BreachExchange mailing list archives

Corporates Caught Unaware - Tales From The Front Line Of Cyber Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Sep 2013 00:09:49 -0600

http://www.managementtoday.co.uk/features/1212659/mt-expert-corporates-caught-unaware-tales-front-line-cyber-security/

Ever thought your company is a potential target of state-sponsored hackers,
eager to lay their hands on sensitive commercial information or use your IT
infrastructure as a springboard to others’ systems? It sounds unlikely, but
it isn't as far-fetched as it may seem. News media and governments in
several countries have reported foreign states are showing a greater
interest in commercial hacking and corporate espionage.

At the front line, companies are now regularly having to tackle data
breaches. Take for example the manufacturing company that discovered
hackers had gained access to its systems. The hackers, in the pay of a
nation state, had accessed and copied detailed plans for future products.
These plans were of significant value in the hands of a third party. We
worked with the company to scan its network for viruses and establish
whether data had been copied. It was a time-consuming and complex process
which, in this case, meant we had to reverse engineer and analyse the code
of the viruses. This eventually allowed the team to ensure the hacking had
stopped and to identify and confirm which secrets were stolen.

A similar scenario arose for a business involved in an auction to sell
mineral rights worth several billion dollars. Halfway through the auction,
it was found that the email system had been penetrated. This had allowed
the system to be reprogrammed, with every incoming and outgoing email
copied and sent to the hackers. The subsequent investigation suggested that
the hacking had been carried out by one of the companies involved in the
auction in a move to gain an unfair advantage in the bidding process.

Knowing your enemy can play a key part in defining your next steps. This is a
lesson learned by several well-known brands, which have come under fire
from online hacktivists. Having threatened to attack these companies as a
result of a real or perceived insult, hacktivists have published logins and
passwords for users of the companies’ sites and even published emails from
the CEOs.



Even the most advanced security may prove inadequate against the onslaught
of hackers intent on targeting the weakest link: people. Most computer
users have been recipients of poorly worded ‘phishing’ emails one time or
another, requesting online banking password resets or offering ‘lucrative,’
never to be missed deals. While the vast majority would hit the Delete
button, it only takes one unwitting member of staff to fall for the scam
before security has been breached. When the email appears to come from the
CEO, alongside a plausible explanation ('I’ve sent this email from my
private email address as I have not been able to access the office
network'), the number of individuals clicking on the offending link could
be even greater.

This predicament was faced by several dozen associates at a London law
firm. The email, sent after-hours from the ‘private’ email address of the
‘managing partner’, asked each recipient to review an attached document,
the content of which would be discussed at a meeting the next morning.

The document contained a virus. Once opened, the virus was deposited on the
laptop or home computer of the unfortunate associate and from there onto
the law firm’s network.

Such examples of ‘spear phishing’, or highly targeted fraudulent emails
that may introduce a virus, activate malware to log keystrokes, copy
emails, or even record phone conversations, are pretty common.

The challenge is to stop staff from clicking on innocent-looking links and
using the same easy-to-guess password for multiple devices and online
accounts. Therefore the development of an information security policy and
standards of conduct that instils security into the company’s culture is as
important as ensuring that firewalls and anti-virus detection software are up
to date.

Of course, the threat that your staff inadvertently introduce a virus into
your network is not the only – or even the primary – way they can cause a data
breach.

And when thinking of your staff, spare a thought for the threat of insider
data theft. Dropbox, Google Drive and Apple iCloud, as well as the ubiquitous
nature of social media, have all contributed to breaking down the barriers
between personal and work data. Add to this the growth of private
smartphones and tablets in the workplace, and employers are facing an
uphill struggle to prevent disgruntled or departing staff from siphoning
off a veritable treasure trove of sensitive data.

In one such case, a defence contractor won a multimillion-dollar judgment
against a group of former employees who used stolen company data to set up
a competing business. The conspiracy by these former employees, the data
stolen and its intended use were all revealed as a result of detailed
computer forensic analysis, which ultimately proved their undoing.

Hacking and data theft is one of the greatest business and technology
threats of the digital age. We are well past the point where any
organisation can responsibly ignore this risk.

There are different lessons to be learned from each and every incident but
two critical factors regularly stand out. First, staff must be trained in
how to prevent and respond to such attacks. Second, incident response
cannot be done on the fly. An initial security audit, followed by a
regularly updated incident response plan, will significantly enhance the
prospects of successfully tackling an incident, irrespective of whether the
adversary wears the cloak of a nation state, an opportunistic hacker or
someone closer to home.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
