The most costly loss of all

February 2011 Information Security

Advanced persistent threats (APTs) are now regarded as the most sophisticated and damaging form of corporate cyber crime.

In April 2010, Ernst & Young published Insights on IT risk. Countering cyber attacks, stating that: “APT attacks are focused on a single target, lasting until they are in, and are meant to collect information over a long period of time. They leave few signs of their success, wanting to stay hidden for as long as possible in order to acquire large amounts of sensitive information.”

According to the report, intellectual property is “the most sought after data type for attackers using techniques associated with APT, whether it is protected formulae, seismic research data, technology designs, unreleased movies or music, or proprietary engineering schematics and designs.”

The report goes on to say that, “The information targeted is specific. Attackers are not looking to grab just anything they come across – intellectual property and corporate secrets are their primary targets. Other types of data such as personal information or credit card data may be tempting if easily accessible, but in general, stealing that information is not the primary goal.”

The Value of Corporate Secrets, March 2010, by Forrester Consulting for RSA (EMC) and Microsoft, separates the information that companies seek to protect into two categories: secrets and custodial data.

It refers to secrets as information that confers long-term competitive advantage, such as product plans, earnings forecasts and trade secrets. The report says this information is vitally important because it generates revenue, increases profits and maintains competitive advantage.

Custodial data is defined as information that companies are compelled to protect by regulations – typically personal and identity information such as that relating to your credit card.

A key message from this report is that companies may be too focused on complying with regulations governing the protection of customers’ personal information and are not sufficiently protecting IP and secrets – the knowledge base. For example, financial services companies such as your bank, medical scheme and insurer will have lots of personal info about you and they are increasingly required by law to provide for its security.

But these companies also hold sensitive data – secrets – that does not relate directly to you: financial forecasts and earnings reports; product development plans; marketing strategies and associated research; pricing, margin and discounting policies; procurement and supplier information; and plans for expansion, mergers and acquisitions. Many companies hold little, if any, custodial data. A large mining, IT or pharmaceutical company is unlikely to keep custodial data simply because they do not deal with individual consumers – their markets are often only other companies. But they will certainly have sensitive information that underpins their competitive advantage.

Assessing the risks of data loss

In August 2010, the UK’s Financial Services Authority fined Zurich Insurance a record £2 275 000 after a back-up tape containing personal details of 46 000 policy holders was lost by the South African branch of the company. The tape had personal information on general insurance customers, including identity details and some bank and credit card information. One implication of the fine is clear: lose that type of custodial data and it is going to cost you £50 per record in regulatory fines.

But, what would Zurich have suffered if a competitor acquired the data and then successfully sold its services to each and every one of the clients on the tape? The loss of 46 000 customers is far more significant than losing information about them.

In terms of data security, we really do need to be much more focused on consequences rather than content. Setting aside the fine, the Zurich example shows that simply leaking data is, by itself, not at all significant. Why? Well, the tape was missing for over a year before the UK head office even learnt of its loss, and, according to Zurich, no clients have been adversely affected by its disappearance – in other words, nobody is doing any damage with the data.

Sure, some people may feel that the company is not competent enough to retain them as customers and might switch providers. And, yes, Zurich has been punitively fined – but only because the loss came to the attention of a regulatory body.

Focus on the consequences of losing data

The Zurich case illustrates how the significance of data can change according to who gets their hands on it and how they use it. This view is reinforced by Cyber crime: a clear and present danger, published by Deloitte in September 2010. It advocates a risk-based classification of data according to three categories: type, value and impact if it were to be compromised.

The third element of the ranking process – the ‘consequence of compromise’ – is perhaps the most significant but attracts the least consideration in terms of assessing risk and managing data accordingly.

Commenting on the issue of identifying and classifying data, Deloitte reckons that: “Relatively few organisations have developed categories based on value or risk. However, identifying which data is most and least valuable enables cyber security professionals to focus on the highest priorities. The most valuable data, such as product formulations and sensitive financial and legal information, can be tagged and monitored so that the organisation knows where it is, where it is going, where it has gone, and on whose authority.”

IP is where the money is

Conducted by the Verizon Business RISK team in cooperation with the United States Secret Service, the 2010 Verizon Data Breach Investigations Report is relevant because it touches on the importance of categorising information according to the consequences of its loss – of adopting a risk-based approach to data protection. The Verizon report also suggests that companies are overly focused on compliance with regard to custodial data and not nearly as protective of their IP – the very data that is now the principal target for the most sophisticated cyber criminals.

Bryan Sartin, director of the Verizon Business Investigative Response team, sees the market for stolen payment card data as being saturated, making this custodial data less lucrative, and therefore less attractive. Consequently, Sartin says, “Intellectual property is gaining more attention than payment cards.”

He also says that cyber criminals are becoming more interested in passwords and access privileges than in pure credit card data: “Some of it is sheer economics. The black market for credit card data is only so big. In the last year, we saw a drop in the market price from $9–$16 per record to as low as 10 or 20 cents per record. It is just not as profitable a business.”

In terms of IP theft, Verizon’s report states that, “While executives and upper management were not responsible for many (data) breaches, IP and other sensitive corporate information was usually the intended target when they were.”

This last statement highlights the fact that organisations are also highly vulnerable to theft of corporate secrets by insiders: whether they are operating alone or in collusion with outsiders, the enemy within is always going to be a serious threat as long as IT security relies on passwords, cards and PINs.

Traditional IT access credentials create massive security risks

The Deloitte whitepaper says: “Authorised users can access and travel throughout a system, remove or change data in the system, and conduct transactions. When cyber criminals employ such users as unwitting accomplices … they can operate as if they were users. They can acquire the same, or even greater, ability to navigate pathways, copy data, execute transactions, and monitor keystrokes.

“In many cases cyber criminals have obtained credentials and accessed systems as if they were actual employees and customers. Thus, the integrity of the endpoint that is being granted access to the organisation’s systems and data must be a primary concern.”

The massive vulnerabilities caused by passwords are also highlighted by the Verizon report: “The use of stolen access credentials was the number one hacking type in the data breaches that were investigated by Verizon and the Secret Service. It might be hard to believe, but stolen IT access credentials were the commonest way attackers gained access to enterprise systems.”

But the credentials were rarely stolen using methods such as key logging, social engineering or phishing. According to Verizon’s Sartin, “Most of what we saw was simple exploitation of guessable passwords. These were not very sophisticated hacks at all. Stolen credentials offer an attacker many advantages, not the least of which is the ability to disguise himself as a legitimate user. Authenticated activity is much less likely to trigger IDS (intrusion detection systems) alerts or be noticed by other detection mechanisms.”

Ernst & Young’s Insights on IT risk reinforces the Verizon findings regarding IT access credentials: “A common characteristic of APT malware is that it seeks to steal the credentials of valid users so that it can execute as a legitimate user and better evade detection.”

Passwords are the number one usual suspect in IT-based crime. They are so frequently abused by insiders and outsiders because they are so simple to abuse. Any IT access credential based on cards, PINs or passwords (CPPs) is inherently insecure because they are all routinely lost, forgotten, shared, stolen and cracked. CPPs are a fundamental flaw at the very core of IT security.

Minimise the risks of data loss

SA is a world leader in biometric applications within the public and private sectors. Biometric authentication is commonplace throughout the local workplace, with over 60 000 fingerprint readers controlling physical access for some 2,5 million employees across southern Africa. For several years, organisations have been replacing CPPs with fingerprint-based identification to strengthen security and monitor people’s attendance and location.

Competent biometric technology and methodology have clearly demonstrated consistent effectiveness within physical access systems. Given the scale of the dangers created by unauthorised IT access, fingerprint-based authentication offers a giant leap forward in controlling and recording who did what, where and when within corporate IT systems.

One often hears that biometrics is not a panacea or a perfect solution. Well, electricity is not perfect, but it offers enormous advantages over steam power. For me, that is the magnitude of difference between biometrics and CPPs.

Playing for very high stakes: industrial espionage for real

In early January 2011, Renault suspended three executives, including a member of its management committee, for consciously and deliberately endangering the company’s assets.

France’s industry minister, Eric Besson, said he believed the matter was related to electric vehicles: “It illustrates once again the risks our companies face in terms of industrial espionage and economic intelligence, as we call it today.”

In partnership with Nissan, Renault is investing 4 billion euros – R37 billion – in developing its electric vehicle project.

Renault’s general counsel and compliance officer, Christian Husson, said, “Renault decided to take action because these are serious acts concerning people with extremely strategic positions at the Group. Their acts justify this suspension, the first aim of which is to immediately protect the strategic, intellectual and technological assets of our company.”

Source: http://www.darkreading.com/insider-threat/167801100/security/security-management/229000271/renault-executives-suspended-in-intellectual-property-leak.html

Information contained in this overview by SuperVision Biometric Systems has been drawn from:


Insights on IT risk. April 2010. Ernst & Young.
http://www.ey.com/Publication/vwLUAssets/Insights_on_IT_risk_-_04_2010_-_Countering_cyber_attacks/$FILE/EY_Insights_on_IT_risk_04_2010_-_Countering_cyber_attacks.pdf

Cyber crime: a clear and present danger. Sep 2010. Deloitte.
http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/AERS/us_aers_Deloitte%20Cyber%20Crime%20POV%20Jan252010.pdf

The Value of Corporate Secrets. March 2010. RSA (EMC), Microsoft, Forrester.
http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf

2010 Verizon Data Breach Investigations Report. Verizon.
www.verizonbusiness.com/.../rp_2010-data-breach-report_en_xg.pdf

Mark Eardley

For more information contact Supervision Biometric Systems, +27 (0)82 463 3060, www.supervision.co.za




