ISSC457 Wk7 Lab 6

User Generated

tnzory

Engineering

Description

Assignment Instructions

Week 7 Lab 6:

  • After downloading Lab 6, open it and enter your answers directly in the document
  • Labs are due by 11:55 p.m. Eastern Time on Sunday
  • See the Evaluation Procedures section for additional information on Lab assignments
  • Fill in your name in the attached document, put your full responses below each item, save the file using the file naming convention “ISSC457_Lab6_LastName_FirstName.doc” where LastName is your last name and FirstName is your first name, then return this document for grading.


Lab 6 Details:

Hardware/Software Setup Required

Track4Win v2.6 Enterprise Edition (available at http://www.track4win.com/)

Problem Description

One way to prevent corporate espionage is to monitor all computer activities and Internet use in your network. Track4Win is a tool that allows you to track these activities.

In this lab, you will work with a partner to become acquainted with the main features of Track4Win and how to use them.

Estimated completion time: 60 minutes.

Outcome

Report the steps to perform the tasks

Validation/Evaluation

  • How can you specify the programs to monitor on the client computer?
  • How can you specify the files to monitor on the client computer?
  • How can you password-protect the configuration of Track4Win on the client computer?
  • How can you analyze the activities of the client computer on the server computer?

Lab Rubric (100 Points)

Synthesis of Concepts: 60
Writing Standards - APA format: 20
Timeliness: 20

Unformatted Attachment Preview

Chapter 8 Investigating Corporate Espionage

After completing this chapter, you should be able to:
● Understand corporate espionage
● Describe the motives behind spying
● Understand the information that corporate spies seek
● Understand the causes of corporate espionage
● Describe spying techniques
● Defend against corporate spying
● Understand the tools used to fight against corporate espionage

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-202

What If?

Refer back to the What If? scenario in Chapter 7 about the biogenetics firm.
● Why would this case be considered industrial espionage?
● What steps could the firm have taken to prevent this type of corporate espionage?

Introduction to Investigating Corporate Espionage

This chapter focuses on the various aspects of corporate espionage and strategies to prevent and investigate such cases. Espionage is the use of spies to gather information about the activities of an organization. Information gathered through espionage is generally confidential information that the source does not want to divulge or make public. The term corporate espionage is used to describe espionage for commercial purposes. Corporate espionage targets a public or private organization to determine its activities and to obtain market-sensitive information such as client lists, supplier agreements, personnel records, research documents, and prototype plans for a new product or service. This information, if leaked to competitors, can adversely affect the business and market competitiveness of the organization.

It is widely believed that corporate espionage is a high-tech crime committed by highly skilled persons. On the contrary, corporate penetration is accomplished with simple and preventable methods. Corporate spies do not depend on computer networks alone for information; they look for the easiest ways to gather information.
Even trash bins and scrap bits of papers can be of great help in collecting sensitive information. Spies look for areas that are generally ignored. For example, they take advantage of people’s negligence, such as forgetting to close doors or leaving scrap or waste paper around that contains sensitive information.

Market research and surveys show the severity of corporate espionage. According to the FBI and other similar market research organizations, U.S. companies lose anywhere from $24 billion to $100 billion annually due to industrial espionage and trade secret thefts, whereas technical vulnerabilities are responsible for just 20 percent or less of all losses.

Motives Behind Spying

The motives behind spying include the following:
● Financial gain: The main purpose of corporate espionage is financial gain. Any company’s trade secrets can be sold for millions of dollars. Competitors can use the stolen information to leverage their market position and obtain great financial benefits.
● Professional hostilities: Professional hostilities are also a result of market competition. Competitors often resort to negative publicity of an organization’s issues, which otherwise may have been kept secret and sorted out in time. There have been many instances when a rival company has disclosed secret information collected through corporate espionage of an organization, resulting in plummeting stocks and drastic decrease in market capitalization.
● Challenge and curiosity: People sometimes indulge in corporate espionage just for fun and to test their skills. Students of security programs and researchers often try to reenact corporate espionage. Though not disastrous, it compromises corporate information security.
● Personal relations: Many times, a corporate spy is motivated by personal or nonideological hostility toward the country or organization. Personal hostilities of disgruntled employees and job seekers toward an organization play a major role in almost all corporate espionage cases. The offenders reveal important, sensitive information to others out of spite.

Information That Corporate Spies Seek

The following are some of the types of information that corporate spies seek:
● Marketing and new product plans
● Source code of software applications: It can be used to develop a similar application by a competitor or to design a software attack to bring down the original application, thus causing financial losses to the original developer.
● Corporate strategies
● Target markets and prospect information
● Business methods
● Product designs, research, and costs: Huge investments will be in vain if the product design and related research is stolen, because the competitor can also develop the same product and offer it for less.
● Alliance and contract arrangements: delivery, pricing, and terms
● Customer and supplier information
● Staffing, operations, and wages or salaries
● Credit records or credit union account information

All of the above information is considered crucial for the success of an organization. Information leaks could have catastrophic effects on organizations.

Corporate Espionage: Insider/Outsider Threat

Corporate espionage threats can be classified into the following two basic categories:
● Insiders: Insiders such as IT personnel, contractors, and other disgruntled employees who can be lured by monetary benefits are the main targets of corporate spies. An insider threat is always considered more potent than an outsider threat because insiders have legitimate access to the facilities, information, computers, and networks. According to the available study reports, almost 85 percent of espionage cases originate from within an organization. Insiders can easily misuse their privileges to leak sensitive information, and they can collaborate with an outsider. There are several factors that may prompt an insider to sell information to a competitor or spy, such as the following:
    ○ Lack of loyalty
    ○ Job dissatisfaction
    ○ Boredom
    ○ Mischief
    ○ Money
● Outsiders: Outsiders include corporate spies and attackers who have been hired by a competing organization or are motivated by personal gain. These people try to intrude into an organization’s affairs for the purpose of stealing sensitive information. An outsider can enter a company through Internet connection lines, physical break-ins, or partner (vendor, customer, or reseller) networks of the organization.

Corporate Espionage Threat Due to Aggregation of Information

Espionage is a great threat to organizations that practice information aggregation, where all information concerning an organization is brought together and stored in one location. Both insiders and outsiders can easily access critical information because there is only one point of infiltration. In an insider attack, insiders with access privileges can tamper with, edit, overwrite, or send critical information to the organization’s competitors. In an outsider attack, an outsider who breaks into the private network of an organization can search, aggregate, and relate all the organization’s critical information.

Techniques of Spying

The following are some common spying techniques:
● Hacking computers and networks: This is an illegal technique for obtaining trade secrets and information. Hacking involves gaining unauthorized access to computers and networks.
● Social engineering: Social engineering is the use of influence and the art of manipulation to gain credentials.
Individuals at any level of business or communicative interaction can make use of this method. All the security measures that organizations adopt are in vain when employees get socially engineered by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam e-mail, and bragging to coworkers.
● Dumpster diving: Dumpster diving is searching for sensitive information in the following places at a target organization:
    ○ Trash bins
    ○ Printer trash bins
    ○ User desks
● Whacking: Whacking is wireless hacking that is used to capture information passing through a wireless network.
● Phone eavesdropping: Phone eavesdropping is overhearing phone conversations while being physically present.
● Network leakage: Most organizations set up their network to block or limit inbound and outbound connections. Even organizations that are starting to filter outbound traffic still allow certain traffic out. Two types of traffic that are always allowed out of an organization are Web and e-mail traffic.
● Cryptography: Cryptography is a technique to garble a message in such a way that the meaning of the message is changed. Cryptography starts with a plaintext message, which is a message in its original form. An encryption algorithm garbles a message, which creates ciphertext. A decryption algorithm can later take the ciphertext and convert it back to a plaintext message. During the encryption and decryption process, what protects the ciphertext and stops someone from inadvertently decrypting it back to the plaintext message is the key. Therefore, the secrecy of the ciphertext is based on the secrecy of the key and not the secrecy of the algorithm. Thus, to use an encryption program, a user has to generate a key.
The key is often tied to a username and e-mail address. No validation is performed, so an attacker can put in bogus information that could be used later to launch a man-in-the-middle attack where the attacker can trick someone into using a false key. If someone knows the public key for a user, he or she can encrypt a message; but he or she can only decrypt the message if he or she knows the user’s private key. The public key can be distributed via a trusted channel, but a user’s private key should never be given out. If someone can get access to a user’s private key, he or she can decrypt and read all that user’s messages.
● Steganography: Steganography is data hiding and is meant to conceal the true meaning of a message. With steganography, a user has no idea that someone is even sending a sensitive message because he or she is sending an overt message that completely conceals and hides the original covert message. Therefore, cryptography is often referred to as secret communication and steganography is referred to as covert communication. Insiders often use steganography to transmit credentials to other organizations.

Defense Against Corporate Spying

The following are some techniques that can secure the confidential data of a company from spies:
● Controlled access.
    ○ Encrypt the most critical data.
    ○ Never store sensitive information on a networked computer.
    ○ Classify the sensitivity of the data and thus categorize personnel access rights to read/write the information.
    ○ Assign duties to personnel where their need-to-know controls should be defined.
    ○ Ensure authorization and authentication to critical data.
    ○ Install antivirus software and password-protect the secured system.
    ○ Regularly change the password of confidential files.
    ○ Separate duties.
● Background investigations of personnel.
● Verify the background of new employees.
● Do not ignore physical security checks.
● Monitor employee behavior.
● Monitor systems used by employees.
● Disable remote access.
● Make sure that unnecessary account privileges are not allotted to normal users.
● Disable USB drives on employees’ systems.
● Enforce a security policy that addresses all employee concerns.

The following are the basic security measures to protect against corporate spying:
● Destroy all paper documents before trashing them. Secure all dumpsters and post “NO TRESPASSING” signs.
● Regularly conduct security awareness training programs for all employees.
● Place locks on computer cases to prevent hardware tampering.
● Lock the wire closets, server rooms, phone closets, and other sensitive equipment.
● Never leave a voice mail message or e-mail broadcast message that gives an exact business itinerary.
● Install electronic surveillance systems to detect physical intrusions.

Steps to Prevent Corporate Espionage

The following sections outline some steps that help in preventing corporate espionage.

Understand and Prioritize Critical Assets

An administrator needs to determine the criteria that are used to estimate value. Monetary worth, future benefit to the company, and competitive advantage are sample criteria that could be used. Whatever the criteria are, they need to be determined first. After all assets are scored, the administrator needs to prioritize them based on the criteria. When the administrator is done, he or she should have a list of all the critical assets across the organization. These assets represent the crown jewels of the organization and need to be properly protected. Once the list of assets has been determined, the critical assets need to be protected. An administrator needs to understand the likely attack points and how an attacker would compromise each asset.

Define Acceptable Level of Loss

The possibility for loss is all around, and risk management becomes a driving factor in determining what an organization should focus its efforts on and what can be ignored. As difficult as it may seem for all critical assets, an adequate level of risk needs to be defined. This helps an organization to focus on what should or should not be done with regard to insider threats. Cost-benefit analysis is a typical method of determining the acceptable level of risk. The general premise behind cost-benefit analysis is determining what the cost is if the asset is lost in part or in whole, versus what the cost is to prevent that loss. While this is hard for some people to swallow, there are actually many situations where it is more cost effective to do nothing about the risk than to try to prevent or reduce the risk from occurring.

Typically, there are two methods to deal with potential loss: prevention and detection. Preventive measures are more expensive than detective measures. With a preventive measure, the organization stops the risk from occurring. With detective measures, the organization allows the loss to occur but detects it in a timely manner to reduce the time period in which the loss occurs. Defining an acceptable level of loss enables an organization to determine whether it should implement preventive or detective measures. If the organization’s acceptable level of loss is low, which means it has a low tolerance for a loss of a given asset, a preventive measure would be more appropriate to stop the loss. The organization would have to be willing to spend the extra money on appropriate preventive measures. If the organization’s acceptable level of loss is high, this means it has a higher tolerance and would most likely spend less money on a solution and implement detective measures.
Now, the organization is allowing the loss to occur, but it is controlling and bounding it. Therefore, performing calculations on acceptable level of loss plays a critical role in controlling insider threats.

Control Access

The best method for controlling insider threats is limiting and controlling access. In almost every situation in which an insider compromises, it is usually because someone had more access than he or she needed to do his or her job. There are usually other factors at play, but the number one factor is properly controlling access. For preventing insider attack, it is better to allocate someone the least amount of access that he or she needs to do his or her job. Encrypt the most critical data. Never store sensitive information on a networked computer; store confidential data on a stand-alone computer that has no connection to other computers and the telephone line. Regularly change the password of confidential files.

Bait: Honeypots and Honeytokens

A honeypot is a system that is put on a network that has no legitimate function. It is set up to look attractive to attackers and keep them out of critical network systems. The key thing about a honeypot is that there is no legitimate use for it, so no one should be accessing it. If someone accesses the honeypot in any way, that person is automatically suspicious because the only way he or she could have found it is if he or she was wandering around the network looking for something of interest. If the attacker was only doing what he or she was supposed to, he or she would have never found the system. Note that there are some legal ramifications to using honeypots.
If the honeypot is used to protect critical systems and to observe attack methods to be able to better protect network systems, it is simply enticement to provide the attacker with a more attractive target. If, on the other hand, the intent is to lure or trick the attacker into attacking the system so an administrator can catch and prosecute the attacker, it could be considered entrapment, which is illegal.

A honeytoken works the same way as a honeypot, but instead of an entire system, it is done at the directory or file level. An administrator puts an attractive file on a legitimate server and if anyone accesses it, the administrator catches the attacker with his or her hand in the cookie jar. This usually has a higher payoff. Insiders are good at figuring out a certain system or even a certain directory that contains critical intellectual property for a company. If an administrator adds an additional file to the system or directory, there is a chance that someone might stumble across it. Once again, since this is not a legitimate file, no one should be accessing it. There is no speculation involved if someone accesses the honeytoken file. That person is clearly up to no good since there is no reason anyone should be accessing it. Therefore, honeytokens can enable administrators to set up a virtual minefield on critical systems. If a person is a legitimate user and knows the files he or she is supposed to access, he or she can easily navigate the minefield and not set off any mines; however, if a user is an insider trying to cause harm, there is a good chance that he or she will be tempted by a honeytoken.

Detect Moles

With mole detection, an administrator gives a piece of data to a person and if that information makes it out to the public domain, the administrator knows the organization has a mole. If an administrator suspects that someone is a mole, he or she could “coincidentally” talk about something within earshot of the suspect.
If the administrator hears the information being repeated somewhere else, he or she knows that person is the mole. Mole detection is not technically sophisticated, but it can be useful in trying to figure out who is leaking information to the public or to another entity.

Perform Profiling

An ideal way to control and detect insiders is by understanding behavioral patterns. There are two general types of profiling that can be performed: individual and group. Individual profiling is related to a specific person and how he or she behaves. Every person is unique, so individual profiling learns the pattern of normality for a given individual, and if any behavior falls outside of that norm, that person is flagged. The advantage of this method is that it closely matches to an individual and is more customized to how a single individual acts. The problem is that it changes with the person, so if the attacker knows that individual profiling is being performed and makes slow, minor adjustments to his or her behavior, he or she could slip through the system.

Perform Monitoring

Monitoring is easy to do and provides a starting point for profiling. With monitoring, an administrator is just watching behavior. In order to profile a given person and flag exceptional behavior, the administrator has to establish a baseline. Therefore, in many cases, it is better to start with monitoring to see how bad the problem is and then move toward profiling if that is deemed necessary at a later point in time. Before an organization performs monitoring, it is critical that it does it in a legal and ethical manner. From a legality standpoint, it is critical that an organization determines whether information has an implied expectation of privacy.
The following are some of the different types of monitoring that an organization can perform:
● Application specific
● Problem specific
● Full monitoring
● Trend analysis
● Probationary

Analyze Signatures

Signature analysis is a basic but effective measure for controlling insider threats or any malicious activity. Signature analysis is also called pattern analysis because the administrator is looking for a pattern that is indicative of a problem or issue. The problem with signatures is that an administrator must know about an attack in order to create a signature for it. The first time an attack occurs, it becomes successful because there is no signature. After it is successful and the administrator performs incident response and damage assessment, he or she can figure out how the attack occurred and can build an appropriate signature for the next time; however, if the next time the attacker attacks in a different manner, the signature might miss the attack again.

This brings up two important points with regard to signatures. First, they will only catch known attacks; they will not catch zero-day attacks. A zero-day attack is a brand new attack that has not been publicized and is not well known. Second, signatures are rigid. If an administrator has a signature for an attack and it occurs exactly the same way each time, he or she can detect it and flag it. However, if it is morphed or changed, there is a good chance the signature will no longer be effective. The last problem with signatures is that they take a default allow stance on security. A default allow stance blocks what is malicious, and anything else that falls through is flagged as good. By itself, signature detection says if there is bad behavior but there is no signature match, then the behavior must be good.

Key Findings from U.S. Secret Service and CERT Coordination Center/SEI Study on Insider Threats

A U.S. Secret Service and CERT Coordination Center/SEI study revealed the following things concerning insider threats:
● A negative work-related event triggered most insiders’ actions.
● The most frequently reported motive was revenge.
● The majority of insiders planned their activities in advance.
● Remote access was used to carry out a majority of the attacks.
● Insiders exploited systematic vulnerabilities in applications, processes, and/or procedures, but relatively sophisticated attack tools were also employed.
● The majority of insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks.
● The majority of attacks took place outside normal working hours.
● The majority of the insider attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable.
● The majority of attacks were accomplished using the company’s computer equipment.
● The insiders harmed not only individuals but also the organizations.

Netspionage

Netspionage is network-enabled espionage, in which an attacker uses the Internet to perform corporate espionage. Corporate espionage is an old practice, but the advent of the Internet has made it easier, faster, and much more anonymous. Netspionage enables spies to steal sensitive corporate information without physically entering the company’s premises.

Investigating Corporate Espionage Cases

The following are some steps an investigator should take when investigating corporate espionage cases:
1. Check the possible points of physical intrusion: Before starting an investigation into a corporate espionage case, an investigator should scan all possible points of physical intrusion carefully.
These points may provide clues about how the information might have leaked and can also provide fingerprints if anybody passed through. This information may be helpful when presenting the case before a court of law.
2. Check the CCTV records: An investigator should check all CCTV records for any unusual activity. This often leads to the real culprit.
3. Check e-mails and attachments: An investigator should check all official e-mails and other e-mails with attachments used at the workplace. In many cases, the information is passed outside using e-mails. An investigator should thoroughly scan any suspicious e-mail and try to find out its destination.
4. Check systems for backdoors and Trojans: Disgruntled employees install backdoors and Trojans in their systems using their privileges as employees before quitting their jobs. So an investigator should scan all the systems and check for backdoors and Trojans. If any backdoor or Trojan is discovered, an investigator should trace its connections.
5. Check system, firewall, switch, and router logs: Logs show each and every event taking place in a network. An investigator should examine the logs of all network devices to detect suspicious activities, such as when and which data passed through the network and which kind of services and protocols were used.
6. Screen the logs of network and employee monitoring tools, if any: If an administrator has installed any kind of employee monitoring tools on the organization’s systems, an

(EC-Council 199-208) EC-Council. Computer Forensics: Investigating Network Intrusions and Cybercrime (CHFI), 2nd Edition. Cengage Learning, 20160506. VitalBook file.
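The chapter's two detection ideas, the honeytoken (any access to a file with no legitimate use is evidence by itself) and signature analysis (rigid patterns that default-allow whatever they do not describe), shown together on a constructed file-access audit log. This is an added example, not code from the textbook, the lab, or Track4Win; the log format, file paths, user names and the single off-hours signature are assumptions made for the example.

```python
"""Honeytoken access and signature matching over a constructed file-access audit log.

The log format, decoy paths and the signature below are assumptions made for
this example; nothing here is Track4Win output or code from the textbook.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Tuple

# Constructed sample log. Record format (assumed): <ISO timestamp> <user> <action> <path>
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice READ /shares/eng/design/widget_v3.docx
2024-03-04T09:40:15 bob COPY_TO_REMOVABLE /shares/finance/q1_forecast.xlsx
2024-03-04T22:05:33 carol READ /shares/eng/design/_archive_passwords.txt
2024-03-04T23:47:10 bob COPY_TO_REMOVABLE /shares/eng/design/widget_v3.docx
2024-03-05T01:20:07 bob WEB_UPLOAD /shares/eng/design/widget_v3.docx
"""

# Honeytokens: decoy files planted beside real intellectual property. They have
# no legitimate use, so any access at all is evidence, and no knowledge of a
# particular attack is needed to alert on it (the chapter's "virtual minefield").
HONEYTOKENS = frozenset({
    "/shares/eng/design/_archive_passwords.txt",  # constructed decoy path
    "/shares/hr/salary_master_FINAL.xlsx",        # constructed decoy path
})


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    path: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, path = parts
        events.append(Event(datetime.fromisoformat(ts), user, action, path))
    return events


def is_off_hours(ev: Event) -> bool:
    """Weekend, or outside an assumed 08:00-18:00 working day."""
    return ev.ts.weekday() >= 5 or not 8 <= ev.ts.hour < 18


# Signatures: each encodes one known attack pattern exactly. A signature fires
# only on what it was written for; a morphed variant (different action, or the
# same copy during working hours) is not matched and falls through as "ok".
SIGNATURES: Dict[str, Callable[[Event], bool]] = {
    "removable-copy-off-hours": lambda ev: (
        ev.action == "COPY_TO_REMOVABLE" and is_off_hours(ev)
    ),
}


def classify(events: List[Event]) -> List[Tuple[Event, str]]:
    """Return (event, verdict) pairs; honeytoken hits take precedence."""
    verdicts: List[Tuple[Event, str]] = []
    for ev in events:
        if ev.path in HONEYTOKENS:
            verdicts.append((ev, f"ALERT honeytoken:{ev.path}"))
            continue
        hit = next((name for name, pred in SIGNATURES.items() if pred(ev)), None)
        # "ok" is the default-allow stance: it only means no known pattern
        # described the event, not that the event was benign.
        verdicts.append((ev, f"ALERT signature:{hit}" if hit else "ok"))
    return verdicts


def run(text: str = SAMPLE_LOG) -> Dict[str, List[str]]:
    """Bucket events by outcome so the misses are as visible as the alerts."""
    buckets: Dict[str, List[str]] = {"honeytoken": [], "signature": [], "ok": []}
    for ev, verdict in classify(parse_log(text)):
        label = f"{ev.ts.isoformat()} {ev.user} {ev.action} {ev.path}"
        if verdict.startswith("ALERT honeytoken"):
            buckets["honeytoken"].append(label)
        elif verdict.startswith("ALERT signature"):
            buckets["signature"].append(label)
        else:
            buckets["ok"].append(label)
    return buckets


if __name__ == "__main__":
    for bucket, labels in run().items():
        print(bucket)
        for label in labels:
            print("   ", label)
```

On the sample log the decoy read and the night-time copy to removable media are the only alerts; the same copy during working hours and the web upload of the same document pass as "ok", which is exactly the rigidity and default-allow gap the chapter describes.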
ISSC457 Week 7 Lab 6

Name: _________________________ Date: _____________

Fill in your name above, put your full response below the question, save the file using the file naming convention: “ISSC457_Lab6_LastName_FirstName.doc” where LastName is your last name and FirstName is your first name, then return this document for grading.

Hardware/Software Setup Required

Track4Win v4.0.1130 Enterprise Edition (available at http://www.track4win.com/)

Problem Description

One way to prevent corporate espionage is to monitor all computer activities and Internet use in your network. Track4Win is a tool that allows you to track these activities.

In this lab, you will work with a partner to become acquainted with the main features of Track4Win and how to use them.

Estimated completion time: 60 minutes.

Outcome

Report the steps to perform the tasks

Validation/Evaluation

• How can you specify the programs to monitor on the client computer?
• How can you specify the files to monitor on the client computer?
• How can you password-protect the configuration of Track4Win on the client computer?
• How can you analyze the activities of the client computer on the server computer?

Lab Solution

1. Go to http://www.track4win.com/ and download the Track4Win installer.
2. Install the Track4Win monitor on your partner’s computer (known as the client) and the Track4Win server on your computer (known as the server).
3. On the client, run the Track4Win monitor. Check for the Track4Win icon on the system tray.
4. Open the Track4Win Monitor window by double clicking on the system tray icon. Next, click on the Options button.
5. On the Options window, write the server IP address and port number on the Networking section. In addition, mark the “Startup Monitor When Windows Startup” and “Enable Screen Capture” options on the Run section.
6. On the Security tab, the Monitor Filter section allows you to include and exclude programs (or types of programs) to monitor.
7. The Password section allows you to specify an administration password so a regular user cannot modify the monitoring options.
8. On the File Monitor tab, you can include and exclude files (or types of files) to monitor.
9. Click OK when you are done.
10. On the server computer, start Track4Win. Click Evaluate on the Registration window.
11. Click OK on the Tip of the Day window.
12. On the Track4Win Server window, check all active users that the server is monitoring.
13. Now, ask your partner to open a few documents, including a Word document and a PowerPoint presentation. Also open a few Web pages using any browser.
14. On the server computer, click on Analyzer to pop up the Track4Win Analyzer window. In the top window, you see all the applications running on the client computer including the active and inactive time for each application. With this window, you can determine the most used application. In the bottom window, you see a Web detail log, listing all Web pages visited by the user and the active time.
15. In both windows, you can filter the displayed information by date, user, and file.
16. Now, click on the File Log button at the top toolbar to view all files opened by the user.
17. You can export your report to HTML or Excel using the options in the toolbar.
18. Finally, you can see a Tree List or Pie Chart report by selecting the appropriate option from the Report menu.
19. Close all windows.

Explanation & Answer

Please see the attached response to the prompt above: I had ...

