It's been a little more than three weeks since the revelation of the Global Payments data breach that led to the exposure of about 1.5 million credit card numbers. However, while that high-profile attack generated lots of media attention, some of the most dangerous hackers in the world aren't after your money; they want to steal the way your business makes money.
"What we're actually getting now is that people try to steal intellectual property rights [IPR]," says Sarah Loyd, a director at consulting firm Navigant with deep experience in attack and penetration testing, IT forensics, technical security architecture and information warfare. "The real threat is people trying to steal anything that's got IPR in it. They want to steal how you as a corporation make money."
"They don't want to steal accounting money," she adds. "They want to steal formulas for new drugs. Anything they can use commercially. Organized crime is interested in stealing individuals' credit card details. Nation-states are interested in stealing the things that allow them to progress economically."
Attacks Coming from Chinese and North Korean Internet Space
While data breaches like the one suffered by Global Payments can be costly, breaches that involve intellectual property can potentially destroy a company. They are widely believed to be sponsored by nation-states like China and North Korea. However, Loyd notes that while security experts are certain such attacks come out of China's and North Korea's Internet space, it is difficult to prove the attacks are originating there. And with international politics in the mix, western governments either cant or wont stop it, she says.
"The attacks out of China and North Korea have been going on for 10 or 15 years," Loyd says. "We've seen a total failure of response from western governments. They're playing extremely nice as to how they're responding. Much of the boldness of a lot of the attacks has come out of the lack of response. We've got a joined world electronically, but we've got laws that are 30 years behind the electronic reality, so it's very difficult for governments to respond."
One Chinese company that often winds up in the center of conversations about these issues is networking giant Huawei Technologies, which has long been a lightning rod for controversy. Founded by Communist Party member Ren Zhengfei in 1988—and still run by him—Huawei Technologies was accused by Cisco Systems in 2003 of allegedly stealing source code for its routers and switches. The resulting lawsuit was withdrawn by Cisco in 2004, but some security experts still wonder whether Cisco's technology played a role in Huawei's rise to dominance in networking.
The company has tangled with the security establishment in a number of countries, including the U.S., U.K., India and Australia. In 2008, Huawei dropped its bid to acquire American networking device manufacturer 3Com when regulators made it clear they would block the deal on national security grounds due to the governments extensive use of 3Coms security software.
Later, in 2010, it withdrew a bid to buy the assets of American company 3Leaf Systems following an unfavorable review by the U.S. Committee on Foreign Investment. U.K. security experts took their government to task in 2009 for awarding Huawei a contract in 2005 to replace the core of BTs telecommunications network. Huawei has also been blocked from supplying equipment for Indias cellular phone network and Australias national broadband network.
Huawei has attempted to allay these fears. In 2011, following the failed 3Leaf bid, the company issued an open letter to the U.S. government, inviting a formal investigation that would prove it was a normal commercial institution.
"Unfortunately, over the past 10 years, as we have been investing in the United States, we have encountered a number of misperceptions that some hold about Huawei," wrote Ken Hu, deputy chairman of Huawei Technologies and chairman of Huawei USA. "These include unfounded and unproven claims of "close connections with the Chinese military, disputes over intellectual property rights, allegations of financial support from the Chinese government, and threats to the national security of the United States. "
"These falsehoods have had a significant and negative impact on our business activity and, as such, they must be addressed as part of our effort to correct the record. "
He noted that in 2010, Huawei paid western companies $222 million in licensing fees for intellectual property.
Exploit Frameworks Have Changed the Game
Attacks believed to be sponsored by nation-states have been on the rise over the past 10 to 15 years, and the nature of the tools for penetration testing and hacking have also changed dramatically over the same period with the rise of exploit frameworks. Exploit frameworks, which are available in both basic free versions and more sophisticated commercial versions, provide a consistent environment within which both hostile attackers and penetration testers can create and run exploit code against targets. They utilize code reuse and modularization to streamline and simplify the process of creating and running exploit code.
"Fifteen years ago, if you wanted to do a buffer overflow attack, you needed to know how to code a buffer overflow attack in machine code for the target system," Loyd says. "That's all gone." These days, exploit frameworks make sophisticated hacking into child's play.
Loyd notes that she could teach a rank beginner to use a framework and execute an attack within half an hour. "I guarantee it would get through and you would be able to take over a corporate target," she says. "It's that easy."
Both nation-states and organized crime can easily afford even the most sophisticated exploit frameworks, the most expensive of which cost about $20,000.
Education Is Key to Mitigating Data Breach Risk
There is no magic bullet for defending your business against this form of attack, but there are steps you can take to mitigate the risk.
First and foremost, education is the key. Employees need to understand what risks and attacks look like, from a social engineering attack by a hacker on the phone trying to get an employee to divulge sensitive information to an intriguing link in an unsolicited email.
Second, security specialists and system administrators need time.
"You have to make sure that the staff you have defending you-not just security specialists but system administrators-that they actually have the time to look for signs of attack," she says. "You need people with sufficient spare clock cycles to actually look for signs of attack. It's not about buying new equipment. That's not an answer for this problem. It's not about firewalls and it's not about intrusion prevention systems. It's about human beings properly configuring the systems they've got and looking for the signs on their network. It's about educating staff, because the easiest way to attack is through human beings.
Software that can review logs and send alerts about suspicious activity is also a must, Loyd says, noting that free, open source solutions are available. In many cases, the logging capabilities of servers and network appliances are switched off or never looked at and then overwritten in time.
"Even firewall logs are generally not reviewed," she says. "You need human beings to actually look at logs and look at security incidents and actually review them."
Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.