Corporate espionage: Not if, but when

• Tags:
• Risks,
• Targeted,
• Source Code,
• Searches

Sally Whittle ZDNet.co.uk

Published: 12 Mar 2008 16:27 GMT

• 
• 
• 
• 
• 

…information into dedicated areas of the network, and consider separating highly sensitive information entirely. "If you have a highly confidential R&D project, I would consider putting it on its own network, with no external links whatsoever," says Dirro. "Regardless, you should have a clear idea of your data structure, so you know who is accessing sensitive data and what they're able to do with it."

There isn't a single technical solution to corporate espionage, adds Cisco's King. "If there was, we'd be selling it," he says. However, companies can take steps to minimise the risks it poses. King's key advice is not to rely on reactive security systems, which will warn you only when something specific happens. Although a good intrusion detection system and firewall are essential, they aren't enough. "If you're waiting for an alarm to go off, that's not good enough, and it won't alert you to most corporate espionage," King says.

For example, you may want to investigate the latest data log protection systems. These software tools can "mark" confidential data with a virtual watermark, which prevents it from being copied to a mobile device or distributed via email. "The technology is relatively new, and can be quite difficult to get up and running, but once you've done the upfront work they're highly effective," Dirro says.

In addition, King recommends routinely checking through IDS log files and access logs looking for attacks or patterns of unusual activity. "We have a product that monitors all our log files from routers and firewalls and looks for anomalous behaviour," says King. "It's different from only reacting to something you know has happened."

It's also important to pay attention to less sophisticated forms of information theft. "Educate people on risks that may seem small, like using a laptop on a plane," advises King. Cisco executives are routinely provided with plastic privacy shields that prevent so-called shoulder surfing, and the IT department provides training videos that help make people more aware of the risks in discussing confidential projects in public.

"Sometimes you can be at risk in the most public places," says King. "For example, someone at a trade show might ask you a question that is designed to help them later to do some kind of social engineering." Since producing videos on this topic for the corporate intranet, King's team has received many more calls from employees who say they have received suspicious telephone enquiries.

The vast majority of corporate espionage attacks have the involvement of someone inside the company, argues Mark Schettenhelm, a security consultant with Compuware and a Certified Information Privacy Professional (CIPP). "We've done such a good job of blocking hackers and spam from outside that it's easy to forget the threat from people inside the company who have all the authority and access."

However, King believes it's important to keep corporate espionage in perspective. "We want security to enable the business, and we're not going to lock down systems and stop people doing business," he says. For this reason, Cisco does allow employees to use memory sticks and mobile devices, but with appropriate encryption and other security measures.

The best approach is to accept that providing employees with access to sensitive information will always carry some risk, but to mitigate that risk as far as possible, says Schettenhelm. Compuware provides a range of tools designed for "application auditing", which basically means monitoring who uses software, and what they do with it. One of the biggest challenges of any company that has been hacked is knowing the extent of the breach, and application auditing can also help in this respect, showing which screens and fields of data were viewed by an individual user.

"It means if there is a breach, you can easily see where it happened, who did it, and what was breached," says Schettenhelm. "It also protects employees from false accusations, because it shows where there was no inappropriate action."

Application auditing can be combined with data mining tools to reveal patterns of usage and alert managers to anomalous activities. For example, you could monitor the activity level in a customer service centre to show that a typical agent accessed 100 records per day, while one employee is regularly accessing 500 records. "That type of spike might indicate a problem, and further investigation may show which sort of records he is accessing, and whether it tallies with the number of inbound calls they were handling," says Schettenhelm. "You can then ask, why did you need that screen for that call?"

This type of technology works best when sensitive data is held on separate screens, Schettenhelm adds, so that you can track exactly who is accessing information such as credit-card details or medical records. It will also help in preventing future problems, because auditing will show which screens really are needed to do a specific job — allowing access to be restricted to any information that isn't strictly needed.

Of course, an organisation can't simply block access to all confidential data — developing new products is difficult if the engineers can't access the plans, after all. But analysing network traffic can show who is downloading information and at what times. "A common trigger which might indicate a problem or a hacker is someone accessing files outside office hours, when they can't be seen by colleagues," says Schettenhelm.

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit