 463 3060, www.supervision.co.za
© Technews Publishing (Pty) Ltd | All Rights Reserved