CEHv6 Module 48: Corporate Espionage by Insiders

Ethical Hacking and Countermeasures, Version 6

Module XLVIII: Corporate Espionage by Insiders

News Source: http://business.timesonline.co.uk/

News Source: http://blogs.barrons.com/

Module Objective

This module will familiarize you with:

• Corporate espionage
• Information corporate spies seek
• Different categories of insider threat
• Driving force behind insider attacks
• Common attacks carried out by insiders
• Techniques used for corporate espionage
• Tools
• Countermeasures

Module Flow

Corporate Espionage → Information Corporate Spies Seek → Different Categories of Insider Threat → Driving Force behind Insider Attack → Common Attacks carried out by Insiders → Techniques Used for Corporate Espionage → Tools → Countermeasures

Introduction to Corporate Espionage

"Espionage is the use of illegal means to gather information." Source: www.scip.org

The term 'corporate espionage' describes espionage conducted for commercial purposes against companies and governments, typically to determine the activities of competitors.

Inform ation Corporate Spies Seek

• Marketing and new product plans
• Source code
• Corporate strategies
• Target markets and prospect information
• Usual business methods
• Product designs, research, and costs
• Alliance and contract arrangements: delivery, pricing, and terms
• Customer and supplier information
• Staffing, operations, and wage/salary data
• Credit records or credit union account information

Insider Threat

  

"The Insider Threat to critical infrastructure is an individual with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity's security, systems, services, products, or facilities with the intent to cause harm."
- National Infrastructure Advisory Council (NIAC)

Different Categories of Insider Threat

Pure Insider

• An employee with all the rights and access associated with being employed by the company
• An elevated pure insider is an insider who has additional privileged access, such as administrator access

Insider Associate

• People with limited authorized access are called insider associates
• Contractors, guards, and cleaning and plant services staff all fall under this category

Different Categories of Insider Threat (cont'd)

Insider Affiliate

• Insider affiliates do not have direct access to the organization but illegally use an employee's credentials to gain access
• An insider affiliate may be a spouse, friend, or even a client of an employee

Outside Affiliates

• Non-trusted outsiders who use open access to get at an organization's resources
• The most common route for an outside affiliate is an unprotected wireless access point

Privileged Access

Insiders enjoy two critical links in security:

• Trust of the employer
• Access to facilities

Driving Force behind Insider Attack

• Work-related grievance
• Financial gain
• Challenge
• Curiosity
• Spying (corporate espionage)

Common Attacks carried out by Insiders

• Sabotage of information/systems
• Theft of information/computing assets
• Injecting bad code
• Viruses
• Installation of unauthorized software/hardware
• Manipulation of protocol/OS design flaws
• Social engineering

Techniques Used for Corporate Espionage

Social Engineering

• Social engineering is a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures

Dumpster Diving

• Dumpster diving is looking for treasure in someone else's trash (a dumpster is a large trash container). In information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network
Techniques Used for Corporate Espionage (cont'd)

Information extraction

• The information can be extracted through:
• Hidden files
• Removable media
• Wireless exfiltration
• Laptops
• PDAs/Blackberrys

Network leakage

• The network traffic that is allowed out of most organizations is web and email
• Insiders can use these channels to disclose the organization's information
Techniques Used for Corporate Espionage (cont'd)

Cryptography

• Cryptography garbles a message in such a way that its meaning is concealed
• It starts with a plaintext message; an encryption algorithm is then used to garble the message, producing ciphertext
• An insider who encrypts stolen data before sending it out leaves content inspection at the network boundary with nothing but random-looking bytes

Steganography

• Steganography is data hiding; it is meant to conceal the existence of a message, whereas cryptography conceals only its meaning
• It is referred to as secret communication or covert communication
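The following is an added example, not code from the CEH courseware, showing how a steganographic channel of the kind described above works and why content inspection misses it: a secret is written into the least-significant bit of each byte of a cover buffer, no byte changes by more than 1, and the payload comes back out under a length header. The cover buffer, the secret and the helper names (make_cover, embed, extract, max_pixel_delta, changed_lsb_count) are constructed for the example; a real cover would be decoded pixel data re-saved in a lossless format.

```python
"""LSB steganography over a raw 8-bit pixel buffer (added example, not CEH courseware).

The 'cover' is a constructed grayscale pixel buffer; a real cover would be the
decoded pixel data of a BMP/PNG, and the stego buffer would be re-encoded losslessly.
"""
import struct


def make_cover(size: int) -> bytes:
    """Constructed cover: a deterministic gradient-like pixel buffer (not a real image)."""
    return bytes((i * 37 + 11) % 256 for i in range(size))


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least-significant bit of successive cover bytes.

    A 4-byte big-endian length header precedes the payload so extract()
    knows where the hidden data ends. One cover byte carries one bit, so
    capacity is len(cover) // 8 - 4 payload bytes.
    """
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(cover):
        raise ValueError(f"cover too small: {len(cover)} bytes for {len(data) * 8} bits")
    out = bytearray(cover)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):            # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_bytes(stego: bytes, bit_offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at `bit_offset`."""
    result = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[bit_offset + i * 8 + j] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    """Recover the hidden payload; raises if the header does not fit the buffer."""
    if len(stego) < 32:
        raise ValueError("buffer too small to hold a length header")
    length = struct.unpack(">I", _read_bytes(stego, 0, 4))[0]
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds buffer: not an LSB-embedded buffer")
    return _read_bytes(stego, 32, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change; LSB embedding never changes a pixel by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def changed_lsb_count(original: bytes, stego: bytes) -> int:
    """Number of LSBs that differ. A diff against the known-good original exposes
    the embedding even though a hash-based DLP rule sees only 'a different file'."""
    return sum((x ^ y) & 1 for x, y in zip(original, stego))


if __name__ == "__main__":
    cover = make_cover(4096)
    secret = b"Q3 pricing: 12% discount for Acme"   # constructed sample secret
    stego = embed(cover, secret)
    print(extract(stego))
    print("max delta:", max_pixel_delta(cover, stego),
          "changed LSBs:", changed_lsb_count(cover, stego))
```

The changed_lsb_count check is the defender's side of this: an LSB diff against a known original reveals the embedding, whereas a hash comparison only reports "a different file" and a keyword filter reports nothing at all. That is the argument for retaining copies, not just hashes, of attachments leaving sensitive hosts.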
Techniques Used for Corporate Espionage (cont'd)

Malicious attacks

• Malicious attacks are used to gain additional access or elevated privileges
• These attacks usually involve running exploit code against a system

Process of Hacking

Figure: a hacker following the steps below attacks the target organization's internal network from the Internet, through its network defense mechanisms.

1. Gathers information on the target organization
2. Scans the target network for vulnerabilities
3. Exploits known vulnerabilities to breach the defense
4. Breaks the network defense using exploits for known vulnerabilities
5. Exploits system resources
6. Installs malicious programs for backdoor access
7. Clears evidence by erasing tracks
8. Launches an attack from the organization's

Case Study: Disgruntled System Administrator

A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company's manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator's termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company's server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees.

Source: Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, U.S. Secret Service and CERT Coordination Center/SEI

Former Forbes Employee Pleads Guilty

In 1997, George Parente was arrested for causing five network servers at the publishing company Forbes, Inc., to crash. Parente was a former Forbes computer technician who had been terminated from temporary employment.

In what appears to have been a vengeful act against the company and his supervisors, Parente dialed into the Forbes computer system from his residence and gained access through a co-worker's log-in and password. Once online, he caused five of the eight Forbes computer network servers to crash, and erased all of the server volume on each of the affected servers. No data could be restored.

Parente's sabotage resulted in a two-day shutdown of Forbes' New York operations with losses exceeding $100,000.

Parente pleaded guilty to one count of violating the Computer Fraud and Abuse Act, Title 18 U.S.C. 1030.

Source: http://www.usdoj.gov/criminal/cybercrime/vatis.htm

Former Employees Abet Stealing Trade Secrets
Source: http://www.usdoj.gov/

California Man Sentenced For Hacking
Source: http://www.usdoj.gov/

Federal Employee Sentenced for Hacking
Source: http://www.usdoj.gov/

Facts

Internal breaches included:

• Viruses/worms outbreaks – 21%
• Wireless network breach – 1%
• Loss of customer data/privacy issues – 12%
• Internal financial fraud involving information systems – 18%
• Theft or leakage of intellectual property (e.g. customer leakage) – 10%
• Accidental instances – 18%
• Other form of internal breach – 12%
• Do not know – 5%

Source: Deloitte, 2007 Global Security Survey

Key Findings from U.S. Secret Service and CERT Coordination Center/SEI study on Insider Threat

• A negative work-related event triggered most insiders' actions
• The most frequently reported motive was revenge
• The majority of insiders planned their activities in advance
• Remote access was used to carry out the majority of the attacks
• Insiders exploited systemic vulnerabilities in applications, processes, and/or procedures, but relatively sophisticated attack tools were also employed

Key Findings from U.S. Secret Service and CERT Coordination Center/SEI study on Insider Threat (cont'd)

• The majority of insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks
• The majority of attacks took place outside normal working hours
• The majority of the insider attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable
• The majority of attacks were accomplished using the company's computer equipment
• In addition to harming the organizations, the insiders caused harm to specific individuals

      

Tools

NetVizor

NetVizor is a network surveillance tool that allows an administrator to monitor an entire network from one centralized location.

It can track workstations and individual users who may use multiple PCs on a network.

NetVizor: Screenshot

Privatefirewall w/ Pest Patrol

Privatefirewall is a personal firewall and intrusion detection application that blocks unauthorized access to the PC. It provides solid protection "out of the box" while allowing advanced users to create custom configurations.

Privatefirewall w/ Pest Patrol: Screenshot

Countermeasures

Best Practices against Insider Threat

• Monitor employees' behavior
• Monitor the computer systems used by employees
• Disable remote access where it is not needed; where it is, log and review its use, since the studies above found it was the channel for most attacks
• Make sure that unnecessary account privileges are not allotted to normal users
• Disable USB drives on your network
• Enforce a security policy which addresses all your concerns
• Physical security checks should not be ignored

Best Practices against Insider Threat (cont'd)

• Verify the background of new employees
• Cross-shred all paper documents before trashing them
• Secure all dumpsters and post 'NO TRESPASSING' signs
• Conduct security awareness training programs for all employees regularly
• Place locks on computer cases to prevent hardware tampering
• Lock the wiring closets, server rooms, phone closets, and other sensitive equipment
• Never leave a voice mail message or e-mail broadcast message that gives an exact business itinerary

Countermeasures

Understanding and Prioritizing Critical Assets

• Determine the criteria used to value assets, such as monetary worth, future benefit to the company, and competitive advantage
• According to those criteria, score all assets of the organization and prioritize them
• List all the critical assets across the organization which need to be properly protected
• Understand the likely attack points by analyzing the threats to the organization

      

Countermeasures (cont'd)

Defining Acceptable Level of Loss

• The possibility of loss is everywhere; risk management determines which efforts an organization should focus on and which risks it can accept
• Cost-benefit analysis is a typical method of determining the acceptable level of risk
• The two methods of dealing with potential loss are prevention and detection

      

Countermeasures (cont'd)

Controlling Access

• Control the access of employees according to the requirements of their job
• The best way to secure an organization's critical information is the principle of least privilege
• The principle states that you give someone the least amount of access they require for their job
• Encrypt the most critical data
• Never store the business's most sensitive information on a networked computer
• Store confidential data on a stand-alone computer which has no connection to other computers or to the telephone line
• Regularly change the passwords of confidential files

      

Countermeasures (cont'd)

Bait: Honeypots and Honeytokens

• Honeypots and honeytokens are bait that catches insiders in the act of stealing information
• Honeypots and honeytokens are traps set at the system level and the file level respectively
• A honeypot on the network looks attractive to attackers and lures them in
• It is used to catch someone wandering around the network looking for something of interest
• A honeytoken is placed at the directory or file level instead of being an entire system
• An attractive file is displayed on a legitimate server to trap the insider; since no legitimate job requires that file, any access to it is a high-confidence alert

      

Countermeasures (cont'd)

Mole detection

• A distinct piece of data is given to each suspected person; if that information makes its way into the public domain, there is a mole, and the variant that surfaced identifies who leaked it
• It can be used to figure out who is leaking information to the public or to another entity

Profiling

• Controls and detects insiders by understanding behavioral patterns
• The two types of profiling are individual and group profiling
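As an added example serving both the honeytoken and the mole-detection passages above (this is not CEH courseware), the code below issues each recipient of a document a distinct, HMAC-derived decoy reference and decoy mailbox, then maps whatever surfaces (a retyped fragment of a leaked copy, or a mail-server line addressed to a decoy mailbox) back to the recipient it was issued to. The key, document, recipient names and "leaked" text are constructed; TOKEN_KEY, honeytoken, watermark and identify_mole are names invented here.

```python
"""Per-recipient honeytokens for mole detection (added example, not CEH courseware).

Each recipient of a sensitive document gets a copy carrying a decoy reference and
decoy contact address derived from HMAC(key, doc_id:recipient). If a copy leaks,
or mail ever arrives at a decoy address, the token names the recipient. The key,
document text, recipient list and leaked text below are all constructed.
"""
import hashlib
import hmac
import re

# Assumption: the key lives in a secrets store and never inside the documents.
TOKEN_KEY = b"rotate-me-and-keep-me-out-of-the-document"
TOKEN_RE = re.compile(r"\bref-[0-9a-f]{12}\b")


def honeytoken(doc_id: str, recipient: str, key: bytes = TOKEN_KEY) -> str:
    """HMAC-derived token: unforgeable without the key, so an insider cannot plant
    another recipient's token to shift blame, and no token registry is needed."""
    mac = hmac.new(key, f"{doc_id}:{recipient}".encode(), hashlib.sha256).hexdigest()
    return f"ref-{mac[:12]}"


def watermark(template: str, doc_id: str, recipient: str, key: bytes = TOKEN_KEY) -> str:
    """Recipient-specific copy: the {{DECOY}} slot becomes a plausible supplier
    reference line plus a decoy escalation mailbox that nobody legitimately mails."""
    token = honeytoken(doc_id, recipient, key)
    decoy = (f"Supplier reference: {token}\n"
             f"Escalation contact: {token}@example.com")
    return template.replace("{{DECOY}}", decoy)


def identify_mole(evidence: str, doc_id: str, recipients, key: bytes = TOKEN_KEY):
    """Map tokens found in evidence (a leaked document, a paste, or a mail log line
    such as 'RCPT TO:<ref-...@example.com>') back to the recipients they were issued to."""
    found = set(TOKEN_RE.findall(evidence))
    return sorted(r for r in recipients if honeytoken(doc_id, r, key) in found)


DOC_ID = "pricing-2008-q3"                      # constructed
RECIPIENTS = ["alice", "bob", "carol"]          # constructed
TEMPLATE = """Q3 pricing proposal (INTERNAL)
Base discount for Acme: 12%
{{DECOY}}
Do not forward outside the deal team.
"""


def demo():
    copies = {r: watermark(TEMPLATE, DOC_ID, r) for r in RECIPIENTS}
    # Constructed leak: a competitor receives part of Bob's copy with the contact line dropped.
    leaked_fragment = "\n".join(line for line in copies["bob"].splitlines()
                                if "Acme" in line or "Supplier" in line)
    # Constructed mail-server line: a phishing message sent to Carol's decoy mailbox.
    carol_decoy = TOKEN_RE.search(copies["carol"]).group() + "@example.com"
    mail_log = f"Mar 14 02:11:09 mx1 postfix/smtpd[2210]: RCPT TO:<{carol_decoy}>"
    return {
        "distinct_tokens": len({TOKEN_RE.search(c).group() for c in copies.values()}),
        "leak_suspects": identify_mole(leaked_fragment, DOC_ID, RECIPIENTS),
        "mail_suspects": identify_mole(mail_log, DOC_ID, RECIPIENTS),
        "clean": identify_mole(TEMPLATE, DOC_ID, RECIPIENTS),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should carry with this: a careful leaker strips anything that looks like a serial number, so visible decoys work best alongside marks the leaker cannot see (spacing, word choice, image watermarks), and the decoy mailbox only pays off if the mail gateway alerts on every message addressed to it rather than silently bouncing it.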

      

Countermeasures (cont'd)

Monitoring

• Watching behavior by inspecting the information users access and produce
• It provides a starting point for profiling
• The types of monitoring that can be performed:
• Application-specific
• Problem-specific
• Full monitoring
• Trend analysis
• Probationary

      

Countermeasures (cont'd)

Signature Analysis

• It is an effective measure for controlling insider threat or any malicious activity
• It is also called pattern analysis because it looks for a pattern that is indicative of a problem or issue
• It catches only known attacks, and only those that occur the same way every time; novel or varied behavior has to be caught by profiling and trend analysis instead
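As an added example covering the signature analysis, monitoring and key-findings passages (not part of the original module), the script below runs a handful of rules over constructed audit-log lines: four signatures for the known patterns the Secret Service/CERT study reports (unauthorized account creation, granting a new account a privileged group, remote use of a shared account, activity by an offboarded user) and one baseline rule for after-hours remote logon. The log format, host and user names, working hours and account lists are all assumptions made for the example.

```python
"""Signature and baseline rules over constructed audit logs (added example, not CEH courseware).

Log format, host names, user names, working hours and the account lists below are
constructed for the example; a real deployment would read domain-controller and
VPN logs and take the lists from the directory service.
"""
from datetime import datetime, time
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) (?P<fields>.*)$")

WORK_START, WORK_END = time(8, 0), time(18, 0)     # assumed working hours
SHARED_ACCOUNTS = {"admin", "svc_backup"}           # assumed shared/service accounts
TERMINATED_USERS = {"jdoe"}                         # assumed offboarded users
PROVISIONERS = {"hr_sync"}                          # the only identity allowed to create accounts
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample log lines (syslog-like, one event per line).
SAMPLE_LOG = """\
2008-03-12T02:14:05 fileserver LOGIN user=mking src=10.0.5.7 method=vpn
2008-03-12T09:05:11 fileserver LOGIN user=alice src=10.0.1.20 method=console
2008-03-12T02:16:40 dc01 USER_CREATE user=mking new_user=backup2 groups=Administrators
2008-03-12T10:30:00 dc01 USER_CREATE user=hr_sync new_user=newhire01 groups=Staff
2008-03-13T23:50:02 dc01 LOGIN user=admin src=203.0.113.9 method=vpn
2008-03-13T22:10:00 fileserver LOGIN user=jdoe src=198.51.100.4 method=vpn
"""


def parse(line: str):
    """Parse one line into a dict of fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    for kv in m["fields"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def outside_hours(ts: datetime) -> bool:
    return not (WORK_START <= ts.time() < WORK_END)


def grants_privileged_group(rec) -> bool:
    return bool(set(rec.get("groups", "").split(",")) & PRIVILEGED_GROUPS)


# Each rule is (name, predicate). The last four are signatures for known patterns;
# after_hours_remote is a baseline rule and belongs with monitoring and profiling.
RULES = [
    ("after_hours_remote",
     lambda r: r["event"] == "LOGIN" and r.get("method") == "vpn" and outside_hours(r["ts"])),
    ("unauthorized_account_create",
     lambda r: r["event"] == "USER_CREATE" and r.get("user") not in PROVISIONERS),
    ("privileged_group_grant",
     lambda r: r["event"] == "USER_CREATE" and grants_privileged_group(r)),
    ("shared_account_remote",
     lambda r: r["event"] == "LOGIN" and r.get("user") in SHARED_ACCOUNTS and r.get("method") == "vpn"),
    ("terminated_user_activity",
     lambda r: r.get("user") in TERMINATED_USERS),
]


def analyze(log_text: str):
    """Run every rule over every record; return a list of (rule, user, raw line)."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        for name, pred in RULES:
            if pred(rec):
                alerts.append((name, rec.get("user"), line))
    return alerts


def by_user(alerts):
    """Correlate: a user who trips several rules is the one to look at first."""
    out = {}
    for name, user, _ in alerts:
        out.setdefault(user, set()).add(name)
    return out


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for name, user, _ in hits:
        print(f"{name:28} {user}")
    print(by_user(hits))
```

The after-hours rule is the odd one out: it is a baseline, not a signature, and on a real network it needs per-user or per-group profiles rather than one fixed window, or on-call staff will bury the analyst in alerts. The by_user() correlation is what turns seven alerts into one investigation: in the sample, mking logs in over VPN at 02:14 and creates an administrator account two minutes later.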

Summary

• The term 'corporate espionage' is used to describe espionage conducted for commercial purposes on companies and governments, and to determine the activities of competitors
• People with limited authorized access are called insider associates
• Insiders can use web and email to disclose the organization's information
• Cryptography garbles a message in such a way that its meaning is concealed
• Make sure that unnecessary account privileges are not allotted to normal users