Cyber Risks To Intellectual Property

Cyber Risks To Intellectual Property

How It Happens,

Why It Happens,

And How To Protect Yourself.

1

Agenda

1. Inside A Hacking Community. 1. Inside A Hacking Community.

2. The Threat Landscape.2. The Threat Landscape.

3. SMEs Are The Target Of Choice. 3. SMEs Are The Target Of Choice.

4. A Solution? 4. A Solution?

2

The Hacking Community

“Citadel” is a popular suite of hacking software applications.

It works just like “normal” software.

You go online (invitation only), buy a license (all major credit cards accepted) and you get support, updates and regular bug fixes from the developers.

Automated updates come out about once a week.

New versions appear about every 2 months or so.

3


“Citadel” is a popular suite of hacking software tools.

4


5


6


7


8


9


10

The Threat Landscape

• The end result is that Advanced Persistent Threats are relatively easy to launch and difficult to defend against.

• There is an entire, cyber crime ecosystem operating almost as a parallel economy.

• Their focus is using APTs to steal Intellectual Property with supply chain SMEs the vector of choice.

As an attack doctrine APTs do have a number of common characteristics. • First APTs start by researching their target organisation.• Typically they will start by using social networking sites to identify “suspects”

within the target organisation especially those in IT.• They might look at how “career opportunities” are worded to infer the targets

network architecture or even specific systems and enterprise software.• The next stage is to use social engineering and other techniques derived from

internet grooming to zero in on any likely, vulnerable employees or areas that they can begin to exploit.

11


Once they have identified a vulnerable target, APTs will often adapt custom malware such as keystroke loggers to make it specific to that target.

These will then be attached to an email or embedded inside a document with a plausible sounding name to a highly targeted shortlist of key employees.

This is exactly what happened in some of the most notorious, recent APTs.One in particular was an attack on a well know defence electronics company in which a malicious PDF attachment entitled “redundancy program for 2012” was sent to some key employees. The attachment contained an attack and the company suffered a serious data breach.

The recently revealed attack on Symantec was an instance of an intrusion via the supply chain (a Symantec reseller) the theft of intellectual property (The source code to a number of their security products) and an attempt (unsuccessful) to extract a ransom for the safe return of the source code.


However if the first attack does not work as planned then they will try and try again, working through a menu of automated attacks until they find one which works and which delivers control of a legitimate users PC.

And that objective, gaining control of a legitimate users PC, is the first phase of the attack.

Being armed with a legitimate users login credentials they are free to probe around, undetected, inside the network of the target organisation, appearing as if they were a perfectly legitimate user and belong there.

13


• Installing Keystroke loggers• Spear Fishing via social networking sites• Looking for manufacturers default passwords• Password re-use across multiple accounts• Using brute force dictionary attacks• Sniffing wireless LANS• Eavesdropping All these techniques are utilised, often in combination, to achieve the objective of

stealing legitimate user credentials in order to then move onto the next phase of the attack.

14


Phase Two

The second phase of the attack is to escalate their user account privilege until they have domain admin control level. At that point they have the keys to the Kingdom.

They can steal any IP, data or customer account information they require.

Have a look at this video

15


The question “Who was responsible?” asked in that video wasn’t answered.

In my view the answer is that everyone in the business has to be made responsible for protecting the organisations I.P. and sensitive data.

It’s not just IT or HR or Marketing…every employee has to be “deputised” to keep data secure.

It’s no longer possible, in such a dynamic and hostile environment, to block the wide and rapidly changing range of threats at the perimeter…wherever that is! It’s much more practical to protect the data, whether in use or at rest using encryption and deploy strong, multifactor authentication, preventing most current and future attack methods and specifically preventing attacker privilege escalation which is integral to phase two of an APT directed at your intellectual property.

16


Insecure password reuse is a significant problem.

Users have multiple work, home and leisure digital identities and accounts that are impossible to manage, so what they end up doing is standardising on a small number (in some cases just one) of easily remembered username and password combinations and using them on multiple accounts. Corporations can’t effectively control if users are reusing passwords but what they can do, in-house, is deploy strong, multi-factor authentication and access controls so that only strong, ideally three factor authentication, is all that will work to legitimately log someone into company systems.

17


18

This image is from the FBI.

The malware they are warning about the “DNSChanger Trojan,” alters the target computer’s Internet settings preventing victims from visiting anti virus security sites for updates to the virus signatures that could clean up the infections. DNSChanger is integrated into Citadel and other attack tools, meaning that systems infected with this Trojan often also host other, more serious malware.


19

Internet Identity, a Washington based cyber security company found evidence of DNSChanger infections in computers at half of all Fortune 500 firms, and 27 out of 55 major U.S. government agencies.

http://www.internetidentity.com/


So…with large corporates, (including some of the biggest security software vendors!) government and law enforcement agencies succumbing to attacks what currently available technology will help to prevent APTs? It’s worth remembering that APTs have been developed in an environment where over 95% of organisations have up to date anti-virus protection, firewalls and anti-spam software. Yet they still get hacked because APTs are really good at getting around these primarily reactive solutions. In another survey by CSO magazine 61% of respondents said that encryption and multi-factor authentication would be very effective in preventing APTs.The respondent felt that if an attacker finds that user credentials cannot be compromised and/or the data is encrypted anyway then they will not persist with their attack and will focus on easier targets.

20


Whilst SMEs are particularly vulnerable Government, Utilities, Professional Services firms, Academia and large corporates (particularly Aerospace and Defence) are being specifically targeted and sometimes those attacks are state sponsored!

This is an excerpt from an interview with Admiral Lord West the former head of CSOC the UKs Cyber Security Operations Centre.

21


Not all the threats are purely external in origin.

Recession induced lay offs also place data and Intellectual Property at risk.

Remaining, often overstretched staff, begin to make security mistakes, putting company reputations on the line.

Because we live in a world where everyone, everything, everywhere is connected, data has to flow to wherever it is needed; an organisations actual perimeter is no longer its physical or legal boundary.

The security focus is moving away from hardware on the network edge and onto the data user with the spotlight firmly on verifiable encryption as the only workable solution.

22


The reason cyber criminals target SMEs is that small businesses do not have the same high-level security that their enterprise counterparts have deployed.

SMEs are under the same regulatory and contractually imposed data security pressure as their corporate partners but their needs are different.

SMEs need an incremental, tactical, level of protection with greater choice and maximum flexibility for protecting the information that drives their businesses.

Although the majority of small or mid-sized businesses have some form of data protection solution in place, these solutions are often time-consuming to operate or are inconsistently used. This causes "workflow friction" resulting in time pressed employees finding work-arounds which ultimately compromise security.

In addition SMEs are often faced with other problems such as lack of staff time, limited in-house skills and expertise, and restricted budgets.

23

Encryption Address Three Issues

Text

Text

Encryption addresses three main business issues from the SMEs point of view.

•It reduces the risk of intellectual property or data loss.

•It helps companies comply with legal, supply chain and professional regulatory requirements.

•Encryption builds trust by demonstrating a company’s commitment to supply chain data and I.P. security.

24

Policies Are Already In Place

Text

Text

Most small businesses will have data security policies already in place ranging from:

•Acceptable Use Policies,

•Information Protection Policies,

•HR Policies and Employment Contracts.

Many will also have contractually imposed Information and IP protection safeguards imposed on them by upstream suppliers and which the SME, in turn, impose on their downstream customers.

25

User Behavior Is An Issue

Text

Text

However a significant number of information security breaches come about, either directly or indirectly, as a result of employees’ failure to comply with existing, well documented, security practices and policies.

Many organisations, large and small, have tried to sustainably modify their users behavior towards IP protection, data security and encryption.

Almost all have found it difficult if not impossible.

Research has shown that a large number of data security breaches are caused by security mechanisms which are either technically complex or have become an impediment to the user completing their work in a timely fashion.(workflow friction)

http://gaudior.net/alma/johnny.pdf (Why Johnny Can’t Encrypt)

26

Software Usability Is An Issue

Text

Text

Even technically competent users such as systems administrators and software developers often struggle to keep up with todays sophisticated and tenacious and fast moving cyber threats.

On top of the cyber threats sys admins have to cope with the ever increasing complexity and administrative workload created by Governance Regulation and Compliance, Data Loss Prevention and security and encryption processes.

Yee, K P. (2005) User Interaction Design for Secure Systems. In L. Faith Cranor & S. Garfinkel [Eds.]: Security and Usability: Designing secure systems that people can use 2005. pp 13-30. O'Reilly Books.

27

The Goal Is Practical Security

Text

Text

The goal for SMEs has to be to provide “practical security” e.g.•the right level of security •for the right reasons •at the right cost •at the right time.

By using encryption tools which non technical end users: •Can operate correctly with little or no training.•Which have minimal impact on existing network infrastructure and working practices.•Which work within irregular, unstructured relationships where the ultimate data owner and the current data user probably have dissimilar IT systems.

Zurko, M. E. & Simon, R. T. User Centric Security. New Security Paradigms Workshop 1997

28

It’s Networkers Not Networks

Text

Text

It’s mainly individuals who compromise IP and cause data loss

It’s individual end user behaviour which has to be sustainably modified and it’s individuals who choose whether to comply or not with the security policies governing their immediate work context.

Individuals choose whether or not to comply with security guidelines based on risk and reward or cost and benefit.

There is a natural limit to the amount of effort users will expend on compliance unless there is a corresponding benefit to them.

29

Why It’s The Way It Is

Text

Text

Modern digital encryption came out of the US military in the 1970s and 1980s.

The inflexible, top-down, command-and-control structure of its original development environment created the encryption structures and landscape we see today.

Within a fully integrated public or private organisation, with a standardized IT structure, encryption offers nearly unbreakable information security.

Every single legal jurisdiction across the world which has data security legislation in place advocates encryption as the solution of choice.

30

Ships In The Night?

Text

Text

However across extended supply chains, everyday practical issues in the deployment, maintenance and use of encryption technology have limited the business benefits and impaired overall supply chain efficiency.

Misapplied encryption increases risk, decreases security, incurs unnecessary costs and reduces efficiency. Until recently it has been difficult for unrelated organisations, with conflicting IT systems, differing skill sets and inconsistent attitudes to data protection to consistently and securely exchange confidential corporate or personal data.

This was especially the case where data was only likely to be exchanged very infrequently or even on a one-off basis. The investment in infrastructure, training and skills outweighed the benefit of deploying compatible encryption technologies, especially across multiple legal jurisdictions.

31

Summary

Text

Text

Organisations of all sizes need easy-to-learn-and-use security solutions which deliver the security options they need, when they need it, for only as long as they need it at a price they can afford, with fair, transparent, flexible licensing and without disrupting established workflow practices or impacting on current network architecture.

Modern data security solutions should be designed with these needs and with “newly deputised” non technical data users in mind. Flexible licensing should provide maximum freedom for users to “just get on with the day job” whilst maintaining a high degree of data security whether they are using, sharing, storing, recovering or deleting sensitive corporate information.

For more information about protecting your intellectual property from cyber crime please visit:www.safetok.comYou can email me at [email protected] pick up a leaflet from our display.

32

Thank You

Text

Text

33

Styskin's Solutions Limited B1 Business Center, Suite 206, Davyfield Road, Blackburn, Lancashire, BB1 2QY, [email protected]

Documents

Cyber Risks To Intellectual Property