Network Security - Dangers of dormant IP theft attacks in companies

Posted by Ronan Kavanagh on Tue, Oct 30th, 2012

Some companies may overlook their network security and the possibility of an impending IP theft attack lying dormant in their networks for years for them to then emerge and rampage their way through the organisation.  This is mainly due to the fact that intellectual property theft is among the most difficult attacks to detect.  An interesting article that uncovers who is stealing the data and how to prevent it from happening to your company has come to the surface.

Verizon’s annual Data Breach Investigations Report (DBIR) analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s stealing it, why they’re doing it, how the victims responded, and what might have been done to prevent it. Continue to full Verizon Report.

VICTIM DEMOGRAPHICS

Intellectual property (IP) refers to creations of the mind for which exclusive rights are recognized in law.  Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets.  Common types of intellectual property rights include copyright, trademarks, patents, industrial design rights and in some jurisdictions, trade secrets.

Organizations in the financial services and public administration sectors are the primary targets of sophisticated attacks aimed at stealing intellectual property, with attacks involving both external and internal agents and lasting for months or years.  Since organizations of all types produce and use IP, it is correct to assume that IP theft would stretch across industry lines. Verizon’s investigations encompassed a wide range of victims suffering such losses.  The financial services and public administration verticals account for two thirds of the breaches in the dataset, while information/technology services and manufacturing split the remainder.  These organisations were spread across North America, Asia and Europe.  In particular these findings support the notion that adversaries target specific IP as a shortcut to attaining some manner of strategic, financial, technological or any related advantage.

THREAT AGENTS

Entities that cause or contribute to an incident are referred to as threat agents. Verizon recognizes three main categories of agents, those originating outside the victim organization (external), those inside the victim organization (internal), and those involving any third party sharing a business relationship with the victim (partner).

However you slice it, the DBIR data set consistently shows that most breaches are the work of external threat agents, such as professional criminal rings, activist groups, cybercriminals, competitors, and state-sponsored actors.  These groups targeting IP are typically in a different class (in resources, skills, and determination) than the run of the mill mainline hackers and fraudsters operating out of their basements.  While  intellectual property often resides deep within a company's network on a protected system  due to the fact that these larger companies have more sophisticated security at their disposal, makes external parties rely more on internal agents.   Verizon found evidence of internal "threat agents" in 46% of the IP theft-related attacks, compared with just 4% of all data breach incidents in 2011.

TIMELINE OF EVENTS

Response time is a good indicator of the maturity of an organization’s security program.  No one wants to be the victim of a breach, but if that unfortunate event arises, it’s certainly better to know sooner rather than later, to limit exposure and take proper corrective measures.  Among the major phases the report considered in an event scenario are:

• Initial Attack to Initial Compromise. The time spanning from the first malicious action taken against the victim until an information asset is negatively affected.

• Initial Compromise to Discovery. The time spanning from when the first asset is negatively affected until the victim learns of the incident.

• Discovery to Containment/Restoration. The time spanning from when the victim learns of the incident until data is no longer actively exposed.

 

RECOMMENDATIONS FOR PREVENTING INTELLECTUAL PROPERTY THEFT

Due to the fact that these findings evolve over time and encompass victims of various different types, sizes and geographic locations, creating a single list of recommendations that work effectively and efficiently for all organisations is unrealistic. The basic advice seems to be, beyond covering the security essentials, is to adopt a common sense, evidence-based approach to managing security. Learn what threats and failures most often affect organizations like yours, and then make sure your security posture puts you in a position to thwart them.

Privileged Users

Trust but verify.  Use pre-employment screening to eliminate the problem before it starts.  Don’t give users more privileges than they need and use separation of duties.  Make sure they have direction (they know policies and expectations) and supervision (to make sure they adhere to them). Privileged use should be logged and generate messages to management. Unplanned privileged use should generate alarms and be investigated.

Training and Awareness

Increase awareness of social engineering: educate employees about different methods of social engineering and the vectors from which these attacks could arise. In many of our cases, we see users clicking on links they shouldn’t and opening attachments received from unidentified persons. Reward users for reporting suspicious people, interactions, e-mail, or websites and create the incentives necessary for vigilance.