Wednesday, November 24, 2010

A Mole in the Closet! Steps CEOs can take to protect their firms

‘MHA Mole sought Cash, Sex as Bribe’. It did not strike me as unusual when I saw this morning’s headline in the Times of India. The mole in the Ministry of Home Affairs, who held a responsible position in the department of internal security, was alleged to have leaked information on the progress of, and the methods used to obtain, security clearances in sensitive areas like telecom and mining, (mis)using his position to pass on favourable information and facilitate the clearance of such applications. The reward was sex and money. The code words used were “software” for women, “hardware” for hotels and venues, and “laddu” (an Indian sweet) for money.
But, obviously, this is not the only closet. Every corporate organisation has them. Employees can be converted into moles in three primary ways: first, by exploiting their lack of security awareness to get them to download malware on to their computers; second, through sexual blackmail, exploitation of their need for a job, or taking advantage of their disgruntlement; and third, by buying them with money or sex. These moles can have a damaging impact on the business by leaking crucial information such as business plans or product designs to competitors, or even through deliberate sabotage. So do not be surprised to find that a tender was lost on a 5% price difference, that a competitor launched a similar-looking product a few weeks earlier, or that the organisation lost money because crucial billing records were deleted. Corporate espionage can also take place through professional agencies which deploy spying devices through compromised house-cleaning staff and hackers; this, however, is the subject of another blog post.
Employees who become moles have typically been in service for several years and have built personal equations and trust within the organisation. Moles are also likely to be employees who have access to information of damaging value to the corporation. Less than 10% of employees may fall into these categories, though they may vary in grade from the CEO down to the office boy who handles business proposal documents.
Detecting corporate espionage is extremely difficult. Bear in mind that we all like to work for organisations which trust their employees. However, there are a few key measures that can be put in place, as listed below:
Top management should keep their eyes open: Instances such as bids lost by thin margins or leaked product designs are early-warning signals that no top management should ignore. To pick up these signals, it is important that top management accepts the fact that corporate espionage is a reality.
Know what information is valuable: Identifying valuable information, and the employees that have access to it, is the first step in executing a proper corporate anti-espionage policy.
Establish a policy and a corporate anti-espionage team: A formal corporate anti-espionage policy, processes and team should be put in place to develop, implement and monitor controls that mitigate these types of threats.
Regular background checks and peer surveillance are vital ingredients in preventing corporate espionage: Team members are best placed to detect the early signs of corporate espionage, in the form of an individual’s change in emotional behaviour, interest in matters which do not concern the employee, unusual browsing of files, or even out-of-workplace signals such as gambling habits, excessive debt or spending more money than would be expected. Most organisations conduct a background check during the joining process as a formality and do not repeat the process regularly. This compromises its value, since employees can only be converted into moles once they occupy positions of trust.
Technology may not be the solution: Corporate espionage results in the exposure of unstructured data such as proposals, business plans, product designs and prices. Information of this nature is difficult to monitor electronically. Checks like monitoring emails, restricting access to portable media and technologies like DLP may help, but they can all be subverted with the help of a simple mobile phone camera.
People remain our best defence: Employees should be trained on the role they need to play in the defence against moles. Obviously the mole will attend your training programme too. Money can be a key factor in motivating moles; building loyalty and paying key employees well can go a long way in reducing the probability of their conversion.
Set up a confidential reporting channel: There should be a system for employees to report if they are propositioned or an attempt is made to coerce them, or to report the suspicious behaviour of fellow employees, akin to a whistleblower policy. This should be backed by clear processes that give employees the confidence that their reports will be handled in the right manner.
Industry feedback: What the marketplace says about an employee may provide an early warning signal. Rumours about an employee’s integrity often circulate, or, as in the case of the MHA mole, a complaint is raised by a customer because a bribe was demanded. There should be a system to receive, examine and act on this feedback in a prompt and effective manner.
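The "know what information is valuable" and "unusual browsing of files" points above can be turned into a simple triage over file-server audit logs. The following is an added illustration, not code from the original post: the log lines, the sensitive-area map and the working-hours window are all constructed assumptions, and the output is a list of users for a human to follow up, not a verdict.

```python
"""Flag users whose file access is out of role, after hours, or copies sensitive files."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp user department action path
SAMPLE_LOG = """\
2010-11-22T09:12:01 asha sales READ /shared/sales/pipeline-q4.xlsx
2010-11-22T09:14:10 asha sales READ /shared/sales/pricing-template.docx
2010-11-22T09:20:33 ravi engineering READ /shared/engineering/design-v3.pdf
2010-11-22T10:02:45 ravi engineering READ /shared/sales/tender-bid-2010-11.docx
2010-11-22T10:03:12 ravi engineering READ /shared/finance/billing-master.xlsx
2010-11-22T10:05:40 ravi engineering COPY /shared/sales/tender-bid-2010-11.docx
2010-11-22T22:40:07 ravi engineering READ /shared/board/business-plan-2011.pptx
2010-11-22T11:15:00 meena finance READ /shared/finance/billing-master.xlsx
"""

# Assumed output of the "know what information is valuable" exercise:
# sensitive folders and the departments expected to work in them.
SENSITIVE_AREAS = {
    "/shared/sales/": {"sales"},
    "/shared/finance/": {"finance"},
    "/shared/board/": {"board"},
    "/shared/engineering/": {"engineering"},
}
WORK_HOURS = range(8, 20)  # assumed normal hours, 08:00 to 19:59

def parse_log(text):
    """Parse one event per line into a dict; the path may contain spaces."""
    events = []
    for line in text.splitlines():
        ts, user, dept, action, path = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "action": action, "path": path})
    return events

def sensitive_area(path):
    """Return (folder prefix, expected departments) or (None, set())."""
    for prefix, depts in SENSITIVE_AREAS.items():
        if path.startswith(prefix):
            return prefix, depts
    return None, set()

def score_users(events, threshold=3):
    """Return {user: [reasons]} for users with at least `threshold` signals."""
    reasons = defaultdict(list)
    for e in events:
        area, depts = sensitive_area(e["path"])
        if area and e["dept"] not in depts:
            reasons[e["user"]].append(f"out-of-role access to {e['path']}")
        if e["ts"].hour not in WORK_HOURS:
            reasons[e["user"]].append(f"after-hours {e['action']} of {e['path']}")
        if e["action"] == "COPY" and area:
            reasons[e["user"]].append(f"copy of sensitive file {e['path']}")
    return {u: r for u, r in reasons.items() if len(r) >= threshold}
```

On the sample above only "ravi" crosses the threshold; as the post notes, a mole with legitimate access and a phone camera leaves no such trace, so this complements peer observation rather than replacing it.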

Wednesday, November 17, 2010

Employee welfare must be sacrificed for organizational data protection

An organization has two primary types of data within its premises, structured and unstructured. Structured data is stored in databases and primarily used through applications. Existing security mechanisms are well able to take care of data security threats to structured data, with penal legal provisions and strong enforcement through standards like PCI.

Unstructured data resides on employee desktops, laptops, mobile phones, portable drives and pen drives. It comprises documents created by employees, or extracts in the form of reports or Excel sheets taken from structured data repositories. Securing this data is far from easy, as the only mechanisms that can be applied are endpoint security mechanisms such as antivirus, personal firewalls and newer technologies like DLP. DLP is template driven and has its own limitations.

Relying on employees to be security aware is not a sound strategy. 70% of organizations provide only generic security awareness training and only 40% provide updates on new threats. The employee becomes a conduit for bringing bots into the organization, which are capable of stealing user data and becoming staging points for further attacks.

Bots usually rely on social engineering to draw users to malicious websites, which then install bots on the end users’ devices. The problem is quite acute. The McAfee Threat Report: Third Quarter 2010 found that average daily malware growth had reached its highest level, with an average of 60,000 new pieces of malware identified per day, almost quadrupling since 2007. McAfee identified 14 million unique pieces of malware. The most dangerous were Zeus, Stuxnet and Cutwail.

Social trends like online shopping for Christmas are used to create fake online shopping sites that steal user identities and install bots (trojans).

The 2010 ISACA Shopping on the Job Survey: Online Holiday Shopping and Workplace Internet Safety—UK, released in October, clearly showed that organizations failed to apply the three most important controls available against this threat because of concerns over employee welfare. In the report, 58% of organizations do not prohibit employees from using a work email for online shopping, 43% allow the use of work laptops for online shopping, and only 9% actually prohibit access to online shopping sites from the workplace.

I am of the opinion that employee welfare must be sacrificed until technology measures have been created to defend against all bots. There are also new technologies for disk encryption, application whitelisting and operating system lockdown from security product companies like McAfee which are useful in mitigating these threats.

Thursday, November 11, 2010

Computer Hackers and We

The movies helped us conjure an image of a computer hacker as a shabbily dressed, nerdy, bespectacled individual surrounded by gizmos, perpetually staring into a computer screen amid half-eaten pizza and bottles of beer. Most hackers are, in reality, passionate, well dressed, highly informed and delightful to talk to.
I have been fortunate to meet several hackers and found among them a remarkable similarity in their desire to break into things and find out how to exploit them. Let me recount an incident with a hacker colleague of mine who purchased an expensive, newly launched smartphone. Within two months he purchased a new phone, as he broke the earlier one when he tried modifying the operating system and firmware. I did not ask him why!
This thought brought me back to my childhood. I still remember the toys my father brought me and the urge I had to open them up to see how they worked. I always believed I could put them back together, which unfortunately was never the case. It did not, however, deter me from breaking the next toy that came my way.
I believe this to be a childhood experience common to most of us. As we moved on in life we did not pursue this curiosity as hackers did. In the past, hackers were motivated by fun, fame, a form of protest, a wish to save money, or simply because they felt firms charged too much for goods and services such as telephone calls. Today, it is for money, profit, a form of protest, or to become professional security consultants.

Saturday, November 6, 2010

Porn Surfing & Social Networking a Cyber Risk

The front page of the Times of India of Nov 6, 2010, in a sensational headline, boldly proclaimed “Porn Surfing a cyber risk, babus told”. The article went on to allege that several officials had used official desktops to surf objectionable sites on the Internet and download material on to those desktops. Such downloaded material may carry malware able to export key data from these desktops to foreign agencies, thereby compromising government policy and national security.
In a similar incident, on 21 Jun 2010 the Washington Times broke the story of a fictitious female, nicknamed the cyber Mata Hari, who existed only as an invented Facebook page. Robin Sage, according to her profiles on Facebook and other social-networking websites, was an attractive, flirtatious 25-year-old woman working as a "cyber threat analyst" at the U.S. Navy's Network Warfare Command. Within less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors. Robin did not exist. Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation's defense and intelligence communities - what Mr. Ryan calls "an independent 'red team' exercise."
Both these examples highlight the susceptibility of senior officials to social engineering techniques, owing to their lack of security awareness, weak or nonexistent corporate security policies, poor enforcement, and inadequate investment in technical controls to prevent and monitor access to objectionable internet sites and downloads. Although the focus of the articles was on government and defense, the same holds true in the corporate world.