Corporate espionage: Not if, but when

• Tags:
• Risks,
• Targeted,
• Source Code,
• Searches

Sally Whittle ZDNet.co.uk

Published: 12 Mar 2008 16:27 GMT

• 
• 
• 
• 
• 

Corporate espionage is defined as the theft of commercially valuable information. This may be the secret formulation of a new product, but equally it could be the names and salaries of senior executives or simply the date of your next marketing initiative.

This type of corporate crime costs the world's 1,000 largest companies in excess of $45bn (£22.4bn) every year, according to research from consulting firm PricewaterhouseCoopers.

Some of the world's largest corporations have been targeted: for example, in 2000, Microsoft fell victim to what the company called "a deplorable act of industrial espionage" when hackers broke into the company's system and accessed Windows and Office source code. Hackers had access to the source code for up to three months.

In the pharmaceutical sector, Proctor & Gamble and Unilever became involved in a dispute over corporate espionage when Fortune magazine reported that P&G had been involved in illegal corporate espionage against its archrival. Agents appointed by P&G were alleged to have misrepresented themselves as market researchers and used various other methods to collect information about its rival.

In 2006, two hackers were extradited from the UK to Israel when it was alleged that they had developed and sold spyware which was used by companies to spy on rivals in their native Israel. Three private investigation companies in Israel were alleged to have sent emails with Trojan horse packages designed to evade detection by security tools.

"What you need to know is that this is happening more than ever before, and on a bigger scale than ever before," warns Toralv Dirro, a security strategist with McAfee. "Any business that derives competitive advantage from information should be concerned about this issue."

Corporate espionage has increased rapidly in the past decade, as more information is put onto corporate networks — and potentially within the reach of hackers, Dirro explains. Certainly, PricewaterhouseCoopers reported that corporate espionage losses doubled between 1990 and 2000.

Knowing whether you're at risk of corporate espionage isn't easy, admits Paul King, a senior security advisor with Cisco UK. In fact, you could be a victim of corporate espionage and never even realise it, King says. "At Cisco, we don't ask ourselves why we might be at risk of this stuff, we ask why not?" he says. The company's security experts constantly scan the internet for reports of attacks on other organisations, and assess their own risk to similar attacks.

It's difficult to know exactly how common corporate espionage is because most victims never report the attack to the police, fearful of the consequences of going public, says King. And is a hacker is sufficiently skilled, many companies won't even realise they've been attacked. "I think the best we can do is monitor our systems carefully and if we hear of an attack on another organisation, ensure that it couldn't affect us," he says.

The question isn't whether you know you're vulnerable to corporate espionage, it's knowing how vulnerable you could be, adds King. "If your chief executive says he's not a victim of this stuff, how confident is he? And the only way to be really confident is to be looking hard for it."

The first step in corporate-espionage protection is to close the most obvious loopholes — those that can be exploited by hackers without even breaking the law. "We're seeing massive growth in something called Google hacking," says Rhodri Davies, a technical architect with security specialist Vistorm. "This is the process of using really smart Google searches to find information left open on web servers. It's unsportsmanlike, but definitely not illegal."

With Google hacking, hackers can routinely find information on projects and personnel, and the file names of confidential documents, even if they cannot access the documents themselves. "You can easily automate searches, so that if a document is online even briefly, you'll be emailed that search result," says Davies. The danger is that this information will then be used as the basis of an illegal attack, enabling a hacker to pretend to be inside the company, or to launch a social-engineering attack.

Security companies have seen a dramatic increase in what's known as "spear phishing", a highly targeted phishing attack where a single executive may receive an email that appears to be from an authorised partner or supplier, relating to a project that isn't widely known outside the company. "The usual trick with this sort of email is to encourage the user to open a file, which will launch a Trojan, potentially giving someone access to the whole network," says Toralv Dirro, a security strategist with McAfee. "We have been seeing an awful lot of these in the last year or so."

How do you know if you have been a victim of corporate espionage? In many cases, you'll never know, says Dirro. "If it's a skilled hacker, they will have used Trojans to ensure the intrusion detection system isn't triggered." Security experts recommend regularly conducting penetration testing (including looking for search vulnerabilities) to protect against this kind of attack. However, to protect against illegal hackers attempting corporate espionage, the best advice is to know your data.

Audit your corporate data and identify what information is potentially sensitive and therefore vulnerable to attack, says Dirro. Next, separate this…

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit