Nissan Hack A Harsh Reminder About Protecting Data Stores From Spies
News of corporate espionage attacks against Nissan offers security practitioners a reminder of the real reason they bring home a paycheck
Nissan's disclosure this week of a malware attack in which attackers stole employee user-account credentials was a chilling reminder of the reality of industrial espionage.
While it may be easy to get caught up in toeing the compliance line and focusing solely on the protection of personally identifiable information (PII), at the end of the day security professionals need to remember that protecting business-critical intellectual property (IP) should be their No. 1 concern, security pundits warn.
"Will I say that every company is at risk? No, not every company. If you’re already open-source or don't possess IP of great value, then there’s not a huge monetary [or] intellectual gain in ripping you off," says Ken Pickering, development manager of security intelligence for Core Security. "But time and time again, we've seen evidence that foreign powers and corporations are finding it's easier to steal information than develop it."
Nissan said in a statement that it believes its "systems are secure and that no customer, employee or program data has been compromised." As of yet it is unclear what the attackers were targeting with the theft of credentials, but it's believed that they likely were seeking information on Nissan's electric vehicle drivetrain.
In many cases, enterprises don't prioritize defense against cyberespionage attacks because they don't view them as a real threat, experts say. That's partially because they're rarely reported from the news and remain hidden from view of decision makers at yet-to-be-hit companies.
"I believe that corporate espionage is a massive threat, but it's something that we really don't hear about because it's typically theft of intellectual property, for which there is no real motivation for a company to disclose," says Josh Shaul, CTO of Application Security, Inc. "And a lot of this corporate espionage is nation-states that are stealing from corporations and bringing that info back to their government. So a lot of it ends up getting dumped into the secret files that the bureaus of our U.S. government need to investigate. So they're not allowed to talk about that."
The initial breach targeting usernames and passwords for more in-depth attacks against IP should be enough to make security pros reach for their pencils to start taking notes, says Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark Software. He believes Nissan's woes follow a cookie-cutter script for similar attacks.
"Hackers gain access to administrative and privileged accounts -- once inside, they leverage the privileged account, or elevate privileges associated with the account, to gain access to additional servers, databases, and other high-value systems only a select few people are actually granted permission to access. The result, as demonstrated over the past few weeks, is easy access to millions of sensitive records. Or, in the case of Nissan, it's secret sauce," Bosnian says.
Organizations across all industries need to realize that privileged accounts and passwords are the top target for hackers, he adds. "Controlling these access points needs to be a priority for companies like Nissan and others that put protecting their intellectual property against internal and external threats at the top of their priority list," Bosnian says.
Though Andrew Jaquith, CTO for Perimeter E-Security, agrees that privileged access control may be one important component to staving off corporate spies committed to sniffing out the organization's most valuable IP, he warns that it takes a host of measures to effectively lay out protections. His belief is that organizations need to follow what he calls a three-by-three formulation for security.
"You really need to be good at three sets of things: technology, or stuff you can buy; competencies, or IT skills to develop; and traits, or behaviors you need to be encouraging among your employees," Jaquith says. "You need a little bit of all of those things. It's basically stuff, skills and attitudes."
Within those three categories, he believes there are three top priorities that can achieve the most effective results. Within technology, he believes those that allow you to zone access to data and segment the network, those like IDS and IPS that allow you to track known signatures of attacks and flag suspicious traffic, and those with Web security filtering technologies are the top three types of technology to first invest in.
Within competencies, he names the ability to compartmentalize information on a need-to-know basis, the ability to spot anomalies and aberrations in network traffic and act on those, and the ability to streamline and automate incident response as the most important. And within traits, he names security awareness, phishing resistance, and an attitude of responsible custodianship of data as critical to instill within corporate culture.
Though it may not quite fit within the perfect matrix laid out by Jaquith, both Shaul and Pickering believe there is one other critical ingredient to staving off attacks by corporate spies: Organizations today need to think like a hacker.
"Thinking 'like a hacker' is a serious skill. It requires patience, diligence, and technical aptitude," he says. "Some companies think generic IT staff can handle complex security scenarios, and I'm just not sure that's the case anymore. These people are different ... Skilled hackers need a wide knowledge base on a pretty Swiss army knife array of technologies to penetrate a modern enterprise, and do so without being detected by modern IDS, DLP, [and other] systems."
Organizations also need to remember where the most critical information resides, Shaul says. He says that it depends on the organization, but on the whole it would be safe to say that in spite of plenty of unstructured IP floating around the IT infrastructure, a good two-thirds of it still lives in the database. Whether it is a software company that uses a source control tool to store source code in a database or a manufacturer that depends on CAD tools, which store designs in the database, organizations store more than just Social Security numbers and addresses in databases.
Shaul says he encourages companies that have already bought database activity monitoring tools to satisfy compliance demands on PII protections to "use what they've already paid for" and extend those measures to databases containing critical IP -- though the results of that pitch, he adds, are still mixed.
In the end, beyond the technical details, Shaul says it comes down to applying common sense to risk assessment.
"The first step for everybody is to think, 'If I would steal from my company, what would I want to steal?'" he says. "And then start to protect that. So throw out all the notions of regulations and customer info and everything and just take that few moments to think about what's really the most valuable thing for a thief to take from my business."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like