Is your company’s data under surveillance by foreign spybots looking for any competitive advantages or weaknesses they can exploit? This might sound farfetched, but such electronic espionage is real.
It’s an insidious security threat that’s a lot more common than you probably realize.
As an IT or security executive, determining whether your organization is under attack via this seemingly undetectable threat — and putting in place adequate technology and procedural safeguards — should be a high priority. The stakes are too high to ignore the problem.
Security experts believe that a growing number of companies are being spied upon electronically by sources from other countries, most notably China. What makes these attacks so troublesome is that their techniques are often undetectable by the usual security tools. Electronic spies try to get into systems without causing disruptions, so they can quietly gather information over a period of time.
These types of threats are much harder to deal with than untargeted attacks because they never become widespread enough for security vendors to observe reliably. As a result, security software and other tools that detect known attacks don’t identify these threats. Also, an attack that’s aimed at a particular target can be designed to get around whatever combination of defenses is in place. And the people who launch electronic spying attacks go to great lengths to prevent the targets from detecting the threat.
Although the problem is largely hidden, it is real and serious. In this special report, we answer the key questions on who’s spying, what they’re looking for, and what you can do to protect yourself.
How common is e-spying?
Observers say electronic spying is becoming more common. Neil MacDonald, a vice president at research firm Gartner who covers computer security, maintains that as many as 75 percent of enterprises have been or are being infected with undetected, financially motivated, targeted attacks that evaded their traditional perimeter and host defenses.
“Any government or commercial organization with sensitive information is being targeted,” MacDonald says. The highly publicized attack on Google’s network, in which the company was a target of what it called a highly sophisticated and coordinated assault originating from China, was just the beginning. MacDonald says multiple Gartner clients have reported being attacked during the same timeframe via similar methods. InfoWorld’s editors have learned of repeated attacks at major companies, described in several off-the-record conversations.
Others say it’s hard to determine how widespread this type of activity is because the attacks are so difficult to identify and track.
“While we know it’s a serious problem, the secrecy of these kinds of attacks makes it impossible to know how common they are,” says Paul Kocher, the chief scientist at Cryptography Research, a security consultancy. Spying organizations consider any effort that gets detected by the victim to be a massive failure, so the only information available relates to attacks that failed, Kocher says.
“Because the whole point is for the espionage to be stealthy, there is truly no way to know the size and scope of the issue,” says Mark Lobel, advisory principal at PricewaterhouseCoopers. But don’t let that quiet nature fool you, he adds: “In conversations with people in the industry, they are confident that it is a larger problem than most people recognize or understand.”
Who’s doing the espionage?
Even when electronic spying is detected, it’s often impossible to know the real source of the attack. For example, if you trace an attack to an IP address in a given country, it’s likely the machine is simply a compromised computer that’s acting as a proxy or relay.
Today, most security vendors track threats such as viruses in a signature-based detection setup, looking for parts of known viruses. But for countries such as China that have the budget and expertise, it’s not hard to exploit advanced code and other zero-day attacks that security vendors don’t have on record to catch, says Brandon Gregg, a San Francisco-based corporate investigator who plans to teach a law-enforcement class on electronic espionage in the fall.
Although China is often cited as a source of electronic spying, it’s hardly the only place from which such attacks originate. “It’s human nature that you need one entity you can blame. But from the data I’ve seen and from what I’ve heard it’s a little more complex than that,” says Nils Puhlmann, CSO at online game producer Zynga Game Network and co-founder of the Cloud Security Alliance. While Puhlmann wouldn’t provide details, he indicates that electronic spies operate from multiple countries and are not necessarily state-sponsored.
Sites such as Hackerforum.com feature content about remote access tools that allow hackers to not only control a computer completely in a few steps, but to hear and see a user without the user knowing about it.
How do the cyber spies infiltrate your systems?
A typical targeted attack will exploit multiple weaknesses to achieve its ultimate goal: usually to steal information or compromise a specific account. A particular user in an organization might be targeted via a well-crafted, believable email (a technique called “spearphishing”) and might inadvertently help install spyware via his or her PC.
Some attacks can originate by hackers gaining access to publicly available information and correlating it. While not every piece of information posted on the Internet is sensitive, when combined with other data on the Web as well as additional information posted by other companies, a pattern can begin to emerge.
“You are able to put together pieces of nonsensitive information to figure out or to deduce sensitive information,” notes PricewaterhouseCoopers’ Lobel.
Perhaps an attacker might exploit a security or configuration weakness of an externally accessible system or application, with the aim of gaining user credentials or establishing a surveillance point.
Attackers can also exploit publicly known or nonpublicly known technology vulnerabilities. And to access truly sensitive information, they can resort to tactics such as bribery.
During a targeted attack, more than one system or application-level vulnerability could be directly exploited. Once a single system or account is compromised, virtually the entire environment can be gradually traversed until the ultimate goal of the attack is achieved.
Often, the attackers place monitoring software in out-of-the-way locations and systems, such as log servers, where traditional IT security methods aren’t looking for intrusions. They collect the data and send it out, such as via FTP, in small amounts over time, so they don’t rise over the noise of normal traffic and call attention to themselves.
Who are the data thieves targeting?
If you think your company is not a likely target of electronic spying, don’t be so sure. Although military systems and government contractors will always be major targets, services that carry information for many types of organizations are also extremely attractive because a single intrusion can provide information about a large range of targets, Kocher says. For example, Webmail services, telephone networks, shippers’ databases, and social networking sites are all likely targets.
Any company with advanced intellectual property or sensitive research and development data is of interest to spies, notes Paul Kurtz, COO of Good Harbor Consulting and a recognized cyber security and homeland security expert who has served in senior positions on the White House’s National Security and Homeland Security Councils.
“Adversaries will look up the supply chain too in order to gain access to more sensitive data, so those organizations supporting sensitive government and private sector groups should also monitor for espionage activity,” Kurtz says.
What risks do you face?
What’s at risk for your organization if it doesn’t at least look into whether it’s being spied upon electronically? Quite a bit.
“It’s the worst-case scenario at stake: the loss of competitive advantage,” says PricewaterhouseCooper’s Lobel. For instance, a government entity that’s doing the spying could hand over intellectual property to one of your biggest competitors. This could allow the competitor to avoid the research and development cost and time that your company has spent, or tip them off to future products in your pipeline.
Kurtz says private-sector firms have the most to lose today, as the federal government is doing little to help them and they are “hemorrhaging intellectual property, which will lead to loss in market share, investor confidence, and ultimately their ability to compete and survive as a company.”
Organizations need to not only fear the loss of propriety information, but the public backlash from lost personal data as well. The 2007 security breach suffered by retailer T.J. Maxx, in which data from millions of customer credit cards was stolen, “was a PR nightmare,” says corporate investigator Gregg.
What can you do to stop the cyber espionage?
There’s probably no way you can completely protect your organization against the increasingly sophisticated attacks by foreign and domestic spies. That’s especially true if the attacks are coming from foreign governments, because nations have resources that most companies do not possess.
But there are steps you can take to at least reduce the chances of an attack being successful or doing significant damage.
One strategy many experts agree on is to practice “defense in depth.” By having multiple layers of defense, the failure of one layer does not have to result in a compromise. This strategy includes not only deploying some of the latest technology but also educating employees about the risk and showing them how they can help prevent spying incidents.
If resources allow, consider hiring people who specialize in uncovering and defending against the methods electronic spies use to get into networks.
Gartner’s MacDonald recommends that companies get the basics right. For example, sharpen patch management discipline in both breadth and depth, establish and track configuration management standards, and train users about the threats from social engineering attacks.
Because most attacks come via email and the Web, it’s a good idea to beef up your email and Web security gateway capabilities to next-generation protection platforms that provide multiple styles of protection, including URL and Web reputation services.
Also, move from antivirus and antispyware to endpoint protection platforms that provide multiple styles of protection (such as antivirus, antispam, firewalls, and host-based intrusion prevention systems) in an integrated framework and management console.
“Assume you will be compromised,” MacDonald says. “Beef up your detection capabilities by performing detailed monitoring of system, network, application, and data transactions looking for behavior that falls outside normal parameters.” Most security event and information management products are adding these types of capabilities.
Cryptography Research’s Kocher says the most reliable defense is to run small, physically isolated networks. As networks grow, the likelihood of a malicious attack increases. “In my company, we manage a completely offline network with separate PCs, network cabling, and printers,” he says. Employees have laptops for email and Web browsing, but these don’t carry highly sensitive data. The systems with critical data have no Internet access whatsoever.
While it’s expensive and cumbersome to duplicate hardware and eliminate connectivity with the outside, it’s the only way the company can be confident that its data stays where it should, Kocher notes.
New and more powerful security tools, such as network forensic products, are emerging to help defend against electronic spying threats. For example, NetWitness Investigator is an interactive threat analysis application that can perform free-form contextual analysis of raw network data.
These tools don’t look for actual malicious code, but rather patterns of network traffic that resemble that of hackers lurking in your network and taking data, says corporate investigator Gregg. Once Social Security numbers, credit cards, or other file types are seen moving out of your network, alarms not only warn the user but help identify and track where the data is going.
If your company has the resources and the expertise, consider developing your own specialized tools to help thwart attacks. Some experts believe this will become more common as companies find that off-the-shelf software doesn’t account for their specific information, information movement, and other needs, nor the often custom-tailored threats against them. In other words, because the threats are often custom-made to get specific information from a specific company, your defenses may need to be customized as well.
Ignorance is not at all bliss
Unfortunately, most companies remain blissfully ignorant of the problem of electronic surveillance, says Gartner’s MacDonald, taking false comfort in antivirus software and network scans that continue to show zero infections. They’ll remain blissfully ignorant until they stumble upon the fact that they’ve been compromised and that it’s been going on for months.
“Denial works until it doesn’t,” he says.