While we can generally conceptualize that our businesses and organizations have information that may be the target of rivals, criminals, activists and general troublemakers – we sometimes forget that the tools of our trade can just as readily be the target as well.
These “tools” could literally be the tools that serve your business (computer controlled manufacturing devices), or they could be more abstract, such as:
- The engines that drive the information of your business (database servers, application servers, middleware, etc)
- End-user information systems/applications – including your desktop suite
- Core infrastructure – such as network switches, routers, firewalls and VPN gateways
To understand the threat, let’s look at the types of attack and their potential motives. The motives for attacking an organization (short of general mischief) may include:
- “Stealing” information/company secrets, competitive information, etc.
- Entering new or corrupting information
- Access with the intent of influencing the organization or individuals
- Creating a stepping off point into another system/organization
One of the oldest motivations for getting “into” an organization (or at least their information systems), theft of data and key information still remains a popular driver today. The kinds of information, and reasons for going after it, include:
- Trade secrets – the how and why a given product or service is different from competitors, perhaps showing innovative processes, dramatic cost saving techniques, or just plain old “secrets” that are the key differentiators from similar products and services (like just what are those 11 secret herbs and spices)
- Customer data – which, while difficult to use directly (ie- someone reaching out to all your customers directly to sell them a competing service) other information can be derived from this data – such as better understanding your target market and perhaps what motivates those customers to use your product over that of a competitor. The customer information could also just be leveraged for outright theft – if, for instance, you happen to have customer credit card information.
- Strategic information – such as business strategy, which may allow a 3rd party to block or leverage your plans (insider trading anyone?) or marketing strategy/campaign information – which could allow a competitor to develop a competing strategy that may take the wind out of your sails before the launch of your new product.
This is by no means an exhaustive list, and identifying what may be “valuable” within your information assets may require some out of the box thinking and war gaming within the organization.
Sometimes even reverse analysis can help in these evaluation sessions; instead of what can I do to improve customer satisfaction, what can I do to make it worse? What information or systems could I sabotage to ensure the customer is unhappy? Believe it or not – sometimes looking at the problem from a negative angle can reveal interesting insights.
NEW OR CORRUPTING INFORMATION
While a lot of effort is put into protecting information from theft, it’s not often protected from unauthorized changes or corruption.
Sometimes the corruption can be massive, as seen with recent ransomware applications that can encrypt information systems and data and then demand payment in exchange for the decryption key.
In other cases the corruption may be relatively minor however, at least initially, and may not even be directly attributable to an information system based attack.
Imagine attempting to undermine a military operation by corrupting weapon targeting systems – perhaps increasing the probability of collateral damage.
Such constant errors may result in public demand at home that a campaign come to an early close, or Commander’s may become hesitant to engage some of their assets due to a lack of faith in their effectiveness or reliability.
The attack could also be highly focused – perhaps at the customer credit card information. In this scenario the objective isn’t to steal the credit card database, but to make it useless.
Imagine the impact on an online news or other subscription-based service if it couldn’t reliably bill its customers at the start of a new month?
How would the company explain to its customers that your credit card information is safe… it hasn’t been stolen… it’s just corrupted. Please share your card number with us again…
The corruption isn’t just limited to data. With increased use of automation in manufacturing and industrial processes, more attacks are being directed to the core of the business and its production vs. just the information.
This was particularly the case in 2010 with the STUXNET worm that was targeted at the Iranian nuclear weapons development program – destroying a significant number of centrifuges being used to refine nuclear fuel into weapons grade material.
The worm is believed to have been introduced to the region via multiple corrupted USB flash drives carrying the payload. The actual computer system serving the centrifuges was on an “isolated” network, but eventually one of these USB keys was connected to this isolated system.
The STUXNET worm was looking for a specific programmable logic controller (PLC) known to be tied to the centrifuges. When it encountered a system without such a PLC, it simply went inert (after propagating to other devices and media). Upon discovering of being put onto the system with the target PLC, it modified the code within the unit and started giving commands that corrupted the centrifuges operation – while still reporting “normal” operating information to the users. As a result, it took months for the Iranian scientists to figure out why their centrifuges were failing, while creating an extensive delay in their weapons program.
While this is a particularly advanced scenario, now that the world has seen what can be done, its not a difficult leap to see how other industries such as the pharma or high-tech manufacturing could now (and have been) targeted for such an attack.
It may not even be destructive in nature; with today’s oil fields being heavily reliant on automated network control systems (through Supervisory control and data acquisition, or SCADA systems) its not a huge leap to envision oilfield production being shut down by at the press of a few keys. Homeland security organizations throughout the Western world are equally concerned for automated controls within key utilities and services such as our power grid, water purification and distribution systems, or even just the traffic lights (a 4-way flashing green on every block could lead to some interesting problems during rush-hour).
INFLUENCING THE INFORMATION/INDIVIDUALS
Data or information system corruption can also be the tool to help motivate changes in individuals and their decision cycles.
As we saw in our earlier military scenario, a commander may be less prone to using his artillery if he knows there is a good chance it will be off target – perhaps pushing the commander to use “boots on the ground” instead, which may be more prone to counter attack and ambush by the enemy (a desirable outcome for those who took away the Commander’s faith in his other systems).
Similarly data-driven businesses could be the target for data-corrupting attacks in order to change the nature of their business; imaging an investment firm being given false or corrupted information to redirect investments away from good prospects, or alternatively have them directed to poor or false ones in order to gain capital for future fraud and insider trading.
Sometimes the targets may be more personal – such as embedding information on someone’s computer that could lead to dismissal or at least public embarrassment.
Targeting information at key individuals may also influence decision makers, or even facilitate identity theft or spear-phishing attacks designed to get information valuable for other illegal activities and intrusion into more sensitive systems.
STEP OFF POINT TO OTHER ORGANIZATIONS AND SYSTEMS
Sometimes your organization isn’t the real objective of the attack, as seen with the retail chain Target, and the loss of their customer credit card database.
Like many organizations, Target had invested significant resources into their defenses – with all the state of the art firewalls and other protective measures used by many organizations today.
As a result, attackers will rarely go for the frontal attack unless they know of a specific weakness or vulnerability they can exploit.
Instead, significant time and research is put into finding an alternate route. This is where the proverbial “back door” in comes to play.
In the case of Target, a 3rd party vendor for their Heating, Ventilation and Air Conditioning (HVAC) systems were piggybacking on the Target network – so they could maintain control over their appliances within the Target stores.
This vendor did not have significant IT defenses (who wants to attack an air conditioning company?) – and attackers gained access relatively easily and then used that access to jump into Target’s network where they could explore and eventually find the credit card database.
Needless to say, Target should never have allowed a 3rd party into their core network; while it made sense to let 3rd parties like this HVAC vendor leverage inter-store connections through Target’s network, it should NEVER have been an isolated network segment – and not the same one that core business applications resided on.
Protecting your information technology and information systems isn’t just about protecting your data; a holistic “whole system” approach is necessary that looks at not just what you need to know to run your business (the information) but also the tools used to engage in your core business processes.
Considerations in establishing your defense includes:
- A broad based threat/risk analysis that looks at the core of what your business does (its processes and tools) and determines what is essential to the business
- A whole-network analysis that looks at all entry points within your system and looks to provide least privilege for access to all systems and services (in particular 3rd parties)
- A look at key partners and service providers – and their level of security and assurance; do you fully trust that vendor to come in and install patches on your infrastructure or install a new technology, or do you need to run a vulnerability analysis on the software and hardware before allowing it on your network?
Oddly enough, in many ways this still comes down to an information game. While your core business information may not be the direct target for theft, information about your architecture, what operating systems and applications you are using, types of firewalls and what patches you’ve applied, etc may just be the key information an adversary is looking for in order to attack your organization as a whole.
Protecting your internal architecture and configuration information, the “tools” behind your information systems, may be just as critical as protecting the information and business processes they serve.