printer friendly version

Securing IT systems

In comparison to the losses that organisations are suffering through IT-based crime, the financial losses from unauthorised physical access are a drop in the ocean.

For example, in June 2011 Sony reported that they had allocated $171 million for their response to the cyber theft of over 100 million customer records. That is about R1,2 billion. And it is not only the scale of the losses caused by unauthorised IT access and activity that is rising. The nature of IT-based crime is also changing and growing. This evolution means that cybercrime is spreading into more and more areas of operation and is affecting different types of assets.

Fraudulent EFT payments might be a high-profile form of corporate cybercrime – because of the coverage they receive in our news media – but they are just the visible tip of the iceberg. The bulk of the losses is hidden beneath the surface and has the potential to be far more damaging: increasingly, organisations are being threatened with the cyber theft of intellectual assets, undermining their competitive advantage and potentially threatening their continued existence.

Corporate secrets are now the jackpot

Regulatory compliance may have compelled many organisations to consider – and counter – the consequences of having customer data stolen. But this may have created a dangerous blind spot when it comes to recognising the more damaging consequences caused by cyber thefts of corporate secrets.

The theft of custodial data (the personal data that companies hold on their individual customers) attracts far more attention than the cyber theft of intellectual capital or secrets. It is newsworthy because it potentially affects so many individuals – the people whose data has been stolen and who may be consequently vulnerable to identity-based fraud. This heightened awareness perhaps creates even more pressure to protect custodial data, shifting the focus even further away from protecting secrets.

Commenting on the findings of Verizon’s 2011 Data Breach Investigations Report, (DBIR) Dave Ostertag, global investigations manager at Verizon Business, said, “I think what we are seeing is that there is a big change in the type of data that criminals are going after.

“There is a glut of personal data out there now, and there really is not a great market for it. The value of intellectual property, on the other hand, is much higher – criminals are finding that they can make as much money from stealing a smaller number of highly sensitive records as they can from stealing a big database of customer information.”

Ostertag’s comments carry significant authority: now in its seventh year, the DBIR’s findings are based on investigations into over 1700 data breaches and the report is probably the world’s leading examination of corporate cybercrime. The last two annual reports have combined research into real cybercrimes by both Verizon and the US Secret Service – an agency that is tasked with protecting America’s financial infrastructure and payment systems as well as guarding the President.

The growing threat to corporate secrets was also emphasised by a March 2011 report from McAfee, which stated that, “While it remains a profitable enterprise to buy and sell stolen credit cards, lately, intellectual capital has become the new source of large and easy pay-outs.”

Secrets represent value – because knowledge is power

Ocean Tomo, a US merchant bank, estimated that in 2009 the implied intangible asset value of the S&P 500 reached 81%, an all-time high since the firm began charting such values in 1975. James E. Malackowski, Ocean Tomo’s chairperson, explained that: “Within the last quarter century, the market value of the S&P 500 companies has deviated greatly from their book value. This ‘value gap’ indicates that physical and financial accountable assets reflected on a company’s balance sheet comprises less than 20% of the true value of the average firm.”

But intellectual assets such as those that can be patented or similarly protected represent only part of the information that organisations need to hold securely. The overall ‘knowledge base’ of confidential information is multi-faceted and might include production processes; R&D findings; source code; formulae; M&A activity; partnerships and alliances; marketing plans and product roll-outs; financing arrangements; contract bids and deal negotiations; pricing structures; legal activities; financial forecasts and results; and strategic plans.

Fuelled by the loss of access control in IT security

It may be an inconvenient truth, but the abuse of traditional IT access credentials like cards, PINs and passwords lies at the heart of most corporate cybercrime. The term ‘advanced persistent threat’ – or APT – is increasingly used to categorise cyber theft that is sophisticated, organised and determined. The other defining characteristic of an APT is its specific purpose: stealing corporate secrets.

In 2010, Ernst & Young and Deloitte published commentaries on the increasing cyber threat to corporate secrets caused by APTs and emphasised the vulnerabilities created by traditional credentials.

Deloitte said: “In many cases cyber criminals have obtained credentials and accessed systems as if they were actual employees and customers. Thus, the integrity of the endpoint that is being granted access to the organisation’s systems and data must be a primary concern.

“Authorised users can access and travel throughout a system, remove or change data in the system, and conduct transactions. When cyber criminals employ such users as unwitting accomplices … they can operate as if they were users. They can acquire the same, or even greater, ability to navigate pathways, copy data, execute transactions and monitor keystrokes.”

Ernst and Young’s comments support this opinion concerning the risks created by IT access credentials: “A common characteristic of APT malware is that it seeks to steal the credentials of valid users so that it can execute as a legitimate user and better evade detection.”

The vulnerabilities caused by traditional credentials were also highlighted by Verizon’s 2010 DBIR: “The use of stolen access credentials was the number one hacking type in the data breaches that were investigated by Verizon and the Secret Service. It might be hard to believe, but stolen IT access credentials were the commonest way attackers gained access to enterprise systems.”

But the credentials were rarely stolen using methods such as key logging, social engineering or phishing. According to Bryan Sartin, Verizon’s director of investigative response, “Most of what we saw was simple exploitation of guessable passwords. These were not very sophisticated hacks at all.

“Stolen credentials offer an attacker many advantages, not the least of which is the ability to disguise himself as a legitimate user. Authenticated activity is much less likely to trigger IDS (intrusion detection systems) alerts or be noticed by other detection mechanisms.”

Aside from being repeatedly lost, shared and forgotten, IT access credentials are increasingly being stolen. In April 2011, Sartin said that with prices reaching $30 000 per account, usernames and passwords are the most common type of records traded on the cyber black market and have the highest per-record value.

The realities of Sartin’s comments regarding stolen access credentials were underlined by the cyber theft at RSA, the security solutions division of IT-giant EMC. In March 2011, RSA announced that cyber villains had stolen secrets about SecurID, a two-factor authentication product based on ‘static’ and one-time-PINs that manages IT access for some 40 million employees at over 30 000 companies worldwide.

If not immediately obvious, the reasons why cyber villains would want to steal secrets about SecurID became clear a few months later. The incident at RSA appears to have led directly to an attempted cyber theft at Lockheed Martin. Describing the attack as ‘significant and tenacious’, Lockheed said it was instructing employees to change their passwords and would be replacing all of its SecurID tokens. As the world’s largest defence contractor, it is obvious that Lockheed was not targeted for its custodial data.

And incredible as it may seem, the cyber theft at RSA was based on the exploitation of employees’ access credentials. RSA says that the cyber theft began with a spear phishing attack on targeted employees that led to one of them opening a malware-loaded Excel file entitled ‘2011Recruitment plan xls’. The malware opened a backdoor on the target’s computer, enabling the villains to control it remotely.

Using the target’s access rights, the villains then climbed RSA’s internal authorisations ladder, stealing more credentials and increasing the privileges associated with them in user, domain admin and service accounts.

But what were these access credentials? Were employees not using RSA’s own SecurID to authorise themselves within their own systems? Maybe not. Perhaps good old usernames and passwords were yet again at the very heart of yet another collapse in IT security.

Once the villains had the privileges they wanted, they shipped data out of RSA in a staged process, first to internal servers and then via FTP to an external server. From here the files were transferred again and vanished into cyber space.

Personalised attacks

A June 2011 report by Cisco Systems on the evolving nature of cybercrime says that the volume of spray-and-pray malicious spam declined by more than half in the past year. At the same time, highly-personalised, focused e-mail based attacks have tripled – because they offer far better ROI to the cyber villains.

The report divides these focused e-mail campaigns into two categories: spear phishing and targeted attacks. Spear phishing covers activities that are aimed at groups of potential victims who share a common feature – for example, corporate customers of a specific bank.

Cisco estimates a spear phishing attack costs five times that of a mass attack. The villains’ investment might include list acquisition; leasing a botnet; e-mail generation tools; malware purchases; website creation; campaign administration tools; order processing and fulfilment infrastructure; and background research on targets. The report says that the return on such an investment for a single spear phishing campaign can be more than 10 times that of a mass attack.

Should governance alarm bells be ringing loudly in the boardroom?

At the highest executive level, the losses caused by cybercrime should certainly serve to highlight the routinely damaging consequences of lax IT access control. What should add to alarm in the boardroom is the fact that most losses are caused by elementary exploits – an underlying feature of most corporate cybercrime.

Perhaps we need to recognise that data governance – statutory or not – should be receiving the same diligence as, say, corporate brand management and financial reporting.

Speaking at the launch of the UK cybercrime study, the minister for security said that many companies do not know what the normal functioning of their IT systems looks like because they do not actually know enough about their own systems. In other words, organisations are not doing enough to protect themselves from the cyber threat and the villains are running rings round IT security.

Protecting sensitive data means winning back far more control over who can access that data. The evidence is overwhelming that the status quo in user authentication just is not working. If cards, PINs and passwords are no longer an effective barrier to the cyber-theft of secrets, is it perhaps time for us to break our reliance on them? As an advocate of biometric-based security solutions, I am bound to point out that the world of physical security decided long ago that cards, PINs and passwords are no longer an effective way to identify people with legitimate access rights.

The business case for such widespread and extensive use of the technology is disarmingly simple: competent biometrics pay for themselves by cutting the recurring losses caused by unauthorised access and activity. Is that not what IT needs?

Mark Eardley

Share this article:

Further reading: