31/10/2014

By Lior Arbel, CTO, Performanta Ltd


Cybercrime is hitting epidemic proportions. The director of the FBI recently stated that you could divide companies into two types, ones “that have been hacked by the Chinese and ones that do not know that they have been hacked by the Chinese”. And it’s not just nation state hacking that is widespread. A department of Business, Innovation and Skills report on Information Security breaches in 2014 found that 55% of large organisations were attacked by an unauthorised outsider in the past year. All organisations are under fire from modern cyber criminals.

The challenge of how to protect your critical Intellectual Property (IP) from cyber threats is the greatest risk that businesses face in the modern area. Theft of IP is predicated by common attack methods such as bribery of employees, spear phishing of specific executives or whole departments, and Zero-Day exploits. With the most important part of defending against an attack being detection, we have pulled together some recommended steps to ensure a successful approach to data protection of your IP.

1. Handling malicious links
A common method for hacking into a company is the use of malicious links via a spear phishing attack. Spear phishing emails attempt to target a specific organisation or people in an organisation, seeking unlawful access to its confidential data. Spear phishing attackers by-pass defences as they learned that some solutions will only check links inside emails when the email enters into the system; therefore they load the attack on the website later (few minutes or hours) to avoid detection.

Dynamic threats such as spear phishing target the likes of confidential IP data and are an effective tool for hackers. However, this can be proactively prevented by employing real time web analytics, isolating and sandboxing suspicious emails for further analysis and educating employees to spot phishing attacks as they happen.

2. Tracking outgoing data
Far too many companies focus on protecting themselves from incoming malicious attacks and think that makes them secure. Tracking outgoing data is also important, however, it requires the acceptance by the management team that despite your best efforts people will gain access to the network. If a nation state, for example, with its vast resources wanted to access your systems, there is little that any IT team could do to stop them. It is also important to stress that even if an attacker can succeed in getting into the system, when and how they take data out can expose them if the right systems are in place.

It is possible to expose and track data leaving the system and record where it goes, however this requires the implementation of an effective Data Loss Prevention (DLP) system. If data is categorised, and separate networks and levels of access are established, then it is possible to not only track what data is moving where but also who is doing the moving.

3. User profiling
It is often difficult to detect an attack but automated solutions can now be implemented to identify malicious behaviour within the network. Employees ‘typical’ behaviour on the system is analysed and profiles created so that any irregular activity and deviations inside the network can be identified and effectively managed. If a user profile indicates that an employee accesses certain systems and a certain amount of information and suddenly this behaviour changed, then they may have been compromised. This approach can help organisations on detecting activity that can indicate an insider threat or an external attack.

The next step after hacking an initial user’s profile is often to secure access to more privileged accounts. When it comes to accounts like system administrators, or system services more protections need to be in place. Having a system that will manage those accounts, change passwords on a regular basis, provide a full audit of who asks for the password and potentially even a recorded session of what they did, is best security practice for most organisations.

4. An emergency plan
If the management of a company has accepted the realisation that no matter how secure their system is there may be a time when a breach is discovered, it is important they implement a response plan.

A designated response team, which includes management, IT, legal, business, marketing/PR and other critical departments, needs to be set up so that the business can act in a quick and co-ordinated way when dealing with a breach. Predetermined processes and best practice guidelines will have been set in place so that each department can effectively deal with the situation proactively allowing the business to continue functioning and preventing the potential internal ‘blame game’ should the response fail.

After the recent news stories about high profile hacks and flaws in key internet protocols, every company which has sensitive IP information – and all companies have some sensitive information – should take steps to ensure its information is monitored and secured. By implementing some of these guidelines you go from having an intangible potential leak to a measurable threat that can be responded to and dealt with proactively.

Lior Arbel is the CTO of Performanta Ltd. Performanta is a specialist information security firm, securing enterprise clients from the latest modern security threats