How to Recession-proof Cyber Espionage

Wed, Sep 3, 2008, by Montez Brown

In the 21st century, cyber criminals will be destined to prove that crime pays by launching successful cyber espionage campaigns against the world’s top corporations. During economic downturns, companies tend to cut information security budgets, leaving themselves more vulnerable to internal and external cyber attacks; however, by employing a few proven strategies, these same companies can enhance their defenses against cyber espionage.

Recent crime statistics have shown that during the last three economic downturns in the U.S., the early 1980s, 1990s, and 2000s, theft and robbery crimes were at their highest rate. Among these statistics were crimes committed against corporations and businesses around the world by way of corporate espionage. Although the exact economic impact is not known at this time, it is projected that a great percentage of these crimes were committed by covert electronic techniques better known as cyber espionage.

The term “cyber espionage” was first coined by the Department of Defense to characterize methods used by opposing countries such as China and Russia to breach its top secret networks for the purpose of stealing U.S. military or government secrets. However, due to recent evidence regarding the emergence of a number of breaches at U.S. research labs and targeted phishing campaigns against corporations located in the U.S. and abroad, cyber espionage is breaking new ground at an alarming pace.

Today, economic gain appears to be the number one motivating factor for new and seasoned cyber criminals, followed by companies seeking to gain a competitive advantage, and a variety of amateur hackers targeting large companies to establish a reputation and bragging rights. According to PricewaterhouseCoopers, corporate espionage costs the world’s 1,000 largest companies in excess of $45 billion every year, and the SANS Institute ranks cyber espionage number 3 on its “Top Ten Cyber Menaces for 2008”. If fifty percent of corporate espionage was indeed perpetrated by utilizing covert electronic techniques for stealing information, that would yield a $22.5 billion a year market for cyber espionage, based on PricewaterhouseCoopers estimates. During an economic recession, it would be very hard to find someone who would not want a piece of this market, especially if they could be convinced that their electronic criminal activities could not be traced.

In addition to financial gain, a new wave of cyber espionage is being launched by disgruntled employees who attempt to leverage the confidential data they obtained through network looting as a bargaining chip or for vindication against their own company or co-workers. Ironically, companies that have been victimized by cyber espionage are usually the ones with more than adequate resources and expertise to protect against the attacks.

In 2000, hackers broke into Microsoft’s systems and accessed Windows and Office source code. They had access to the source code for approximately three months before being discovered.

In 2001, Fortune magazine reported that Procter and Gamble had been involved in illegal corporate espionage against its archrival Unilever. The article alleged that agents appointed by P&G misrepresented themselves as market researchers and used other electronic methods to collect information about Unilever.

In 2006, the UK extradited two hackers to Israel because they developed and sold spyware that was used to spy on rival companies in Israel. Several private investigation companies in Israel sent e-mails with Trojan horse viruses that were designed to evade anti-virus applications.

In 2007, members of AirTran Airways’ executive management team in Orlando, Florida were targeted by phishing e-mails that sought to trick them into divulging confidential corporate information and placed bot-like malware on their computers to capture sensitive information.

The details of these cases were made public most likely due to regulatory reporting requirements; however, there are hundreds of cyber espionage incidents that are not publicized, even though regulatory requirements for reporting these types of incidents exist for the majority of companies affected. Publicly traded companies and companies operating in the healthcare, financial, and government contracting sectors all have regulatory reporting requirements as it pertains to information security incidents. However, most companies don’t report cyber security incidents for fear of damaging their reputation and potential revenue loss. Some companies report information security incidents as required, but not until well after the incidents have been mitigated and prevention measures have been implemented.

In most cases, if companies were to adopt an “ounce of prevention beats a pound of cure” philosophy regarding cyber security, rather than an “if it isn’t broke, don’t fix it” philosophy, the risk of cyber espionage could be reduced significantly. Unfortunately, most companies’ approach to cyber security is reactionary, which can prove detrimental to their reputation and bottom line when a breach occurs. Additionally, since cyber espionage often goes undetected, by the time a breach is actually detected it is usually too late to mitigate it effectively before significant loss occurs.

Just as other crimes seeking financial gain tend to escalate during economic recessions, it is very logical to assume cyber espionage is among these crimes. However, pouring money into the latest security solutions without a defined strategy will simply lead to more widgets eventually being left on the shelf collecting dust. To make sure your company is prepared to defend against targeted cyber espionage, I recommend the following strategies:

Increase the Information Security Organization’s Visibility

Most companies make the mistake of burying their information security organization under their information technology organization, which often limits the scope of information security to technological solutions only. It also invites intradepartmental political screening intended to conceal the vulnerabilities caused by IT solutions from executive management. To achieve optimal effect, the information security organization must be strategically aligned with Legal, Risk Management, Human Resources, Regulatory, and executive management. Depending on the corporate culture, the industry, and/or the degree to which executive management values or understands the mission of information security, attaining appropriate visibility for the information security organization may be very challenging. Regardless of the challenge, information security leaders must strive to attain this goal because visibility can be an effective deterrent.

Implement a Best Fit Information Security Program 

Reliance on point solutions to protect your company’s information assets is an ineffective strategy with little to no return on investment. To become more effective in protecting the corporate environment from cyber espionage, information security leaders must take a holistic approach to information security by implementing a corporate-wide information security program that encompasses all personnel, processes, and technology. Information security leaders can use the security best practices defined in the ISO 27001 certification process as a framework for implementing a best fit information security program for their company. An effective information security program should include components such as a security policy, training and awareness program, asset management strategy, compliance, personnel and physical security, access control, application/systems development, change management, business continuity strategy, governance, and, most important, buy-in from executive management and/or the board of directors.

Layered Security Approach 

The days of just relying on firewalls to protect enterprise perimeter networks and information assets are long gone; firewall manufacturers realized this years ago when they began integrating intrusion detection and prevention functionality into their products. Although the added firewall functionality is a significant improvement, it doesn’t address viruses and malware on mobile devices, data leakage and compliance issues, role-based and need-to-know access control, or security vulnerabilities that exist on converged networks carrying data, voice, and video. Information security leaders can better minimize the risk of cyber espionage by implementing technologies that provide protection, monitoring, and enforcement at the perimeter as well as within the defined security zones behind the perimeter, such as at the desktop/laptop and in data centers.

Technologies to consider for a layered approach are enterprise-class anti-virus and malware solutions for the desktop, email filtering solutions, web filtering solutions with dynamic URL verification and filtering, security information management systems with intrusion prevention and robust notification capabilities, data leakage protection solutions, and firewall technology for the perimeter network protection and laptop protection.


1 Comments For This Post

  1. Darin Andersen Says:

    Enjoyed the article and cited for two speeches I have prepared for upcoming ESET http://www.eset.com events. Articles are posted at blog http://darinandersen.blogspot.com/
