With any business involving serious research & development, where a new and disruptive technology is at stake or where information could build or destroy a business or a product there is a risk of cyber / conventional economic espionage. Essentially, that is preventing APT (Advanced Persistent Threat) from being a risk for you – or at least decreasing that risk as much as possible.
A few examples
I’ll give you a few examples before proceeding to the practical part of this article – some are relevant to large corporations and other – to small businesses. The purpose of these is to express the fact that cyber/conventional espionage has always been, is and will always be a serious factor in any business endeavor – no matter on which side of it you are.
There are several entities who are potentially after your business secrets: USA, Israel, Russia, China and Corporate (the largest economic espionage corporation – which deals solely with espionage for private or government clients – has more than 200 000 employees worldwide. There are hundreds and thousands of smaller ones, dispersed in every single country).
Unfortunately almost all of the information published publicly regarding cyber / economic espionage is published by western and mostly American media / citizens – there is no surprise that the American espionage efforts are kept under the radar on purpose and the ‘threat’ of cyber espionage is portrayed as coming from outside the United States, where more than half of it actually originates there.
Truth of the matter is, the largest government espionage network worldwide belongs to the United States. Is it a coincidence that they, too, employ close to 200 000 people across the globe (with a total number of employees working for the Department of Defense nearly 3.2 million)?
The simplest example of economic espionage is performed by nearly all businesses all the time – that is researching, what the competition has to offer and at what price, when such information is not readily available. Callers pretending to be potential clients is the most frequently used scenario.
Next up the chain is convincing certain employees to reveal information – either by fake job interviews or in regular conversations – when people are pushed to brag about their accomplishments or when their professionalism is intentionally questioned – at which point they are ready to ‘prove it’ unwillingly revealing confidential information.
So far the risk for the offending organization is low – and such ways of educing information are generally used when the information obtained is not of critical value.
The higher the value goes, the more risks the ‘spies’ are ready to take and the higher is the chance of them obtaining it.
We could move up the chain with bribes, extortion, threats or directly breaching the security of the company to physically steal the information needed – either from their premises or from the home of a valuable employee/director.
There is a good story I read in one information security book long ago – I’ll try to quote it as short and accurate as possible.
A company spent years in developing a game-changing software application – with millions invested in research & development. Months before the application was to be publicly announced, one afternoon a well-dressed man came in the office, looking for the CEO.
The receptionist politely told him that the CEO and all higher management was away on a business trip exactly this day, that he should come later, etc. The man seemed disappointed and told the secretary he is a very important business partner and had a lunch organized with her boss – and since the situation did not allow for that meeting to happen, he offered to take her and some other key employees to lunch – he was paying the bill!
During that lunch, the man explained to everybody he is an investor who will invest a large amount of money into their product – the one they’ve all been working on for years. They all got so excited, spending hours discussing the software application and all its advantages over the competition.
The next day, when the CEO came in the office, everywhere were so excited to tell him about the meeting with their biggest investor!
That moment the CEO understood, that his company is ruined. A month later a competitor presented an application with all of the features described to the ‘investor’ during the aforementioned lunch…
Of course, this is a fictional story – but it serves as a clear example of how easy it is to obtain competitive information using time tested means.
Spies started using cyber tools to get the job done from across the globe
But what if it could be possible to get to the most valuable information you have with almost no risk, no bribes, no meeting of employees, no fake job interviews and practically no human interaction?
You have probably already guessed I am talking about ‘hacking’ in the meaning the media uses it – and you are almost right. Because the media portrays hackers as malicious teenagers – while the reality is much different.
FinFisher & Company
There are dozens of similar tools – and I will only name one for clarity and briefness. You just need to get the idea in order to at least try and counter it.
http://en.wikipedia.org/wiki/FinFisher is so far the most popular commercial cyber espionage tool. More details can be seen on the WikiLeaks site – http://wikileaks.org/spyfiles/files/0/289_GAMMA-201110-FinSpy.pdf
Another really good post on the matter can be found at https://citizenlab.org/2013/04/for-their-eyes-only-2/
When you get back from reading about this ‘tool’, think about the following: if this is public, then what are the capabilities of the software which is kept confidential? Can you fight it? Can you defend from it?
Well, practice says that it is possible to build a defense which would be impenetrable even for such an organization – granted we take away human risks and only trust IT (information technology).
We’ve all heard of the recent breaches of cyber security in Iran – first at their nuclear research facilities which are being governed officially and then in several of their private commercial oil corporations. While the first was clearly an act of cyber warfare, with careful planning and cooperation between certain countries which I don’t even need to name here, the latter was the act of cyber criminals.
What’s common between tem, is that they would not be possible – or significantly more difficult to the point of not happening at all – if certain technical measures were taken in the information infrastructure of the nuclear and oil facilities.
The rumor goes (not really a rumor, I just can’t name my sources) that the Information Security practices at the above organizations were so low, it was a mere joke to get in and compromise them. Unfortunately, I can’t agree more and this article has the purpose to change things. It will most likely be impossible to cover all that needs to be done in one go, so there will probably be a need to write a second and a third one, more technical and to-the-point with exact measures to be taken.
Defending your company and yourself from cyber espionage
As has been known for several years now, layered defense no longer works.
Security software – such as Firewalls and Antivirus are effective only to block the ‘noise’ of security threats – they are absolutely worthless against software written to target and attack as a cyber-weapon or serving as a cyber-espionage tool.
I’ve had a discussion with a certain nation state recently and they asked me ‘can you build an antivirus suite such as Kaspersky to stop these attacks’ – the question itself showed their ignorance to the actual situation – they did not understand that any software selling security or protection is practically worthless if the right measures have not been taken beforehand.
It is also true that if you secure your corporate assets properly, you will not even need Antivirus software, because unauthorized applications and code will simply be unable to run.
Can it be done?
Yes, it can. Why is nobody doing it? I don’t know. Ignorance and laziness come to mind as the two primary reasons, as harsh as it sounds – I am not here to give praise, I’m here to provide solutions.
Practical technical steps to security
Usually all how-to guides begin with the simple steps and go on till they reach the most difficult ones. Not this one!
Your first step should be to protect the computers of your employees, and this is the most difficult task any organization could take on itself – mostly because it takes education as well as technical measures. This step – protecting the user computers – comprises of several sub-steps, which I will describe below.
Leaving education aside, as it’s a topic which could fill an entire book (you should, however, look seriously into the topic of Security Awareness) – we will move on to the technical measures you could take to protect from cyber espionage tools such as FinSpy and its friends.
As I said earlier, un-authorized code should not be even able to run on your computers – especially the ones which have access to confidential information. Yes, that includes the computer of the CEO’s secretary!
- Install and *configure* EMET (http://blogs.technet.com/b/srd/archive/2013/04/18/introducing-emet-v4-beta.aspx ) – it is important to manually apply the configuration for all installed applications, especially Adobe Reader, Firefox, Chrome, Internet Explorer, Outlook and all other applications which will be having access to the Internet. There are Active Directory policies to configure it across the whole company.
- Enable the disabled-by-default security features of Adobe Reader – (Preferences – > Security (enhanced) – > Enable Protected Mode at startup – > for All files and Enable Enhanced Security.
- Set up a schedule to check for new updates for Adobe Flash (the plugin), Acrobat Reader and all available browsers, on every single computer, every day.
- DO NOT ALLOW ANYONE TO RUN THEIR COMPUTER WITH AN ADMINISTRATIVE ACCOUNT! Users and Administrators! – especially Administrators – should run their daily operations with a limited access account and only use Run As Administrator when needed. I cannot stress this enough. It is very important! You should actually disable the Administrator account and create a new one with a different name having the same rights and having a different password on every computer.
- For the Microsoft Windows operating system, there are multiple guides on how to set up Software Restriction Policies – set them to Whitelist mode – meaning, list all applications (and their hashes!) which are allowed to run. Disallow any application which is not in the policy to run. Update your policies regularly to add new trusted and tested applications.
- Once Software Restriction policies are in place and all other steps have been completed – you should really think about implementing a proper sandbox on your computers. I won’t go into details what a sandbox is, and this article is certainly targeted at technical people – but don’t trust Sandboxie as the most popular sandbox out there – and this is my personal opinion, of course. Try the following product – Bufferzone Pro – http://www.trustware.com/BufferZone-Pro/ – and read the manual before installing it! Make sure to test it on a new computer with no AV installed first, as it tends to crash some Antivirus products.
- Antivirus – did I say already that it is not effective? Well, the most popular products are not really effective, at least. My personal preference is Webroot, because it is totally different from most of the market leaders. It also has an awesome sandbox built-in! You might not need another sandbox with this product.
- Firewall… ah, these firewalls! You should not allow external (outgoing) connections to any address but the ones specified in a whitelist. This last advice is only viable for highly sensitive environments and not for regular companies – but you should still think about this measure. Network whitelisting is probably the single, most effective measure in protecting your network from literally any remote cyber threat.
After completing these steps and making no compromise, your user computers will be relatively secure – after all, this is just an article – but if you do at least 7 of the above steps, you will make it nearly impossible for software such as FinFisher to represent any threat to you and your business.