Are you prepared for this kind of targeted attack? I ask this because there is a big difference between the protections needed to ward off viruses and the random hacker and the types of things you have to do to avoid losing data to a direct competitor.
In all my years in cyber security the most common refrain I hear from senior executives is "Why would a hacker target me? All we do is X." Well times are changing and old security postures are proving vulnerable to new threats.
Sometimes It's Personal
Imagine this scenario (it derives from my early experience as an automotive engineer):
I was responsible for a power seat mechanism for a new Buick luxury seat design. We had a prototype shop out back and an expert machinist, Dag Broadbent. Dag was "old-school" and loved to tease the young engineers. He called me "Pilgrim" for some reason.
Anyway, Dag was making some very special drive nuts for the project that required a multi-start thread that needed a custom cutting tool. I got a call from the shop late on Friday. The tool had snapped so we needed a new one. This could put us behind schedule. "Not to worry," I told Dag, "I have had one on order from the supplier for three weeks. It should be ready Monday."
Come Monday I called the supplier to find out what time their truck would be delivering the new tool. The guy on the phone said "What do you mean? We gave it to an engineer from XYZ Company!"
I was floored. Apparently our competitor was using the same drive nuts on their prototype and they learned from the tool supplier that we had ordered the same tool they needed. So an engineer dropped by and told them I said it was OK to give him my tool!
Alright, fast forward to modern times. Have you hired anyone out of college in the last five years? Well, hacking in school has been elevated to a sport. The new kids you hire are well versed in common hacking techniques. It is not a huge leap from stealing machine tools to your competitor's employees taking a peek at your exposed Web application just to see what they can see.
Consider a few cases of recent attacks:
Lexis-Nexis succumbed recently to a concerted attack from hackers. Reinforcing once again the need for organizations to review all web-based processes for weaknesses that can be exploited by criminal minds.
In this case, fake accounts were created using the normal process and then the access to Lexus-Nexus' data base was used to pilfer over 200,000 identities.
In April DSW Warehouse it reported that 1.3 million identities had been stolen from their retail operations.
In June the FDIC announced that reports of false loan applications led them to the discovery that the identities of 6,000 employees had been stolen.
This is a disturbing shift in reported incidents. To date, most data loss reports are of the Bank of America type where the data was not necessarily stolen. In this and the CardSystems case the data was already being used by criminals when the loss was discovered.
Meanwhile in Israel a convoluted story erupted on May 30. In short, large businesses were hiring private investigators to spy on competitors. These PI's used modified Trojan's and social engineering techniques to steal documents from over twenty companies. It is worth reporting the further convolutions of this fiasco.
The story started when an Israeli author noticed that his unpublished works were being posted to the Internet. Suspecting his step-daughter's ex-husband, he called in the Israeli police. The police discovered the HotWar Trojan on his home computer. Files, emails, and everything the author typed were being sent to FTP servers in Germany, the U.K. and the U.S.
When those servers were seized by local authorities in each country they were found to contain internal documents from dozens of companies in Israel including the state owned telephone company, Bezeq, a car dealer, satellite TV company (Hot!), a cell phone company (Patner), a water company (Gal-Al), a defense contractor and more.
It turns out that at least a dozen companies in Israel had hired PIs to gather competitive intelligence on their counterparts. The PIs had purchased software from Michael Hephrati in the U.K. and sent it to the targets disguised as a legitimate email proposal.
While 22 people are under arrest, indictments have been filed against 12, and the investigation continues.
Concerted hacking attacks to gather information from competitors are going on in the U.S. as well, although nothing of this scale has been disclosed to date but it could be going on right now within your computer systems.
The lesson here? If there is just one overarching tenant of information security it is this: You cannot afford to stand still.
Richard Stiennon is vice president of Threat Research at Webroot Software. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine. You can read his blog at www.threatchaos.com.