Ethical Hacking and Countermeasures
Version 6
Module XLVIII
Corporate Espionage by Insiders
Module Objective

This module will familiarize you with:
• Corporate Espionage
• Information Corporate Spies Seek
• Different Categories of Insider Threat
• Driving Force behind Insider Attack
• Common Attacks carried out by Insiders
• Techniques Used for Corporate Espionage
Module Flow

• Corporate Espionage
• Information Corporate Spies Seek
• Different Categories of Insider Threat
• Driving Force behind Insider Attack
• Common Attacks carried out by Insiders
• Techniques Used for Corporate Espionage
• Tools
Introduction to Corporate Espionage

"Espionage is the use of illegal means to gather information"
Source: www.scip.org

The term 'corporate espionage' is used to describe espionage conducted for commercial purposes on companies, governments, and to determine the activities of competitors
Information Corporate Spies Seek

• Marketing and new product plans
• Source code
• Corporate strategies
• Target markets and prospect information
• Usual business methods
• Product designs, research, and costs
• Alliance and contract arrangements: delivery, pricing, and terms
• Customer and supplier information
• Staffing, operations, and wage/salary
Insider Threat

The Insider Threat to critical infrastructure is an individual with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity's security, systems, services, products, or facilities with the intent to cause harm
Different Categories of Insider Threat

Pure Insider
• An employee with all the rights and access associated with being employed by the company
• An elevated pure insider is an insider who has additional privileged access, such as administrator access

Insider Associate
• People with limited authorized access are called Insider Associates
Different Categories of Insider Threat (cont'd)

Insider Affiliate
• Insider affiliates do not have direct access to the organization but illegally use an employee's credentials to gain access
• An insider affiliate is a spouse, friend, or even a client of an employee

Outside Affiliates
• They are non-trusted outsiders who use open access to gain access to an organization's resources
Privileged Access

Insiders enjoy two critical links in security:
• Trust of the employer
Driving Force behind Insider Attack

• Work-related grievance
• Financial gain
• Challenge
• Curiosity
Common Attacks carried out by Insiders

• Sabotage of information/systems
• Theft of information/computing assets
• Injecting bad code
• Viruses
• Installation of unauthorized software/hardware
• Manipulation of protocol/OS design flaws
Techniques Used for Corporate Espionage

Social Engineering
• Social engineering is defined as a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures

Dumpster Diving
• Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network
Techniques Used for Corporate Espionage (cont'd)

Information Extraction
• The information can be extracted through:
  • Hidden files
  • Web and email, which are the kinds of network traffic usually allowed out of an organization
Techniques Used for Corporate Espionage (cont'd)

Cryptography
• Cryptography garbles a message in such a way that its meaning is concealed
• It starts off with a plaintext message; an encryption algorithm is then used to garble the message, which creates ciphertext

Steganography
• Steganography is data hiding, and is meant to conceal the true meaning of a message
Techniques Used for Corporate Espionage (cont'd)

Malicious Attacks
• Malicious attacks are used to gain additional access or elevated privileges
Process of Hacking (cont'd)

(Diagram: Internet, Network Defense Mechanisms, Target Organization's Internal Network)
Case Study: Disgruntled System Administrator

A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company's manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software.

Following the system administrator's termination for inappropriate and abusive treatment of his
Former Forbes Employee Pleads Guilty

In 1997, George Parente was arrested for causing five network servers at the publishing company Forbes, Inc., to crash. Parente was a former Forbes computer technician who had been terminated from temporary employment.

In what appears to have been a vengeful act against the company and his supervisors, Parente dialed into the Forbes computer system from his residence and gained access through a co-worker's log-in and password. Once online, he caused five of the eight Forbes computer network servers to crash, and erased all of the server volume on each of the affected servers. No data could be restored.

Parente's sabotage resulted in a two-day shutdown of Forbes' New York operations with losses exceeding $100,000.

Parente pleaded guilty to one count of violating the Computer Fraud and Abuse Act, Title 18 U.S.C. 1030

Source:
Former Employees Abet Stealing Trade Secrets

California Man Sentenced for Hacking

Federal Employee Sentenced for Hacking
Facts

Internal breaches included:
• Viruses/Worms outbreaks – 21%
• Wireless network breach – 1%
• Loss of customer data/privacy issues – 12%
• Internal financial fraud involving information systems – 18%
• Theft or leakage of intellectual property (e.g. customer leakage) – 10%
• Accidental instances – 18%
• Other form of internal breach – 12%
• Do not know – 5%
Key Findings from U.S. Secret Service and CERT Coordination Center/SEI Study on Insider Threat

• A negative work-related event triggered most insiders' actions
• The most frequently reported motive was revenge
• The majority of insiders planned their activities in advance
• Remote access was used to carry out the majority of the attacks

Key Findings from U.S. Secret Service and CERT Coordination Center/SEI Study on Insider Threat (cont'd)

• The majority of insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks
• The majority of attacks took place outside normal working hours
• The majority of the insider attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable
• The majority of attacks were accomplished using the company's computer equipment
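The study findings above translate directly into detection rules: remote logins outside working hours, use of shared accounts from remote, and accounts that do not appear in the authorized roster. The following is an added example (not part of the original module) that applies those three rules to constructed login events; the account names, the "vpn" source label and the 08:00-18:59 working window are assumptions.

```python
from datetime import datetime

# Constructed roster of authorized accounts (hypothetical names, not real data).
AUTHORIZED_ACCOUNTS = {"alice", "bob", "svc_backup"}
# Shared accounts hide who actually used the credential, so remote use is flagged.
SHARED_ACCOUNTS = {"svc_backup"}
WORK_HOURS = range(8, 19)  # assumed normal working hours: 08:00 to 18:59, Mon-Fri

# Constructed sample login events: (account, source, ISO timestamp).
EVENTS = [
    ("alice", "lan", "2008-03-10T09:15:00"),       # weekday, office hours, on-site
    ("bob", "vpn", "2008-03-10T23:40:00"),         # remote, late at night
    ("svc_backup", "vpn", "2008-03-11T02:05:00"),  # shared account, remote, off-hours
    ("ghost", "vpn", "2008-03-11T03:30:00"),       # account not on the roster
    ("alice", "vpn", "2008-03-11T14:00:00"),       # remote but during working hours
]

def score_event(user, source, ts):
    """Return the list of findings (possibly empty) that apply to one login event."""
    when = datetime.fromisoformat(ts)
    remote = source == "vpn"
    off_hours = when.hour not in WORK_HOURS or when.weekday() >= 5
    findings = []
    if user not in AUTHORIZED_ACCOUNTS:
        findings.append("unknown-account")        # candidate unauthorized backdoor account
    if remote and off_hours:
        findings.append("remote-off-hours")
    if remote and user in SHARED_ACCOUNTS:
        findings.append("shared-account-remote")
    return findings

def triage(events):
    """Map (account, timestamp) to its findings, keeping only events that triggered a rule."""
    report = {}
    for user, source, ts in events:
        findings = score_event(user, source, ts)
        if findings:
            report[(user, ts)] = findings
    return report

if __name__ == "__main__":
    for key, findings in triage(EVENTS).items():
        print(key, findings)
```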
NetVizor

NetVizor is a powerful network surveillance tool that allows you to monitor the entire network from one centralized location

Privatefirewall w/ Pest Patrol

Privatefirewall is a Personal Firewall and Intrusion Detection Application that eliminates unauthorized access to the PC

Privatefirewall w/ Pest Patrol: Screenshot
Best Practices against Insider Threat

• Monitor employees' behavior
• Monitor computer systems used by employees
• Disable remote access
• Make sure that unnecessary account privileges are not allotted to normal users
• Disable USB drives in your network
• Enforce a security policy which addresses all your concerns

Best Practices against Insider Threat (cont'd)

• Verify the background of new employees
• Cross-shred all paper documents before trashing them
• Secure all dumpsters and post 'NO TRESPASSING' signs
• Conduct security awareness training programs for all employees regularly
• Place locks on computer cases to prevent hardware tampering
• Lock the wire closets, server rooms, phone closets, and other sensitive equipment
Countermeasures

Understanding and Prioritizing Critical Assets
• Determine the criteria used to value an asset, such as monetary worth, future benefit to the company, and competitive advantage
• According to the criteria determined, score all assets of the organization and prioritize them
• List all the critical assets across the organization which need to be properly protected
Countermeasures (cont'd)

Defining Acceptable Level of Loss
• The possibility for loss is all around, and risk management will determine what efforts an organization should focus on and what can be ignored
• Cost-benefit analysis is a typical method of determining the acceptable level of risk
• The two methods to deal with potential loss are prevention and detection
Countermeasures (cont'd)

Controlling Access
• Control the access of employees according to the requirements of their job
• The best way of securing an organization's critical information is by using the Principle of Least Privilege
• The principle states that you give someone the least amount of access they require for their job
• Encrypt the most critical data
• Never store sensitive business information on a networked computer
• Store confidential data on a stand-alone computer which has no connection to other computers or the telephone line
Countermeasures (cont'd)

Bait: Honeypots and Honeytokens
• Honeypots and honeytokens are bait used to catch insiders in the act of stealing information
• Honeypots and honeytokens are traps which are set at the system level and file level respectively
• A honeypot on the network looks attractive to attackers and lures them in
• It is used when someone wanders around the network looking for something of interest
• A honeytoken is done at a directory or file level instead of the entire system
• Display an attractive file on a legitimate server
Countermeasures (cont'd)

Mole Detection
• In this, a piece of data is given to a person, and if that information makes its way to the public domain, then there is a mole
• It can be used to figure out who is leaking information to the public or to another entity

Profiling
• It controls and detects insiders by understanding behavioral patterns
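The honeytoken and mole-detection slides above describe the same mechanism from two angles: a file-level marker that an insider is tempted to take, and a distinct piece of data given to each person so that a leaked copy names its source. The following added example (not from the original module) combines them: every recipient gets a copy of a memo carrying a keyed, unguessable reference number, and a copy that surfaces outside is traced back by that number. The key, recipient names and memo text are constructed.

```python
import hashlib
import hmac
import re

# Hypothetical server-side secret; keep it out of the documents themselves.
SERVER_KEY = b"constructed-example-key"

def make_token(recipient):
    """Derive a unique marker for one recipient: a truncated HMAC-SHA256 of the name.
    Using a keyed hash means a recipient cannot forge another person's marker."""
    return hmac.new(SERVER_KEY, recipient.encode(), hashlib.sha256).hexdigest()[:12]

def seed_document(template, recipients):
    """Return {recipient: document copy}; each copy carries that recipient's marker,
    styled as a harmless reference number so it survives copy and paste."""
    return {r: template.replace("{REF}", f"Ref: DOC-{make_token(r)}") for r in recipients}

def identify_source(leaked_text, recipients):
    """Name every recipient whose marker appears in a document that surfaced outside."""
    found = set(re.findall(r"DOC-([0-9a-f]{12})", leaked_text))
    return [r for r in recipients if make_token(r) in found]

# Constructed sample: a sensitive memo sent to three hypothetical staff members.
TEMPLATE = "CONFIDENTIAL: Q3 product roadmap\n{REF}\nLaunch moves to October."
RECIPIENTS = ["alice", "bob", "carol"]

def demo():
    """Seed the memo, simulate bob's copy appearing online (lightly edited), trace it."""
    copies = seed_document(TEMPLATE, RECIPIENTS)
    leaked = "Found this online:\n" + copies["bob"].replace("October", "Oct")
    return identify_source(leaked, RECIPIENTS)

if __name__ == "__main__":
    print(demo())  # ['bob']
```

A marker only works while it is unique to one person; if the same copy is forwarded internally before it leaks, the trace stops at the original recipient.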
Countermeasures (cont'd)

Monitoring
• Watching behavior by inspecting the information
• It provides a starting point for profiling
• The types of monitoring that can be performed are:
Countermeasures (cont'd)

Signature Analysis
• It is an effective measure for controlling insider threat or any malicious activity
• It is also called pattern analysis because it looks for a pattern that is indicative of a problem or issue
• It catches only known attacks and the attacks which
Summary

• The term 'corporate espionage' is used to describe espionage conducted for commercial purposes on companies, governments, and to determine the activities of competitors
• People with limited authorized access are called Insider Associates
• Insiders can use Web and email to disclose the organization's information
• Cryptography garbles a message in such a way that its meaning is concealed
• Make sure that unnecessary account privileges are not allotted to normal users