CEHv6 Module 48 Corporate Espionage by Insiders

Academic year: 2019

Ethical Hacking and Countermeasures
Version 6

Module XLVIII
Corporate Espionage by Insiders

News

Module Objective

This module will familiarize you with:

Corporate Espionage
Information Corporate Spies Seek
Different Categories of Insider Threat
Driving Force behind Insider Attack
Common Attacks carried out by Insiders
Techniques Used for Corporate Espionage

Module Flow

Corporate Espionage
Information Corporate Spies Seek
Different Categories of Insider Threat
Driving Force behind Insider Attack
Common Attacks carried out by Insiders
Techniques Used for Corporate Espionage
Tools

Introduction to Corporate Espionage

"Espionage is the use of illegal means to gather information"
Source: www.scip.org

The term 'Corporate espionage' is used to describe espionage conducted for commercial purposes on companies, governments, and to determine the activities of competitors.

Information Corporate Spies Seek

Marketing and new product plans
Source code
Corporate strategies
Target markets and prospect information
Usual business methods
Product designs, research, and costs
Alliance and contract arrangements: delivery, pricing, and terms
Customer and supplier information
Staffing, operations, and wage/salary information

Insider Threat

The insider threat to critical infrastructure is an individual with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity's security, systems, services, products, or facilities with the intent to cause harm.

Different Categories of Insider Threat

Pure Insider
• An employee with all the rights and access associated with being employed by the company
• An elevated pure insider is an insider who has additional privileged access, such as administrator access

Insider Associate
• People with limited authorized access are called Insider Associates

Insider Affiliate
• Insider affiliates do not have direct access to the organization but illegally use an employee's credentials to gain access
• An insider affiliate is a spouse, friend, or even client of an employee

Outside Affiliates
• Non-trusted outsiders who use open access to gain access to an organization's resources

Privileged Access

Insiders enjoy two critical links in security: the trust of the employer and privileged access.

Driving Force behind Insider Attack

Work-related grievance
Financial gain
Challenge
Curiosity

Common Attacks carried out by Insiders

Sabotage of information/systems
Theft of information/computing assets
Injecting bad code
Viruses
Installation of unauthorized software/hardware
Manipulation of protocol/OS design flaws

Techniques Used for Corporate Espionage

Social Engineering
• Social engineering is a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures

Dumpster Diving
• Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network

Techniques Used for Corporate Espionage (cont'd)

Information extraction
• Information can be extracted through:
  • Hidden files
  • Web and email, since this is the network traffic an organization normally allows

Techniques Used for Corporate Espionage (cont'd)

Cryptography
• Cryptography garbles a message in such a way that its meaning is concealed
• It starts off with a plaintext message; an encryption algorithm is then used to garble the message, which creates ciphertext

Steganography
• Steganography is data hiding, and is meant to conceal the true meaning of a message

Techniques Used for Corporate Espionage (cont'd)

Malicious attacks
• Malicious attacks are used to gain additional access or elevated privileges

Process of Hacking (cont'd)

Figure: Network Defense Mechanisms; Target Organization's Internal Network; Internet

Case Study: Disgruntled System Administrator

A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company's manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software.

Following the system administrator's termination for inappropriate and abusive treatment of his

Former Forbes Employee Pleads Guilty

In 1997, George Parente was arrested for causing five network servers at the publishing company Forbes, Inc., to crash. Parente was a former Forbes computer technician who had been terminated from temporary employment.

In what appears to have been a vengeful act against the company and his supervisors, Parente dialed into the Forbes computer system from his residence and gained access through a co-worker's log-in and password. Once online, he caused five of the eight Forbes computer network servers to crash, and erased all of the server volume on each of the affected servers. No data could be restored.

Parente's sabotage resulted in a two-day shutdown in Forbes' New York operations with losses exceeding $100,000.

Parente pleaded guilty to one count of violating the Computer Fraud and Abuse Act, Title 18 U.S.C. 1030.

Source:

Former Employees Abet Stealing Trade Secrets

California Man Sentenced For Hacking

Federal Employee Sentenced for Hacking

Facts

Internal breaches included:
• Viruses/Worms outbreaks – 21%
• Wireless network breach – 1%
• Loss of customer data/privacy issues – 12%
• Internal financial fraud involving information systems – 18%
• Theft or leakage of intellectual property (e.g. customer leakage) – 10%
• Accidental instances – 18%
• Other form of internal breach – 12%
• Do not know – 5%

Key Findings from U.S. Secret Service and CERT Coordination Center/SEI study on Insider Threat

A negative work-related event triggered most insiders' actions
The most frequently reported motive was revenge
The majority of insiders planned their activities in advance
Remote access was used to carry out the majority of the attacks
The majority of insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks
The majority of attacks took place outside normal working hours
The majority of the insider attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable
The majority of attacks were accomplished using the company's computer equipment
NetVizor

NetVizor is a powerful network surveillance tool that allows you to monitor the entire network from one centralized location.

Privatefirewall w/ Pest Patrol

Privatefirewall is a Personal Firewall and Intrusion Detection Application that eliminates unauthorized access to the PC.

Privatefirewall w/ Pest Patrol: Screenshot

Best Practices against Insider Threat

Monitor employees' behavior
Monitor computer systems used by employees
Disable remote access
Make sure that unnecessary account privileges are not allotted to normal users
Disable USB drives in your network
Enforce a security policy which addresses all your concerns
Verify the background of new employees
Cross-shred all paper documents before trashing them
Secure all dumpsters and post 'NO TRESPASSING' signs
Conduct security awareness training programs for all employees regularly
Place locks on computer cases to prevent hardware tampering
Lock the wire closets, server rooms, phone closets, and other sensitive equipment

Countermeasures

Understanding and Prioritizing Critical Assets
• Determine the criteria used to establish an asset's value: monetary worth, future benefit to the company, and competitive advantage
• According to the criteria determined, score all assets of the organization and prioritize them
• List all the critical assets across the organization which need to be properly protected

Countermeasures (cont'd)

Defining Acceptable Level of Loss
• The possibility for loss is all around; risk management will determine what efforts an organization should focus on and what can be ignored
• Cost-benefit analysis is a typical method of determining the acceptable level of risk
• The two methods to deal with potential loss are prevention and detection

Countermeasures (cont'd)

Controlling Access
• Control the access of employees according to the requirements of their job
• The best way to secure an organization's critical information is by using the Principle of Least Privilege
• The principle states that you give someone the least amount of access they require for their job
• Encrypt the most critical data
• Never store sensitive business information on a networked computer
• Store confidential data on a stand-alone computer which has no connection to other computers or the telephone line

Countermeasures (cont'd)

Bait: Honeypots and Honeytokens
• Honeypots and honeytokens are used to catch insiders while they are stealing information
• Honeypots and honeytokens are traps which are set at the system level and file level respectively
• A honeypot on the network looks attractive to attackers and lures them in
• It is used when someone wanders around the network looking for something of interest
• A honeytoken is placed at a directory or file level instead of the entire system
• Display an attractive file on a legitimate server

Countermeasures (cont'd)

Mole detection
• A piece of data is given to a person; if that information makes its way into the public domain, then there is a mole
• It can be used to figure out who is leaking information to the public or to another entity

Profiling
• Profiling controls and detects insiders by understanding behavioral patterns

Countermeasures (cont'd)

Monitoring
• Watching behavior by inspecting the information
• It provides a starting point for profiling
• The types of monitoring that can be performed are:

Countermeasures (cont'd)

Signature Analysis
• It is an effective measure for controlling insider threat or any malicious activity
• It is also called pattern analysis because it looks for a pattern that is indicative of a problem or issue
• It catches only known attacks and the attacks which
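As an added example that is not part of the CEHv6 module, the following Python script applies signature analysis of the kind described above to a few constructed audit-log lines. The signatures encode patterns the module cites from the Secret Service/CERT study (off-hours activity, remote access, unauthorized account creation) plus a honeytoken file access; the log format, account names, file paths and business hours are all constructed assumptions, not values from the module or from any real product.

```python
import re
from datetime import datetime, time

# Constructed sample audit log (not real data): "<ISO timestamp> <EVENT> key=value ..."
SAMPLE_LOG = """\
2019-03-04T09:12:00 LOGIN user=alice src=10.0.0.15 method=console
2019-03-04T23:41:10 LOGIN user=bob src=203.0.113.7 method=vpn
2019-03-04T23:45:02 USERADD user=bob new_account=svc_backup2 groups=Administrators
2019-03-05T02:10:33 FILE_READ user=bob path=/shares/finance/Q3_merger_plan.xlsx
2019-03-05T10:02:45 USERADD user=hr_admin new_account=jdoe groups=Users
"""

# Assumed policy values (constructed): normal working hours, the accounts
# allowed to create users, and the bait files nobody should legitimately open.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
ACCOUNT_CREATORS = {"hr_admin"}
HONEYTOKENS = {"/shares/finance/Q3_merger_plan.xlsx"}
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse_line(line):
    """Split one log line into (timestamp, event, {field: value})."""
    ts, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), event, fields

def off_hours(ts):
    """True when the timestamp falls outside the assumed business hours."""
    return not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])

def analyze(log_text):
    """Return (signature_name, line) for every line matching a known pattern."""
    # Signature analysis only fires on patterns written down in advance;
    # an insider technique not encoded here passes through silently.
    hits = []
    for line in log_text.splitlines():
        ts, event, f = parse_line(line)
        if event == "LOGIN" and f.get("method") == "vpn" and off_hours(ts):
            hits.append(("off_hours_remote_login", line))
        if event == "USERADD" and f.get("user") not in ACCOUNT_CREATORS:
            hits.append(("unauthorized_account_creation", line))
        if event == "FILE_READ" and f.get("path") in HONEYTOKENS:
            hits.append(("honeytoken_access", line))
    return hits

if __name__ == "__main__":
    for sig, line in analyze(SAMPLE_LOG):
        print(f"{sig:30s} {line}")
```

Running it flags the three lines attributable to the constructed account "bob" and ignores the in-hours console login and the account created by the approved HR account.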

Summary

The term 'Corporate espionage' is used to describe espionage conducted for commercial purposes on companies, governments, and to determine the activities of competitors
People with limited authorized access are called Insider Associates
Insiders can use Web and email to disclose the organization's information
Cryptography garbles a message in such a way that its meaning is concealed
Make sure that unnecessary account privileges are not allotted to normal users
