ISMI-BoGP-Unit-11-Protection-of-Information PDF
Summary
This document provides an overview of information security challenges and risks, focusing on protecting intellectual property and sensitive data. It examines various threat vectors including espionage, competitive intelligence, and cyber sabotage. Key concepts like confidentiality, integrity, and availability (CIA) are also covered, highlighting the importance of security measures.
Full Transcript
Unit 11 – Protection of Information
Part I – The Challenges
11 | Page © Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted. V 3.0 (0923)

Unit 11 – Protection of Information

Introduction

Overview

Knowledge, know-how and information are the crown jewels of many organisations. Calder and Watkins (2012) emphasise that information and intellectual capital are often worth more to an enterprise than its physical assets. Referred to collectively as intellectual property (IP), these assets are, Wilding (2006) notes, often poorly protected despite being vital to the wellbeing of commercial organisations. This is a view echoed by Calder and Watkins (2012), who note that most organisations believe their information systems are secure; the brutal reality is that they’re not.

The purpose of this module is to set out some of the myriad risks to information and to present a range of means to manage these risks. Information security can only be achieved through a layered approach, taking into account the many dimensions for exploitation. The module will examine information risks and information security in general. An in-depth study of information systems security is, however, beyond the scope of this reference.

Unlike physical assets, information assets are present in many different forms and require multiple and overlapping means of protection. A fundamental principle of the protection of tangible assets is protection in depth, employing concentric rings of protection. With physical (tangible) assets this can be represented in a two-dimensional diagram. Information security, however, requires a multi-dimensional approach, as the threat sources (adversaries) and the methods used are very diverse.
Threats to Information

Information is of significant value to adversaries, who wage a relentless, usually unseen and undetected, campaign to obtain your most sensitive data. Methods can include plain theft, solicitation, inadvertent disclosure and hostile interception. The Internet, one of the most valuable tools in allowing businesses to communicate efficiently and economically with their markets, is also a primary means of attack and espionage, and the ambiguity of national borders and legal jurisdictions poses an almost insurmountable challenge. Some commentators have described the threats to information residing on the Internet as an epidemic (http://www.bbc.co.uk/news/technology-13626104).

Espionage by foreign government agencies seeking to give their domestic companies economic advantage in the global market is carried out on an unimaginable scale. Aside from the well-publicised stories about telephone and computer communications intercept, a number of foreign governments collect information about targets via a multitude of means, including front companies, which may engage in joint ventures or become a supplier to the target.

Government-level espionage is not confined to traditional adversaries. There have been many instances of accusations of industrial espionage between European and US companies, or between US and Asian companies. The intelligence services of countries that may ostensibly appear to be allies have long “waged war” in cyberspace in an effort to steal each other’s economic and industrial secrets so that they can be put to domestic economic advantage. History shows us that superpowers wax and wane, and there can be no doubt that information and know-how will be a key determinant in maintaining – or achieving – global economic dominance.
Moreover, computers and their associated technology make it simple for employees and ex-employees to walk away with trade secrets, and there is almost no limit to what can be stolen. What might have required an employee to exit through security with many boxes of documents twenty years ago (for a case study see http://www.nytimes.com/1997/01/10/business/vw-agrees-to-pay-gm-100-million-in-espionage-suit.html) can now be taken in an instant on a flash drive or uploaded to a personal Cloud account from the workstation desktop. The simple fact is that the speed of innovation in information technology is outdistancing our capacity to provide effective safeguards – and the risk of information theft by flash drive is fast being overtaken by the risk of staff copying sensitive data to personal Cloud accounts.

Nasheri (2005) highlights the problem that today’s information age requires businesses to compete on a worldwide basis, sharing sensitive information with appropriate parties yet protecting that information against competitors, vandals, suppliers, customers and foreign governments.

What Is Cyberspace?

Clemente (2013) observes that although cyberspace is sometimes categorised as a discrete sector, in practice it is so deeply embedded into sectors such as energy and transport as to make any separation meaningless. Cyberspace can be visualised instead as a thin layer or nervous system running through all other sectors, enabling them to communicate and function.

Information thieves are able to operate in cyberspace with a degree of anonymity, privacy, impunity and global access. Unlike a traditional crime, no physical presence is necessary and there may be no evidence of the theft. It is likely that the greater part of economic espionage falls into one of the following categories:

- Employees stealing information from their employers.
- Companies stealing information from competitors.
- Foreign governments stealing information about companies.
OSAC, the US Government’s Overseas Advisory Council (1994), notes that the majority of competitive information theft cases which occur in the United States involve a company’s own employees. You should not overlook, also, the significant threat posed by organised criminal gangs seeking to steal information – especially that stored in IT systems – for the purpose of identity theft.

Competitive Intelligence

It is easy to confuse espionage with competitive intelligence (CI), especially since espionage is so weakly defined in law. The majority of large companies have CI departments. CI, according to Nasheri (2005), takes a broad view of the market and how a particular company hopes to position itself. It relies on techniques such as recruitment, strategic and tactical surveillance, product sampling and profiling of target company personnel. It also examines the strengths and weaknesses of competitors. However, there is often a fine line between the legitimate and ethical collection of competitive information and the covert acquisition of proprietary business information.

Cyber Sabotage

Threats to information are not limited solely to information theft. Corruption of data, or denying access to data, can have as much impact on the operational continuity of a business as the theft of information, if not greater. The UK Government’s Cyber Security Breaches Survey 2017 found that 46% of companies surveyed had experienced at least one breach in the previous twelve months. It also found that the most common outcomes of a breach are a temporary loss of access to files or networks (23%), and software or systems becoming corrupt or damaged (20%).
This is demonstrated most clearly by the 2017 “WannaCry” global cyber security incident, in which ransomware infected more than 230,000 computers in over 150 countries, encrypted the contents of those machines, and demanded that a ransom be paid before the computer was made operational again. In this breach no data was stolen, yet scores of companies had their business operations interrupted, in some cases for months afterwards.

A multi-billion dollar criminal economy exists in which the skills and capabilities for computer hacking can be bought and sold. Through these commoditised tools criminals can quickly identify vulnerable systems, gain access to them, and use them for their own criminal purposes. Typically, the cybercriminal will seek to make financial gain from compromised systems, either by using them to send spam emails, or by installing malicious software to generate cryptocurrency or to encrypt the data on the system and demand a ransom from the system owner.

As the use of “smart” technologies and computer-based systems for industrial control continues to proliferate and become increasingly connected, threats to information bring with them real-world consequences. In 2014 the German Federal Office for Information Security (BSI) reported that a blast furnace at a German steel mill had suffered “massive damage” after the systems controlling it were breached. Power outages were experienced in Ukraine in December 2015 after three power distribution companies were compromised by malicious software.

Collectively, the three qualities of information known as Confidentiality, Integrity and Availability (CIA) form the foundation of information security, and this triad is discussed throughout this module.
The CIA Triad

The main requirements for information protection can be summarised with the abbreviation CIA, as follows:

Confidentiality

The characteristic whereby only those with sufficient privileges and a demonstrated need may access certain information. When unauthorised individuals or systems can view information, confidentiality is breached. Information could be accidentally disclosed by computer misrouting, inadequate protection, viruses and Trojans, lost flash drives, poor destruction of old equipment, etc. Here, access control and encryption are fundamental. To protect the confidentiality of information, a number of measures are used, including:

- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users
- Cryptography (encryption)

Confidential information may include business sensitive information such as trade secrets, and personal private data relating to living persons.

Integrity

Ensuring that information is not altered, modified or manipulated in any unauthorised way. The integrity of information is threatened when it is exposed to corruption, damage, destruction, alteration, substitution, or other disruption of its authentic state. This can occur inadvertently, or deliberately (directly or indirectly), when data is being entered, stored or transmitted. Data can be modified by fraudsters, and SCADA processes can be modified by hackers or pathogens (for example “Duqu”, the intelligence-gathering Trojan designed to harvest information about SCADA vulnerabilities for subsequent analysis and exploitation, discussed in Module 10). Many computer viruses and worms are designed to corrupt data. This damage may be undetected. Even after the malware has been removed, the corruption can remain, often unnoticed.
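Corruption of the kind described above goes unnoticed for as long as nothing compares the stored data against a trusted baseline. The following Python example is added here to illustrate automated integrity checking; it is not part of the ISMI module. It takes a keyed HMAC-SHA256 tag of each record while the data is known to be good and later reports anything that has been modified, removed or added. The record names, their contents and the verifier key are all constructed for the demonstration. A keyed tag is used rather than a plain hash so that a person who can rewrite a record, such as the manager altering figures or the guard replacing CCTV images that the module describes, cannot also recompute a matching tag without the verifier’s key.

```python
"""Keyed integrity manifest: detect silent modification of stored records.

Added example (not part of the ISMI module). A baseline HMAC-SHA256 manifest
is taken over a set of records while they are known-good; later checks
recompute the tags and report anything altered, removed or added. The key
is held by the verifier, so someone who can rewrite a record cannot also
rewrite its tag to match.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample data: a tiny set of "files" held in memory for the demo.
KNOWN_GOOD: Dict[str, bytes] = {
    "ledger/q3-figures.csv": b"account,amount\nA100,12500\nA200,8300\n",
    "cctv/2023-09-14-cam02.idx": b"frame=00001;hash=ab12\nframe=00002;hash=cd34\n",
}

# Hypothetical verifier key. In practice it comes from a secrets store that
# is not writable by the people or processes that can write the records.
VERIFIER_KEY = b"example-key-for-demo-only"


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 of one record, hex encoded."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, records: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline: one keyed tag per record, taken while the data is trusted."""
    return {name: tag(key, data) for name, data in records.items()}


def verify(key: bytes, manifest: Dict[str, str],
           records: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Recompute tags and classify every discrepancy.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}.
    All three lists empty means integrity holds for the manifest's scope.
    """
    result: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in records:
            result["missing"].append(name)
        elif not hmac.compare_digest(expected, tag(key, records[name])):
            result["modified"].append(name)
    for name in records:
        if name not in manifest:
            result["unexpected"].append(name)
    for names in result.values():
        names.sort()
    return result


def demo() -> Dict[str, List[str]]:
    """Simulate two scenarios: a ledger figure altered, a CCTV index replaced."""
    manifest = build_manifest(VERIFIER_KEY, KNOWN_GOOD)
    tampered = dict(KNOWN_GOOD)
    # One digit changed in the ledger: plausible to the eye, invisible without a check.
    tampered["ledger/q3-figures.csv"] = b"account,amount\nA100,12500\nA200,8800\n"
    # The CCTV index is removed and a replacement appears under a new name.
    del tampered["cctv/2023-09-14-cam02.idx"]
    tampered["cctv/2023-09-14-cam02-fixed.idx"] = b"frame=00001;hash=ab12\n"
    return verify(VERIFIER_KEY, manifest, tampered)


if __name__ == "__main__":
    print(demo())
```

The check only covers what the manifest covers, so the baseline must be taken before the data is exposed to the threat and stored somewhere the people it is meant to catch cannot reach; a manifest kept beside the records, writable by the same accounts, adds little.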
To manage inadvertent threats to integrity, systems employ a variety of automated error control, intrusion detection/protection, access control, automated integrity checking and malware protection techniques. But deliberate manipulation or alteration of data, such as by a manager changing figures to conceal a fraud, or by a security guard replacing digitised CCTV images to conceal a crime, may be more difficult to detect. Automated fraud red-flagging software may be useful.

Availability

Ensuring the continued and uninterrupted accessibility of information to those who require it. Authorised users need to be able to access data in a usable format on demand. A user may be a person or another computer or resource. Threats to availability include (but are not limited to) natural disasters, fires and explosions, poor back-up protocols, malware (which can corrupt or destroy files), DDoS attacks, file or media corruption, exploits, hacking and failure to back up data to a protected central fileserver (or the Cloud). Availability may also be denied by the theft of hardware, especially laptops.

Are You Sufficiently Prepared to Meet the Threat?

An essential precursor to protecting against information leakage is recognising that the problem exists, and this is a stumbling point for many boards, which may not appreciate the scope and methods of information targeting. Thus, when a new product fails to meet expectations (see product life cycle diagram, right), fingers are pointed at Marketing, Distribution, Quality, R&D etc. Rarely is consideration given to the possibility that information may have leaked to an adversary, perhaps giving that adversary a competitive pricing edge by obviating its need to carry out its own expensive R&D.
ONCIX, the US Office of the National Counterintelligence Executive (www.ncix.gov), publishes regular updates on the extent of corporate espionage against the United States and provides a number of good practice publications for free download. Ten years ago, ONCIX published the following findings in its annual report:

- The greatest losses and threats involve information about manufacturing processes, ICT (information and communications technology), scarce natural resources, aerospace, clean energy projects, and pharmaceuticals.
- The Internet and information systems have significantly increased the risks to corporate proprietary information.
- From the insider perspective, on-site contract employees and joint-venture (JV) partners may pose the greatest threat to proprietary information.
- The majority of companies do not effectively safeguard proprietary information.
- Most companies lack a mechanism and process by which to assess the value of proprietary information.

It is likely that many of the above observations remain ineffectively mitigated to this day, and that developments in the way we use technology and the increased sophistication of attackers have further shifted the balance in favour of the adversary. Furthermore:

- Cyberspace offers greater security to the perpetrator in cases involving insiders.
- Workers increasingly draw few distinctions between their home and work lives, and will expect free access to any information they want, anytime, from anywhere.
Chris Davy CB, a former leading UK investigator into industrial espionage who has worked with major UK companies, makes the following observations in regard to information protection and vulnerabilities:

“In many British companies the security of information rests precariously on the honesty, integrity and care of the staff, and nothing else.”

“In many cases where leaks have occurred and I have been called in to investigate, I would have to describe the level of information protection as reckless.”

At the information systems level, the picture is no better. Ponemon (2012) finds that employees exacerbate existing vulnerabilities and create new ones by routinely engaging in the following top-ten risky practices:

1. Connecting computers to the Internet through an insecure wireless network.
2. Not deleting information on their computer when no longer necessary.
3. Sharing passwords with others.
4. Reusing the same password and username on different websites.
5. Using generic USB drives not encrypted or safeguarded by other means.
6. Leaving computers unattended when outside the workplace.
7. Losing a USB drive containing confidential data and not immediately notifying their organisation.
8. Working on a laptop when travelling and not using a privacy screen.
9. Carrying unnecessary sensitive information on a laptop when travelling.
10. Using personally-owned mobile devices that connect to their organisation’s network.

The Threat Tempo

In his report on Emerging Cyber Threats to the United States before the US House of Representatives, Frank J. Cilluffo (2016) observes that:

“The threat tempo is magnified by the speed at which technologies continue to evolve and by the fact that our adversaries continue to adapt their tactics, techniques and procedures in order to evade and defeat our prevention and response measures.”

The continual increase in performance and decrease in size of computing devices leads to new technologies and novel uses for technology. This brings with it smart watches, health tracking devices, network-connected thermostats and household appliances that can be controlled from a smartphone. Each new innovation introduces different ways in which information can be stored, processed and breached. While the use of mobile phones within a secure area may be prohibited, does this policy apply to smart watches?

Similarly, adversaries rapidly find means to exploit new technologies, and new ways to exploit existing technologies. This trend will continue. As the proliferation of Internet-connected devices and systems continues, attacks and attack methods will become ever more audacious and attack consequences ever more severe. The security industry will be perpetually playing “catch-up”.

Due to the rapidly changing nature of this aspect of information systems security, you may wish to carry out your own research, as it will surely impact on the security of any physical protection system (e.g. CCTV, access management, IDS) that you decide to migrate to an IP-based system. To help you understand this further, it is recommended you read the following Online Library articles:

- How hackers will exploit the Internet of Things in 2017.
- The “secure” Wi-Fi standard has a huge dangerous flaw.
- 175,000 IoT cameras can be remotely hacked thanks to flaw, says security researcher.
Specific Idiosyncrasies of Information as an Asset

Overview

Sensitive information takes many forms, from the spoken word, through hardcopy, to computer data. Some information, such as hardcopy, is relatively easy to protect, given the will to do so. Other forms of information, such as knowledge, know-how, computer data and communications, present significant protection challenges. The intangible nature of much information means that it is virtually impossible for an organisation to take stock of all its information assets. Even if all of the files on a computer network could be checked and classified, nobody in the owning organisation knows how much sensitive information, and of what nature, is in people’s heads or has been passed on to other parties.

Valuing Information

You have learned from the security risk analysis module that there are two approaches to valuing regular assets. The first, and simplest, is the book value – the cost of replacement. This, however, is inadequate for the purpose of a risk analysis. A better method is to assess the criticality of an asset and its relative value to the operation in relation to how it fits into an asset cluster. Does it have redundancy? Is the mission critically dependent on its presence? In this way you will see that even relatively low value components such as copper wire can have a value to the enterprise many times that of their replacement value.

In practice, determining the relative value of regular assets can be quite challenging. But these challenges seem very basic when trying to determine the value of information. One of the unique aspects of this kind of asset is that even when it is stolen it usually remains in the possession of the owner, as “theft” usually involves some form of copying, sharing or disclosure. This makes it very difficult to detect and prosecute information theft.
Common, but not wholly satisfactory, approaches to valuing information include:

- The time it took to create the information, or the time it would take to recreate it. This can be applied to information which has been destroyed, accidentally or maliciously.
- The damage to an organisation in terms of reputation damage, loss of clients, fines from regulatory bodies etc. Fines are sometimes a concern where personal data has been compromised. The clean-up costs during and following an incident should also not be underestimated. These could include notifying customers that their data has been breached, hiring expensive data forensics specialists, and lost revenue caused by IT system downtime.
- The loss to the organisation of essential know-how where it has been removed, computer files have been corrupted, or key personnel have left. The organisation may have impaired capacity to continue.
- The value to the party who benefits from your loss. This may be a competitor, former employee, supplier etc.

A common view is that the best way of assessing the value of an asset is by considering the damage and consequences that are likely to occur in the event of its compromise. This is frequently referred to as “business impact assessment”. All three aspects of the CIA triad should be taken into consideration, and a loss of information security may impact one or multiple aspects at the same time. For example, consider a patient’s medical notes in a hospital, which could be in either hard or soft copy:

- Confidentiality can be breached if these notes are viewed by an unauthorised person, copied inappropriately or emailed to the wrong person. In this case, the business impact could be a breach of data privacy laws, leading to fines and censure from a regulator.
- Integrity can be breached if the notes are illegible, or if the notes of one patient are mistakenly included within the folio of another patient. In this case, the business impact could be severe – the patient could be given incorrect medication or treatment.
- Availability can be breached if the notes are not accessible to the doctor when required. It could be that the IT system is unavailable, or that paper records have been mislaid. In this case, the business impact could be a delay to the patient’s treatment.

Related to the above is the temporal value of information, which is addressed in the section below on the information lifecycle.

The Information Lifecycle

Information may take various forms throughout its lifecycle. When creating information, it is important to envisage this. For example:

- Notes from a sensitive meeting may initially be in handwriting. What ultimately happens to the notebook? Is it accounted for? Is it properly disposed of?
- From the notebook, it may then be converted into a computer note, stored on a network, or on a personally-owned device. Who ensures that the note is encrypted? Do users have access to encryption, are they aware that such a facility exists within Microsoft Office, and do they use it? Are their laptops encrypted? What happens to the computer’s hard drive when it is disposed of? Are there accounting procedures and records of hard drive disposal? Is there a means to know whether sensitive information has ever been transferred onto a thumb drive? How secure is the thumb drive?¹
- Meeting attendees may discuss the points of the meeting with other parties, who may, themselves, share on the information. Is every party subject to a non-disclosure agreement (NDA)?
- Information may be sent to another party. What controls do they have in place to protect it? What options for redress do you have in place if these controls are not applied or not effective? Is it sent in encrypted form? On how many computers does it now reside? Has it been sent outside the organisation to another domain? Does it now reside on smartphones?

¹ Note that the module uses the terms thumb drives, flash drives, data sticks etc. interchangeably.

Information Theft and the Law

In the UK, theft of personal data may be prosecuted as an offence under the Data Protection Act 1998, and if an individual is offered money to steal personal data, bribery offences may also be applicable. However, there is no effective law relating to industrial espionage. This makes it very difficult to prosecute for information theft. Most legal approaches in the UK focus on civil law to prevent employees using information obtained during the course of their employment for other purposes. And even if there were criminal recourse, how would an organisation go about convincing a court that it owns the information when it probably has no inventory of what information it owns and where all of the information is?

In the US, there are laws on economic espionage, but fundamental to proving the case is the defendant being able to demonstrate that it took reasonable steps to secure the lost or compromised trade secret. In reality, many companies’ appreciation of “reasonable” may not meet the litmus test for courts or law. The fact is that in many companies, information is not comprehensively protected.

Another way of looking at the information lifecycle is in temporal terms – its dynamic value at any particular time. For example, product launch information will often be highly sensitive in the period leading up to the launch, but once the product is launched it may have no value. The same may be true of unique designs in the pre-patent phase of development.

Civil law protection is addressed in the following section.
Proactive Legal Approaches to Intellectual Property Protection

In some instances it is necessary to put intellectual property (IP) or information into the public domain in order to do business. And in some cases information is the organisation’s product. In such cases there are legal approaches (under civil law) that can be employed. Primarily, these are patents, trademarks and copyrights. These terms have slightly different parameters depending on the legal jurisdiction in which they are used. For example, patents may need to be registered in every market country. Most companies employ or retain teams of IP legal experts to advise on this.

Patents – A patent is a means of protection that can apply to inventions, formulations, unique physical designs etc. Granting of a patent excludes other parties from copying that invention or design. A patent typically has a life of 20 years and is non-renewable. As an illustrative example, http://www.ipo.gov.uk/types/patent.htm provides a good perspective on the UK approach to patents.

Trademarks – A trademark is a word, phrase, logo or other graphic symbol used by a manufacturer to distinguish their products from others (ASIS, 2007). The UK Intellectual Property Office (2012) notes that if you have a registered mark, you have the right to use your mark on the goods and services in the classes for which it is registered. You also have the legal right to take action against anyone who uses your mark, or a similar mark, on the same or similar goods and services to those that are set out in the registration.

Copyrights – A copyright is a means of protecting creative works. For balance, we will illustrate copyright by presenting a Canadian perspective. According to the Canadian Intellectual Property Office (2013), copyright applies to all original literary, dramatic, musical and artistic works provided the conditions set out in law have been met. Each of these general categories covers a wide range of creations, including:

- Literary works: books (for example, the CSMP training materials), pamphlets, computer programs and other works consisting of text;
- Dramatic works: motion picture films, plays, screenplays, scripts, etc.;
- Musical works: musical compositions with or without words; and
- Artistic works: paintings, drawings, maps, photographs, sculptures, plans, etc.

For a detailed explanation of copyright refer to http://www.cipo.ic.gc.ca/eic/site/cipointernet-internetopic.nsf/eng/h_wr02281.html

Determining What Is Sensitive Information

Overview

Information is part of the broader family of intellectual property (IP), a mix of tangible and intangible assets that may or may not be in the public domain. As discussed, IP that is in the public domain is usually protected by legal means: unique designs are protected by patents, slogans and symbols may be protected by trademarks, while printed, artistic and recorded product may be protected by copyright. Sensitive information which an organisation seeks to keep confidential may be broken down into two groups:

- Proprietary information.
- Personal data.

Proprietary Information and Trade Secrets

Proprietary information is sensitive information that is not public knowledge and over which the possessor asserts ownership. In the business community, proprietary information relates to the structure, products, financial data, test results, business methods etc. of the organisation, and gives the organisation certain competitive advantages. It is usually protected in some way against casual or general disclosure, and the person to whom the information is entrusted is generally duty-bound to refrain from making unauthorised use of the information.
There is some blurring of the boundaries between what constitutes proprietary information and what is a trade secret. For example, some definitions of proprietary information include that which is protected by legal means (copyrights, patents, trademarks), while the World Intellectual Property Organization’s (WIPO – http://www.wipo.int) definition of trade secret is very close to the definition of proprietary information above:

Confidential business information which provides an enterprise a competitive edge may be considered a trade secret. Trade secrets encompass manufacturing or industrial secrets and commercial secrets. The unauthorised use of such information by persons other than the holder is regarded as an unfair practice and a violation of the trade secret. The subject matter of trade secrets is usually defined in broad terms and includes sales methods, distribution methods, consumer profiles, advertising strategies, lists of suppliers and clients, and manufacturing processes.

In the United States trade secrets are defined as:

All forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (a) the owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.
It is argued that corporate trade secrets and proprietary information represent the most valuable economic and business resource for gaining competitive advantage and market share in a free market, global economy. In an effort to protect US trade secrets, especially against foreign exploitation, the US introduced the Economic Espionage Act 1996, which criminalises the theft or misappropriation of trade secrets, providing exceptionally heavy penalties for violators.

The primary impact of loss of proprietary information is potential damage to the business' competitive edge and benefit to another party.

A particular type of valuable proprietary information that is frequently overlooked is the technical information describing IT systems and the business information describing the organisation itself. This information may be published inadvertently within job adverts for technical staff, or within employees' online profiles. Guidance should be given to employees to ensure such information does not leak.

"As with any operation, every attack has a budget; making organisations significantly hard targets will often drive attackers elsewhere or cause them to reconsider their priorities." (CPNI 2016 PIANOS Report)

The UK's Centre for the Protection of National Infrastructure elaborates on this concept in their report, Protecting Information About Networks, the Organisation and its Systems (PIANOS) (CPNI 2016): "In order to achieve their objectives attackers must understand the environment they are attacking, which means that regardless of the organisation targeted much of the information sought is the same.
Attackers target information about the systems and networks they are attacking, and by defending this information organisations can hinder the actions of attackers."

Personal Data

Personal data refers to any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, from the information, which may include names, residences, email addresses, occupations, bank details, telephone numbers etc. The definition is also technology neutral. It does not matter how the personal data is stored: on paper, on an IT system, on a CCTV system etc.

Many organisations store, and assert ownership over, such data stored in employee or client databases. In this regard there can be some crossover with the definition of proprietary information; however, it is important to recognise that in many jurisdictions the "data subject" is regarded as the owner of the data, and the company processing the personal data is merely a custodian of it and must respect the rights conferred to the data subject by legislation.

The EU General Data Protection Regulation (GDPR) replaces previous EU data privacy legislation and is hugely significant. It sets out detailed rights of data subjects and is extra-territorial in its reach. This means that any company providing goods and services (irrespective of whether payment is required), or which monitors the behaviour of data subjects within the EU, even if that company is not based in the EU, is required to comply with the requirements of the GDPR. It brings with it substantial fines for improper handling of personal data; up to €20 million or 4% of a corporation's annual global turnover. The regulation was adopted in 2016 and becomes enforceable from 25 May 2018.

A detailed analysis of data protection law is beyond the scope of this module; however, some reference documents are provided in the ISMI® Online Library.
As a quick reference guide, the law firm DLA Piper provides a useful website summarising and comparing data protection laws around the world: https://www.dlapiperdataprotection.com

A key differentiator between proprietary information and personal data is the impact on the organisation if personal data is lost or compromised. At the very least this could be loss of customer confidence, but in some sectors, especially finance where such loss has to be disclosed, this could be a multi-million dollar fine and public humiliation. All it takes is for a thumb drive to be lost or for an unencrypted laptop to be stolen.

Moreover, there are Internet sites such as http://datalossdb.org/ to which registered users can upload their own reports of organisations losing personal data. Reports on the site indicate the company, the nature and extent of the loss, and the media. Typical media losses include stolen PCs and laptops, stolen or lost external drives, hacking, carelessly disposed-of documents, malicious email, exposure on a website, stolen documents etc.

Organised criminal gangs seeking to carry out identity theft pose a significant risk to personal data. In specific regard to the targeting of personal data, the 2012 Trustwave Global Security Report drew the following conclusions:

- The food and beverage industries were top targets.
- The majority of cybercriminal attacks are against personal data (89%).
- Attacks have a high success rate.
- Weak passwords are a problem. The most common password used is Password1.
- The most likely time to receive an email with a malicious attachment is 0800-0900 EST (1300-1400 GMT).
- Only 16% of investigated companies self-detected attacks. The remaining 84% were alerted by information from an external entity: regulatory, law enforcement or public.
- Malware resided for an average of 173.5 days within the victim's environment before detection occurred.

Types of Data at Risk

It is difficult to state categorically which types of data are at risk in your organisation. Much will depend on the objectives and sophistication of the adversary and the nature of your business. Some common categories to which you should consider providing enhanced protection include:

- Customer lists
- Unique methodologies or techniques
- Research and development details
- Processes
- Marketing plans
- Codes
- Product launches
- Sensitive quality information
- Staff records
- Ways to improve or streamline business
- Future expansion or downsizing plans
- Negotiating positions
- Financial and pricing details that are not for public release
- Executive travel plans
- Marketing / strategic plans
- Product formulation or designs
- Scientific information (eg. seismology)
- Prototypes
- Contracts
- Pricing plans and agreements
- Staff and customer personal information
- Agreements with distributors
- Tenders
- Client information
- Forecasts
- Complaints or known product shortcomings
- Payroll
- Customer secrets
- Specific technology details

Research has shown pricing information to be one of the most commonly-targeted categories by competitors.

Where Information Is Held

Personnel Knowledge and Know-How

Considerable sensitive information and know-how is in employees' brains. It should be appreciated that such employees may also be of value to competitors, and key to protecting information in this domain is to ensure that employees are content. The business environment is very dynamic and many employees will not stay with the same employer for more than five years.
Wilding (2006) draws attention to the difficulty in protecting knowledge under such circumstances, emphasising the particular problems in controlling or preventing the transfer of knowledge between employees and other parties. People may leave an organisation but retain significant knowledge about its methods, operations, processes and relationships. Such knowledge may not only be proffered to third parties but also be misused to defraud the organisation, to blackmail, sue or embarrass it. Nasheri (2005) notes the changing relationship between employer and employee and draws attention to the dramatic increase of employees departing with their employers' trade secrets. Therefore, there need to be measures in place to protect the knowledge gained by employees from unauthorised use or disclosure. This is addressed beginning on Page 55.

In Hardcopy

Computerisation means that the percentage of sensitive information held in hardcopy is ever reducing, but overall increases in the amount of information held by organisations means that the volume of hardcopy stored will continue to be significant. Hardcopy can be in many forms, ranging from ledgers and files, through desk diaries to personal notebooks. The latter may be a particular concern, especially if used in a research and development or laboratory test context. While there may be measures to protect sensitive hardcopy contained in files, there is often less control over what is sent for disposal. It is not uncommon for sensitive misprints, drafts and print overruns to inadvertently get into the regular waste bin, nor is it uncommon to find sacks of sensitive waste waiting around to be shredded. Hardcopy security is addressed beginning on Page 56.

In IT Systems

IT systems have brought unimaginable benefits to organisations.
Most organisations couldn't function economically and competitively without the benefits of IT. However, IT systems have the major disadvantage that they are capable of allowing the loss or theft of enormous quantities of sensitive information in a single action, literally in a one-second keystroke, and the interconnectivity of systems means that today's employees often have access to vast amounts of sensitive data at their fingertips. Despite there being many and varied solutions to data theft or data loss from IT systems, remarkably few organisations put into effect adequate safeguards. These are addressed beginning on Page 57.

Industrial control system is a term used generally to describe control systems and associated instrumentation used in industrial production environments (Wikipedia). These systems may contain trade secret information relating to recipes, the production process itself or sensitive information pertaining to safety and security in some CNI environments. In this environment, integrity and availability of information is paramount to ensure that operators can maintain safe control and visibility of the state of the system. There are particular nuances to be considered in securing industrial systems. These are discussed in a good practice framework published by CPNI in the UK and by the DHS in the USA: https://www.ncsc.gov.uk/guidance/operational-technologies and https://ics-cert.us-cert.gov/Recommended-Practices

In Digital Media

The fact that consumer digital media is virtually identical to business digital media provides huge cost savings for organisations. Moreover, BYOD (bring your own device) is becoming the rule rather than the exception, allowing for permitted interconnectivity between personal devices and company systems.
It is little use banning personal flash drives as today's smartphones provide identical data-syphoning functionality if connected to an IT system. This enables those with access and malicious intent to copy across to personal media phenomenal amounts of sensitive data. For example, 64 GB of flash memory (typical for smartphones with microSD cards and thumb drives) can store the equivalent of literally millions of pages of documents. Vast quantities of data can be transferred to flash media in the time it takes for a colleague to go and make a cup of coffee.

In the Cloud

The Cloud has led to a revolution in the way in which companies manage and store data. The ubiquity of the Internet means that vast amounts of data no longer need to be held on fileservers, PCs and laptops owned by the company, as long as users can access the Internet. Instead, data can be stored in virtual cyberspace, which in reality is "someone else's computer". Among the most significant security risks associated with Cloud computing is the tendency to bypass information technology departments, and Cloud computing introduces significant new avenues of data attack. Moreover, the Cloud is in parallel a consumer product, allowing those with personal Cloud accounts (and this is increasingly most employees) to upload their organisation's data to personal accounts out of reach of the organisation.

While day-to-day issues of IT security remain unresolved, the introduction of concepts such as BYOD and the Cloud require IT security professionals to consider these new risks and articulate business cases for appropriate and pragmatic controls that enable the organisation to take advantage of Cloud services (which are becoming increasingly mainstream), while making it difficult for data thieves to quietly go about their work and take advantage of the conundrum and confusion.
In Communication

Information in communication has always been at risk. Rooms and telephone sets and lines can be bugged with relative ease by unsophisticated adversaries, and many governments have maintained the ability to intercept long-distance telephone calls since the beginning of the telephone. The huge advances in telecommunications technology in recent years, especially digitisation of communications, have played directly into the hands of countries which have highly developed intelligence collection capabilities. Mobile phones can be specifically targeted and not only intercepted but can also be used as remote listening devices. Computers connected to public networks (Wi-Fi hotspots, including hotels) can be intercepted. Wireless communication should be recognised as inherently less secure than wired communications as the signals are broadcast. Security controls in place should take this into account. Even the communication between a keyboard and its host computer can be intercepted to reveal keystrokes. Countermeasures for this are presented in various sections of this module.

The Adversaries

Overview

It is often said that there are four adversary routes to information disclosure:

- Outsiders.
- Insiders with malicious intent.
- Insiders by inadvertent disclosure.
- Insiders colluding with outsiders.

However, these neat categories sometimes oversimplify the adversary landscape. The lines between white-collar information theft, economic espionage and legitimate intelligence gathering are very blurred.
In relation to intelligence gathering, for example, Nasheri (2005) notes that intelligence gatherers can be competitors, vendors, investigators, business intelligence consultants, the press, labour negotiators and government agencies.

Employees

It is a fact that in most companies the security of information depends more on the day-to-day actions of the staff than on technology. In cases where information theft has come to light (and most cases don't come to light), huge vulnerabilities in the information protection regime have been exposed.

Nasheri (2005) cites an ASIS study that reports trusted insiders posing the greatest risk to the divulgence of trade secrets. This point is echoed by Wilding (2006) who states that information theft is predominantly an insider risk, with vastly more confidential information removed from their workplace by employees than by hackers.

Contented employees are far less likely to target information than are disgruntled employees. However, many contented employees are often looking for the next employment opportunity, and there is a reasonable statistical risk that they will target sensitive information on their way out.

"Historically, the contract between an employer and employee involved an exchange of 'loyalty for security'. Today's rapidly changing business environment has made the promise of job security a thing of the past. This has resulted in a growing lack of loyalty amongst many employees. With a transient workforce and a breakdown in traditional loyalties, many employees regard the proprietary data belonging to their employers as currency with which to barter in the jobs market." (Source: Wilding, 2006)

An insider working on behalf of an outside party poses a particularly pernicious threat, as here we see the factors of opportunity and accessibility of the insider combining with the directed targeting (and often pressure, perhaps through bribery, job offer or blackmail) of the outside party.
Again, this point is supported by Wilding (2006), who identifies employees as obvious targets for industrial spies, criminals and hackers. It is important here not to overlook contractors, who will often have circumvented your own background screening processes, and may have access to the corporate network.

Insiders may be cultivated by outsiders or they may be inserted as a mole. Means of cultivation include exploiting a grievance or a moral concern, offer of a new job, bribery, blackmail etc. Moles can be inserted into the company as regular employees, contractors or as temporary employees. There is no shortage of young people, in particular, who will accept an offer of this kind of "James Bond" excitement. Typical target posts for temping (temporary) staff moles include IT administration and secretarial. These are temping positions which are relatively easy to obtain and which allow for significant access to large amounts of sensitive information.

Nasheri (2005) notes that there have been cases where foreign intelligence services (FIS) have tried to recruit employees of the same ethnicity, appealing to their love of their native homeland. This problem is echoed by OSAC (1994), which notes that with specific regard to US businesses overseas a local or foreign employee who is otherwise a good corporate citizen may feel the pressure of patriotism or intimidation by an all-powerful government agency to provide competitive information belonging to his/her American employer.

Former Employees

Wilding (2006) emphasises the risk posed by former employees who had trusted access to information systems.
A significant number of external attacks against information systems are committed by former employees, contractors or aggrieved parties who had formerly been given authorised access to the systems under attack and thereby gained inside knowledge of the targeted systems and network. Sometimes, departing employees leave virtual back doors through which they can access the system after departure. Additionally, legitimate access of a leaver is often not revoked in a timely manner, giving them ongoing access after their departure.

Competitors

Nasheri (2005) notes that corporations have been spying on one another for decades. They may use legitimate competitive intelligence techniques (as described in the competitive intelligence description on Page 15) or more covert tactics such as trying to elicit information from employees or former employees, or offering jobs to employees of competitors. Reverse engineering is another common tactic.

The situation is most extreme at the international level, where the state intelligence apparatus of many nations (FIS) aggressively target the commercially secret information of other nations' competitors. This is relatively common where there is a branch of the target company in the FIS host country, in which case telephone calls and Internet communications are sometimes intercepted. In some cases, offices are bugged, and it is not unknown for listening devices to be placed in vehicles and residences of targets.

Sometimes the approach to a competitor comes from the employee, who has, perhaps, amassed sensitive information which they now want to use to their advantage in securing a better job with the competitor. In approaching a competitor, the offer of IP may not be explicit, but assumed. ONCIX has identified JV partnerships as a route through which competitors may seek to obtain sensitive information.
Another route is common contractors, or a contractor who is perhaps disaffected at losing a long-term contract with one company and which then approaches a competitor with confidential information. From time to time, competitors may use information brokers (described below).

Business Partners

Business partners can be suppliers, distributors, customers, JV partners, government agencies, etc. It is in our nature to trust business partners as, to all intents and purposes, it appears that we share common goals. For the most part, this trust is not misplaced. However, business partnerships present a perfect opportunity for the adversary to exploit, and as much as we may want to trust the partner as an entity, how much do we know, and how much does it know, about its individual employees to whom our sensitive information is entrusted?

In the context of information security, business partners should extend to hotels. Not only do FIS cultivate hotel staff to work on behalf of their national interest in helping to collect intelligence against guests, but they may also seed the staff with their own employees, who trawl through hotel and conference rooms copying laptop data, photocopying sensitive documents and planting listening devices and covert cameras.

Foreign Governments

It is sometimes said that there aren't strategic alliances, only strategic interests. A host government that can welcome you into the country with open arms may at the same time be conducting an intensive intelligence operation against your employer's trade secrets. This may lead to divided loyalties.
Many employees of foreign companies, if asked by a member of their domestic intelligence service to collect intelligence against their foreign employer, would acquiesce on the grounds that serving the national interest prevails over serving the interest of the foreign employer.

FIS may go to extraordinary lengths to spy on business travellers, and you should be aware that the fact that you may see the destination country as "friendly" is no guarantee that it won't spy on your travelling executives. Some countries' FIS intercept 100% of SMS messages and emails transmitted or received over smartphones roaming on their domestic networks. They may also:

- Plant listening devices in hotel and meeting rooms.
- Listen in to phone calls.
- Engineer meetings.
- Circumvent your laptop security when connected to Wi-Fi networks, such as in a hotel.
- Access laptops when in hotel safes.
- Seize laptops and smartphones of travellers at airports, even if in transit.
- Hack into smartphones and use them as listening devices.
- Hack into laptops and activate the webcam or microphone.

Additional methods of espionage reported by the FBI in its annual report to Congress (Wilding, 2006) include:

- Agent recruitment and the placement of agents within companies.
- The coercion of current and former employees.
- Surreptitious entry to offices, laboratories and manufacturing plants.
- Theft of computers.

Some FIS will also attempt to hack directly into your corporate network, and many networks of large companies have fallen victim to this. Physical distance is no obstacle, and this can be done by FIS on one side of the world to a company on the other side. Many companies have no idea that they have been penetrated. Companies that make up the nation's critical national infrastructure (CNI) are particularly at risk.
CNI sectors were identified in Module 10.

The extent to which FIS will go to obtain specifically desired information knows little bounds. For example, at security trade shows it is reasonable to assume that from time to time there will be exhibitor booths set up by "companies" that are fronting for a FIS. FIS will also set up consulting firms to work with a particular target. Other FIS "overt" tactics, according to Wilding (2006), may include:

- The aggressive pursuit of joint ventures, mergers and acquisitions.
- The use of temporary research students with access to the target site's facilities.
- Scientific or technological exchanges.
- Direct requests for information.
- Contrived visits to sensitive facilities, often on the pretext of potential custom.
- The acquisition of technology or entire companies (eg. subcontractors, suppliers).
- The exploitation of overseas distribution agreements.

And with the blurring of the boundaries between government employees and contractors, the latter are often subcontracted to perform specific intelligence-gathering roles, sometimes the same international companies that may be employed by you as service providers.

In specific regard to FIS recruiting your employees, OSAC (1994) points out that an employee's rank in the company is not necessarily commensurate with the interest of an agent of FIS. Researchers, key business managers, and corporate executives can all be targets, but so can support employees such as secretaries, computer operators, system administrators, technicians, and maintenance people. The latter frequently have good, if not the best, access to competitive information. Additionally, their lower pay and rank may provide fertile ground for manipulation by FIS.

Information Brokers

Information brokers trade in information. Many operate legitimately. Some don't. The oil and gas industry is one of a number of sectors which suffers from information brokers seeking to gain information of value to tendering contractors.
Methods may range from open-source data gathering, through computer-based data mining, to targeted social engineering (see Page 37) of specific employees. Information brokers generally do not skulk about in the shadows. They often blend in with business settings, and can be found where one would normally expect to encounter fellow professionals. They are usually highly intelligent, articulate, social and adept at networking. They may appear at conferences and seminars networking with delegates, or at exhibitions representing companies which may be a front for another entity, perhaps a foreign government.

In terms of tactics and ethicality, information brokers can be viewed on a continuum. At the one end are those who work perfectly legitimately, harvesting information from genuine open sources. At the other end are those who may use trickery, deceit and social engineering to ensnare the unsuspecting employee. Wilding (2006) notes that those who exploit regular employees can be insidious and difficult to defeat, as they usually bypass traditional firewall and information security perimeter defences.

Journalists

Journalists come in many different shades, political allegiances and agendas. Many journalists become journalists not because they like writing but because they seek an outlet to express strong views. In addition to regular journalism, we now have to contend with so-called "citizen journalism": the ability of regular citizens to reach out to literally millions of readers via the Web or social media (see http://journalism.about.com/od/citizenjournalism/a/whatiscitizen.htm ).
A particular characteristic of Web-based journalism is that stories often invite readers to publish comments, meaning that an adverse story about your organisation can gain significant momentum through its readership.

Journalists are less interested in the theft of information and more interested in its leakage: placing sensitive information in the public domain, perhaps out of individually subjective views on what constitutes "in the public interest". As such, they may represent a significant threat to your information, and they may approach your employees. Trade sector journalists are usually those who are most interested in your business, and who probably represent the least threat. However, your contractors, unless bound by a non-disclosure agreement, may use them to publish advertorials, presenting the benefits that they have brought to your operations as a case study.

Journalists writing for the "alternative media" (or indie media) usually have an anti-corporate bias and will see a sinister side to almost all business operations, and seek to expose it to their readers via Web-based media. An example from the UK is http://www.corporatewatch.org Regular "mainstream" journalists follow these posts to see if news of "national public interest" breaks.

Journalists are adept at getting to the story, even when there is no real story, so their skill set is particularly attractive to intelligence agencies. They are often spied on by intelligence agencies, and may monitor social media feeds to get a scoop on leaked data or hacked sites. Journalists may also be in the pay of FIS or may be undercover FIS agents.

Activists

Those who may be opposed to the activities of your organisation may seek to gain information by various means. Activists can be within the local community or can belong to broader movements, such as environmentalists, anti-capitalist, anti-vivisection etc.
MI5, the UK Security Service (2006), warns that many CNI organisations are familiar with the continuing threat from insiders acting for commercial or personal gain, for the purposes of espionage, or to pursue the aims of single issue groups such as animal rights extremists. Activists may seek to join the workforce to gain information, or may access sensitive information in the guise of temporary workers or contractors. Their objectives are usually to place sensitive information into the public domain, or to seek details about forthcoming operations or events so that disruptive protest activities or legal challenges can be organised. They may also try to obtain sensitive personal information about key executives in the organisation.

Extremists

Extremists and terrorists operate in a similar manner to activists, but are less focussed on placing sensitive information in the public domain. Instead, they will seek out intelligence that they can use when planning violent actions against the target organisation. In some cases they will seek to penetrate the target organisation.

"The premeditated infiltration of CNI organisations is a desirable goal for terrorist organisations." (MI5, 2006)

MI5 (2006) warns in the specific context of critical national infrastructure (CNI) that the premeditated infiltration of CNI organisations is a desirable goal for terrorist organisations, adding that insider threats may be members of terrorist organisations, including extremist groups, or those who have contacts in such organisations. MI5 threat assessments suggest that terrorist groups may seek to exploit employees within a CNI organisation and that a small number of CNI employees have been found to have family ties or other types of affiliation with members of extremist or terrorist groups.
These connections did not necessarily imply a threat and the individuals were not in sensitive posts requiring national security vetting. Nonetheless, there was potential for exploitation.

Organised Criminal Gangs

Organised criminal gangs (OCG) pose a significant threat to personal data as they provide the raw material for identity theft. OCG may penetrate organisations, or more likely coerce an existing employee to spy on their behalf. An underground economy has developed whereby OCG will buy and sell stolen information such as credit card details and bank accounts. There is also a service economy aspect whereby OCG may contract IT specialists to hack into systems, license malicious software for use by other criminals and provide tutorials to less experienced criminals. There are even “help-desk” services to support victims of crime wishing to get their data back, for a fee of course. (Dell 2016)

“Customer service is the motto. Hackers are now extending their service hours, guaranteeing their work, and expanding their offerings to keep customers coming back...”
Dell Secureworks 2016 Underground Hacker Marketplace Report

The above notwithstanding, the overwhelming majority of OCG attempts to get at your organisation’s sensitive data will be by attacking information systems, perhaps directly, or indirectly by socially engineering an unaware employee to click on a weblink in an email, or to insert an infected flash drive into a USB port. Less sophisticated criminal enterprises will not necessarily seek out sensitive data, but are more likely to pursue a more immediate payday. Techniques for this are discussed in the next section.
Even if no data is stolen, the impact of a criminal intrusion into a corporate system can be significant: a server may have to be rebuilt to ensure that no malicious software remains, a regulator may ask for proof that no data has been stolen (a very difficult and costly exercise) and there may be further integrity and availability impacts.

The Threats

Overview

For most organisations, the threats to their information assets are greater than the threats to their physical assets in terms of likelihood, impact and vulnerability. There are two primary reasons why the risk is generally underestimated:

1. Information theft is generally invisible. It is happening but for the most part it is invisible to the defender unless it is being specifically looked for.
2. Even when compromised and obtained by an adversary, there is no apparent loss to the owner. There is no crime scene and the asset is still visible, accessible and apparently intact.

The insidious, invisible nature of information compromise was graphically illustrated in a 2008 presentation delivered to the UK-based DEMOS think tank by Keith Rhodes, Chief Technologist at the US Government’s General Accounting Office, heading up a team of 16 US government officials with a Congressional mandate to try to break into the SCADA systems of US critical national infrastructure (CNI) to test the adequacy of their security defences. “They (the defending US CNI) have never stopped us, never seen us and never reacted to us,” reported Rhodes. On one occasion Rhodes’ team tricked a US Government department into initiating a self-inflicted DDoS attack. Rhodes’ team tactics include direct logical attacks (eg. hacking, back-door exploitation etc.), social engineering, planting insiders etc.
Often, in his intrusion activities, Rhodes has discovered evidence of previous real attacks. Of passwords, Rhodes said: “If you are using user IDs and passwords to protect SCADA you might as well give up using computers. You cannot come up with a password that cannot be broken in 24 hours by freely downloadable software.” Rhodes warned that by connecting SCADA to the Net it is easy to break into. Insiders with flash drives also make the task of attack relatively easy by inadvertently introducing malware. Other vulnerabilities include multi-tenancy buildings with shared Ethernet infrastructure, wireless devices and PDAs, insiders, social engineering and more.

Negligence

Studies consistently identify negligence – or at very least ignorance – as a primary cause of information loss. Such ignorance may pervade every level of the organisation, and may include ignorance – or denial – of the threats, and ignorance – or even negligence – in the application of safe practices. Ponemon’s 2009 “Trends in Insider Compliance with Data Security Policies Survey Report” reinforces this view, and drew the following conclusions:

- The majority of respondents admit to serious non-compliant workplace behaviours that place their companies at risk. Such behaviours include the insecure use of USB memory sticks, web-based email, social media, mobile devices, and more.
- The rate of non-compliant employee behaviour appears to be getting worse over time. The most serious examples include the increasing frequency of lost or missing USB memory sticks or other portable data-bearing devices that are not reported to the company (or reported in a timely fashion).
- Employee attitudes about their employers (ie. favourable vs. unfavourable) appear to temper the level of non-compliant workplace behaviour; that is, favourable perceptions are associated with lower levels of non-compliant behaviour.
- Employees do not believe their organisations provide ample training or adequate policies to inform them about data protection and security practices in their workplace.

Cyberspace – A Shift in Threat

Earlier in this module we presented summary findings of an annual report by ONCIX (Page 14) of ten years ago, and it was argued that many, if not all, of the vulnerabilities identified then still exist today, and some are perhaps even greater now than then. The 2011 ONCIX report builds on those findings:

- FIS have significantly shifted their activities from traditional “human” espionage to cyberspace, where most business activity and development of new ideas takes place.
- Sensitive US economic information and technology are targeted by FIS, private sector companies, academic and research institutions, and citizens of dozens of countries.
- The proliferation of portable devices that connect to the Internet (and other networks) will continue to create new opportunities for malicious actors to conduct espionage.
- Businesses are undergoing a cultural shift that places greater value on access to information and less emphasis on privacy or data protection.
- Activists may use the tools of economic espionage against companies, agencies, or other entities, with disgruntled insiders leaking information about corporate trade secrets or critical US technology to “hacktivist” groups like WikiLeaks.

Ironically, of course, WikiLeaks has revealed detailed reports about US intelligence collection activities. It is reasonable to assume that the FIS of many other major nations have long been engaging in similar activities targeting commercial enterprises. There is no doubt that the revolution in cyberspace has had two major impacts on the security of sensitive information:

1. It is targeted and collected by means of communications intercept (data and telephony) by FIS on an almost unimaginable scale.
2. It has greatly facilitated the ability of FIS to penetrate (and remain hidden) inside corporate networks.

Further information can be found in the UK Government’s 2013 Information Security Breaches Survey, a summary of which can be downloaded from: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/191671/bis-13-p184es-2013-information-security-breaches-survey-executive-summary.pdf

Inadvertent Disclosure

Prior to the cyberspace revolution, inadvertent disclosure probably accounted for the greater volume of information compromise. Employees were not, and still are not, given sufficient guidance over what information can be released and what cannot, and this is especially advantageous to adversaries who are adept at practising social engineering. Inadvertent disclosure is still a significant risk, and the greater use of computers has added to the scale of attack vectors. However, even with the correct guidance employees continue to break organisational rules – or are just plain negligent – in putting company data at risk. A damning 2009 Ponemon study found that:

- 61% of employees have transferred confidential information to a data stick in contravention of company rules. And 71% report that they have seen others do it.
- 53% have downloaded unauthorised software onto company computers.
- 43% have lost mobile data devices (eg. flash drives).
- 21% admit to turning off security software. 28% claim to have seen others do the same.
- 47% have shared passwords.
- 31% are using social media in the workplace contrary to company policy.
ASIS (2004) draws attention to the risks of inadvertent disclosure in sales and marketing departments, where this often translates into hinting at or directly describing changes in design, engineering, or formulation to entice customers to buy the products. An untimely disclosure of product changes could provide competitors with the opportunity to make similar changes. In other cases ASIS notes that a sales employee’s knowledge of a particular process or product can enhance job prospects with competitors, and advises using legal notification and the use of non-competitive covenants. However, ASIS suggests that there is really only one reliable solution to the problem of premature disclosure by the sales force – don’t tell the sales force until time of release.

Another area of vulnerability highlighted by ASIS is the trade show, where the environment encourages talk about new developments. Most personnel assigned to trade show operations know more than they are officially releasing. The problem is knowing when to stop talking.

It is also the case that employees with specialist skills will network with fellow professionals working for other organisations, whom they might have known through college, networking etc. Such networking, now often carried out in cyberspace, can also lead to inadvertent disclosure. Today, much inadvertent disclosure takes place in cyberspace. People tend to trust without question those whom they encounter in chat rooms, on LinkedIn, Facebook etc. and relationships can be cultivated that facilitate inadvertent disclosure through social engineering. In this regard, you may recall from Page 57 of Module 5 the real-case example of a chat room conversation that revealed sensitive information about a strategically sensitive UK facility.
Moreover, it is estimated that at least 1 in 100 Facebook accounts are fakes (http://edition.cnn.com/2012/08/02/tech/social-media/facebook-fake-accounts/index.html). Think how easy it is to create a Facebook account and claim that you are a fellow employee of the target’s employer, perhaps at a different location. Then a quick search and some friend requests (which will be further propagated by new friends) and the adversary can very quickly build up an extensive network of trusting contacts within the target company.

Technical Surveillance

Technical surveillance can take many forms, including:

- Listening devices or recording devices concealed in meeting rooms, offices, vehicles, hotel rooms etc.
- Interception of telephone calls, SMS, smartphone email, or telephone log intercept. This can be a targeted intercept, or blanket mass intercept for later analysis.
- Long distance microphones, or beams directed at windows.
- Computer transmission intercept or intercept of the Wi-Fi network.
- Computer hacking, remote file browsing, keystroke logging.
- Smartphone hacking and data theft.
- Video surveillance, including the use of long lenses to see into conference rooms.

The threat will very much depend on the circumstances. For example:

- Some countries routinely intercept the telephone transmissions of foreign business visitors who are network roaming.
- Some countries will use the opportunity of a foreigner visiting to hack into their computer or smartphone (sometimes via Wi-Fi). This action may leave permanent spyware in place. Many government intelligence agencies then share collected information with their own domestic commercial competitors.
- Contractors can be used to install listening devices in rooms, and keystroke loggers onto PCs. If the devices can be retrieved after use, the target is unaware of the compromise.
Very sophisticated devices can be installed by construction contractors, but equally effective devices that capture computer keystrokes can be installed by cleaners or security officers in seconds, with no technical knowledge needed. Listening devices that operate on the cellphone network using regular SIM cards are particularly difficult to identify in environments where other cellphone signals are present. This is a fast-evolving area of intelligence collection and having security officers sweep offices every few months for devices will do little to mitigate the threat from sophisticated adversaries and could lull your organisation into a false sense of security.

In some countries hotel rooms are routinely audio and video bugged, so the yardstick advice to give business travellers is never to do anything in their hotel rooms that they wouldn't be prepared to admit to their grandchildren, or else they could expose themselves to blackmail!

Pathogens

Pathogens include malware such as viruses, Trojans, worms, spyware etc. A basic definition of each can be found at http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp

A typical virus attack on a single workstation will cost an organisation between $100 and $20,000, depending on the severity. Most experts agree on an average impact of about $1,000 per incident/computer. Many virus infections arise out of lack of awareness or negligence. For example:

- Sharing flash drives with other users.
- Not keeping anti-virus software up to date.
- Sharing illegal / unlicensed software and files.
- Careless web browsing and careless downloading.
- Clicking on links in emails or opening file attachments.
On average, one email carrying an infected attachment or containing a link to an infected website hits every unprotected (no AV or out-of-date AV) inbox every two days, according to Symantec. And having the latest anti-virus update is no guarantee that the virus will be stopped. At this point the strongest defence standing between the virus and infection is user awareness and knowledge.

One particular type of pathogen has risen in popularity in recent years, mainly due to its ease of deployment and high chance of a financial return. Ransomware is a form of malicious software that, after infecting a machine, encrypts the files on that machine and demands that the user pays a ransom in order to obtain the key to decrypt their files and make them accessible again. The ransom is typically demanded in “Bitcoin” or another cryptocurrency that enables the criminal to maintain a degree of anonymity. Particularly pernicious variants of ransomware are able to autonomously connect to other devices on a network and infect these also. The WannaCry global cyberattack is an example of such a ransomware virus. This approach is very lucrative for criminals. Anti-virus vendor Symantec (2017) found 64 percent of Americans are willing to pay a ransom, compared to 34 percent globally, and that on average $1,077 is demanded per victim.

If your organisation isn’t constantly making staff aware of the many attack routes for viruses, and how to recognise them, ask your IT department why not.

Denial of Service Attacks

Denial of service attacks (see Background Briefing Note 11.1 in the Extranet Library) are designed to deny users and customers access to target company Web services by flooding the Web servers with useless traffic that causes them to crash.
There are two kinds of attack, a standard denial of service (DoS) attack, and a distributed denial of service (DDoS) attack. Further information on DoS and DDoS can be found at http://www.webopedia.com/TERM/D/DoS_attack.html and http://www.webopedia.com/TERM/D/DDoS_attack.html, respectively.

Reverse Engineering

In reverse engineering an adversary takes a finished product and works backward to establish the processes, specifications and ingredients involved in the product’s manufacture. This is a highly complex legal area of intellectual property protection, but there is no doubt that if an adversary can gain access to sensitive company information, perhaps through an employee, a disgruntled ex-employee, a supplier or on a discarded hard drive, the task can be made much simpler.

Social Engineering

Social engineering refers to the tactics of deliberately eliciting information from unsuspecting individuals through psychological manipulation and establishing relationships of trust. It preys on the weaknesses of the human link in an organisation’s security system, exploiting our fears or our natural tendency to trust each other and our willingness to help, in order to deceive and manipulate us to provide information to the adversary. It can take the form of:

- Telephone enquiries.
- Phoney calls from individuals purporting to be IT helpdesk temps.
- Approaches at trade shows or conferences.
- Approaches on the Internet in chat rooms or social networking sites.
- Approaches by email.
- Phoney job offers.
- Establishing relationships.
- Etc.

Often the adversary will try to convince the employee that they are in a formal position of authority and they will trick the person to reveal sensitive information or carry out an act which is contrary to the organisation’s policies. Keith Rhodes (in Wilding, 2006) observes that there is always a technical way to break into a network, but sometimes it’s easier to go through the people in the company by fooling them into giving up their own security.

“Companies train their people to be helpful, but they rarely train them to be part of the security process. We use the social connection between people; their desire to be helpful. We call it social engineering; it works every time. Very few companies are worried about this. Every one of them should be.”
Keith Rhodes, Chief Technologist at the US General Accounting Office (2006)

Sometimes social engineering attacks are speculative; throwing out a hook and seeing who bites. A common trick, for example, is to pose as a temp at the IT helpdesk and call various employees on a Monday morning, apologising for the sluggishness of their IT systems (a common enough perception) and craftily soliciting their username and password to fix the issue. Other times attacks can be targeted. In respect of the latter, NISCC (2006) notes that by collecting readily available information about the user or the organisation, the adversary can then use this basic information to build a profile of the user, organisation, IT systems and if possible the security processes. This information is then used by the attacker to build credible stories or scenarios which will cause the victim to take physical actions, mistakenly give information, or click on a Web address in an email to open a web page that may release malicious code into their computer. Information brokers who come from the more insidious school of operation are avid users of social engineering as a tactic.
They exploit the gullibility, vanity, willingness to help, or lack of awareness of regular employees. In this regard Wilding (2006) emphasises that it is essential that employees and others associated with the organisation be on their guard. NISCC (2006) reports that staff targeted by social engineering tend to be those who work in customer-facing roles, especially IT, help desks, receptionists, security guards, cleaning and catering. Wilding (2006) suggests a different angle, in which adversaries deliberately engineer encounters with staff who are discontented, contemptuous, or who feel they are under-appreciated in their organisation. ONCIX (2011) warns of foreign collectors who make unsolicited direct and indirect requests for information via personal contacts, telephone, email, fax, and other forms of communication and often seek classified, sensitive, or export-controlled information.

In specific regard to the protection of critical national infrastructure, NISCC (2006) observes that attacks are often closely linked to malicious activities such as:

- Hacking (remote computer compromise, and possibly insider attack).
- Identity theft.
- Phishing (mass emails which try to gain authentication details of customers of financial organisations).
- Spearphishing (targeted phishing attacks).
- Pharming (phishing attacks which use technical means to direct users to malicious web sites).
- Industrial espionage and traditional espionage.

Phishing

Phishing is a type of social engineering attack in which a user receives a fraudulent email purporting to come from a seemingly legitimate source. The reality, of course, is that it doesn’t, and the adversary has used one of the multitude of tools available on the Internet to type in the “from” address a name of their own choosing.
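To show from the defender's side what that freely chosen “from” name looks like in practice, here is an added example (not from the ISMI unit or any vendor product) that triages a constructed message with Python's standard library: it compares the display name, Reply-To and Return-Path against the claimed sender, and the visible link text against where the link really goes. The trusted domain example-bank.com, the sample message and all addresses in it are hypothetical.

```python
"""Header and link triage for a suspected phishing email.
Added example, not from the ISMI unit or any vendor product. It applies the
point made in the text: the visible "From" name is chosen freely by the
sender, so a defender compares it with headers that are harder to forge and
with where the message's links really lead. Standard library only."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation genuinely sends mail from (hypothetical value).
TRUSTED_DOMAINS = {"example-bank.com"}


def registrable(host):
    """Crude 'registrable domain' = last two labels; adequate for a demo."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def addr_domain(addr):
    """Registrable domain of an email address, or '' if there is none."""
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def squash(text):
    """Lower-case and drop non-alphanumerics: 'Example Bank' == 'example-bank'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def analyse(raw_message):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = addr_domain(from_addr)

    # 1. Display name borrows a trusted brand while the address does not
    #    belong to it: the "type in any name you like" trick from the text.
    for trusted in TRUSTED_DOMAINS:
        brand = squash(trusted.split(".")[0])
        if brand in squash(from_name) and sender_domain != trusted:
            findings.append(f"display name '{from_name}' suggests {trusted} "
                            f"but the address is {from_addr}")

    # 2. Replies or bounces would go somewhere other than the claimed sender.
    for header in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(header, ""))
        if other and addr_domain(other) != sender_domain:
            findings.append(f"{header} domain {addr_domain(other)} differs "
                            f"from From domain {sender_domain}")

    # 3. Links whose visible text names one site while the href goes elsewhere,
    #    or whose destination is a bare IP address.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>',
                                 html, flags=re.I | re.S):
        host = urlparse(href).hostname or ""
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text, flags=re.I)
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append(f"link shows {shown.group(0)} but goes to {host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link goes to a bare IP address {host}")
    return findings


# Constructed sample in the style the text describes (not a real message).
PHISH = """\
From: "Example Bank Security" <alerts@mail-notify.example.net>
Reply-To: <helpdesk@example-bank-verify.example.org>
Return-Path: <bounce@mail-notify.example.net>
To: victim@example.com
Subject: Confirm your recent payment
Content-Type: text/html

<p>A payment is pending. Please <a href="http://203.0.113.9/login">log in at
example-bank.com</a> to confirm.</p>
"""

if __name__ == "__main__":
    for finding in analyse(PHISH):
        print("FLAG:", finding)
```

Run against the sample it reports four findings; a genuine message from the trusted domain with matching link text produces none, which is the point of comparing the parts of the message the sender cannot freely relabel.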
The email contains a trick to get the recipient to click on a link, which of course is malicious. In some cases, clicking on the link will infect the computer. In other cases the user will be asked to enter confidential log on details, perhaps in an attempt to raid their online banking account. As soon as the person logs in, their account details are compromised. Tricks include:

- Emails advising recipients that there is something wrong with their bank, or asking them to confirm a payment by logging in.
- Emails purporting to come from Amazon and advising recipients that an expensive item (such as a TV) that it is claimed they have just paid for is about to be delivered to an unfamiliar address and offering them a hyperlink to click on.
- Emails purporting to come from couriers advising of an imminent delivery and providing a hyperlink on which to click to track delivery.
- Emails purporting to come from airlines confirming that they have just booked long distance flights and providing a link to check in.
- Emails with connection requests purporting to come from LinkedIn, Facebook etc.
- Emails asking to take part in a survey or make a recommendation and prov