Corporate espionage is a business almost as old as corporations, but thanks to the Internet revolution it has a new business model: cybercrime. A new report from McAfee illustrates how intellectual property and trade secrets are becoming the primary target for hackers, and providing the currency that fuels the cyber underground.
The recent attack against RSA, resulting in the compromise of sensitive data related to the SecurID two factor authentication that many corporations rely on to guard against unauthorised access and protect data, is an example of how even the very companies that we trust to help guard against corporate espionage are not invulnerable themselves. Hacked SecurID tokens could be used as a stepping stone to more serious corporate espionage.
"Cybercriminals have shifted their focus from physical assets to data driven properties, such as trade secrets or product planning documents," said Simon Hunt, vice president and chief technology officer, endpoint security at McAfee. "We've seen significant attacks targeting this type of information. Sophisticated attacks such as Operation Aurora, and even unsophisticated attacks like Night Dragon, have infiltrated some of the of the largest and seemingly most protected corporations in the world. Criminals are targeting corporate intellectual capital and they are often succeeding."
Personal information, names, addresses, birth dates, are still hot commodities for identity theft and financial details such as credit card numbers and bank account passwords are big business as well. Don't hold your breath waiting for botnets and other malware to stop trying to steal those types of data.
But, hacking into corporate networks and stealing intellectual capital is generally safer and more lucrative.
For one thing, financial and healthcare organisations which are frequently the target of such data breaches, are also the most vigilant at detecting them. Combine that with the fact that most states have data breach notification laws requiring companies to disclose when data involving personal details or account information of individuals is involved, and it becomes increasingly difficult to fly under the radar and avoid having law enforcement agencies involved.
But, if a hacker instead steals the marketing plans and financial projections from one company, and sells it on the cyber underground to that company's biggest competitor, there is less risk of alarm bells going off. Organisations don't like to announce publicly that they have been hacked, so if there are no data breach notification laws compelling them to do so, odds are fair that the theft will be kept on the down low even if it is discovered.
Evolving trends such as the migration to the cloud, and the exodus from the internal network to mobile gadgets make the task of protecting corporate intellectual property that much more difficult. Think of a bank. When all of the money is stored in a steel vault inside the building, it is relatively easy to contain and protect it. Now, give that same money to hundreds of people to carry with them as they wander about, and make it accessible digitally from the Internet as well, and you can see that it is a much more complex issue to secure it.
IT admins need to take proactive steps to assess risk and implement appropriate security controls and defences, and be vigilant about monitoring for suspicious and malicious behavior. You may not have the secret recipe for Coca Cola on your company file server (you don't, do you?), but the data you do have is of value to your competitors and could prove lucrative on the cyber underground.