Theft by Hacking: Three of the Top Six Threats (Part I)

Security · 12 minute read · Sep 13th, 2011

In my last post, I explained why no organization is safe from hackers. Hackers are successful because most IT organizations still rely on traditional perimeter security—VPNs, firewalls, IDSes, IPSes—to protect the network’s borders. If perimeter security actually still worked, well, you wouldn’t be seeing government, military, and corporate sites “pwned” and in the news with such regularity.

So how do you stop hackers from getting past ineffective legacy barriers and pwning your organization’s sensitive data? You need to identify the threats, understand how hackers exploit the existing perimeter and device security model, and then introduce contemporary technology that can protect data wherever it moves or resides.

There are six principal threats IT faces from hackers. In my next post, I’ll tackle Denial of Service attacks, Organizational Embarrassment, and Hacker Notoriety. But today I want to kick off with the first three, all of which relate to thievery:

1. Identity Theft
2. Financial Organization Theft
3. Theft of Intellectual Property

Let’s examine why they’re a threat, how hackers do it, why your current IT security model can fail, and how you can change the dynamic to protect your organization’s information assets. I’ll also cover the role that Unisys Stealth Solution for Network and the Unisys Stealth Solution for Secure Virtual Terminal (SSVT) device, announced last week, can play.

1. Identity Theft

Why this is a threat

Identity theft occurs one of two ways: on a personal level, where individual private identification information (social security, credit card) is stolen; or on an organizational level, where customers’ credit card, contact, or other private data are stolen by a dedicated hack against a company housing such information.

When either hack occurs, the consequences to an organization are often loss of money, loss of reputation and loss of customer confidence. The consequences are pretty far-reaching. Use of smartphones for banking, for example, has stalled, because people lack confidence in the security of the transaction.

How hackers pull off identity theft

Hackers usually try to steal identity information using spam, spoofing, phishing, and malware tools. Generally, these make use of social engineering approaches that fool users into thinking that the malicious e-mail, document or website they are opening is legitimate. Once a user is tricked into viewing what they think is a new set of photos from a friend or an e-mail from their bank, the attack begins.

There are also more sophisticated attacks, where hackers use technology to break directly into a network. One well-known example of this sort of theft: a ring of hackers sat in cars parked outside major retailers. They eavesdropped on network traffic using rogue wireless monitoring tools to capture credit card numbers passed in plain text every time a sale was transacted. Then they sold the numbers to organized crime.
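The eavesdropping case above worked because card numbers crossed the network in clear text. The check a defender wants is the mirror image: scan captured traffic for primary account numbers (PANs) that appear unencrypted, so the leak is found before an attacker finds it. The following is an added example, not code from the original post or from Unisys; the "captured" payloads are constructed stand-ins for what a packet capture would yield, and the card numbers are the public test numbers, not real customer data. It finds digit runs of plausible card length and confirms them with the Luhn mod-10 check that real card numbers satisfy, so order ids and other digit strings are not reported.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding itself does not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_plaintext_pans(payload: bytes) -> List[str]:
    """Return masked PANs that appear in clear text in one captured payload."""
    text = payload.decode("latin-1")        # lossless; binary bytes stay opaque
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_capture(payloads: List[bytes]) -> List[Tuple[int, str]]:
    """Scan a list of payloads; return (payload index, masked PAN) per hit."""
    hits = []
    for idx, payload in enumerate(payloads):
        for masked in find_plaintext_pans(payload):
            hits.append((idx, masked))
    return hits


# Constructed sample payloads (assumption: this is what a sniffer handed back).
# Payload 0 and 1 carry clear-text test card numbers; 2 fails Luhn; 3 is an
# opaque TLS-style record; 4 is a 16-digit order id that is not a card number.
CAPTURED_PAYLOADS = [
    b"POST /sale HTTP/1.1\r\nHost: pos.example\r\n\r\ncard=4111111111111111&amt=19.99",
    b"POST /sale HTTP/1.1\r\n\r\ncard=5500 0000 0000 0004&amt=5.00",
    b"POST /sale HTTP/1.1\r\n\r\ncard=4111-1111-1111-1112&amt=5.00",
    b"\x17\x03\x01\x00\x20" + bytes(range(32)),
    b"order id 1234567890123456 shipped",
]

if __name__ == "__main__":
    for idx, masked in scan_capture(CAPTURED_PAYLOADS):
        print(f"payload {idx}: clear-text card number {masked}")
```

Run against a real capture, a non-empty result from scan_capture is the finding: card data is leaving a terminal without transport encryption, and the fix is on the application or network side, not on the detector.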

Why the current IT security model fails

On a personal level, I believe we all need to be educated on how hackers spam, spoof, phish, and scam their way to successful identity theft. For example, you and everyone you know should be careful about what websites or e-mails you open.

My wife and kids hear this all the time from me: if you’re on your computer and you get an e-mail from someone you don’t know, and you don’t know what it is, don’t open it. Toss it. Delete it. Shred it. Spam filter it. Get rid of it. But don’t open it, because as soon as you do, you might have opened our network to malware.

Education alone is not enough, unfortunately. There is simply too much social engineering going on—some of it so convincing that it fools even experts—that even alert users will make a mistake sometime. How many requests do you get from your system to update your Adobe software? Are you careful about evaluating each and every request, or do you just click “Install”? And how can you even tell if that pop-up message is legitimate?

It’s easy for me to say that everyone should be careful about sites they visit or apps they open. But what happens when it’s Google or Microsoft that is serving up the malware? There’s an Achilles’ heel to every policy and methodology that involves personal diligence.

How you can change the dynamic

On an organizational level, Unisys Stealth can stop that problem—and I mean stop it dead in its tracks. Unisys Stealth sets up “communities of interest.” The information within that community of interest is completely invisible to anyone outside that community, because it is both encrypted and parsed. If you’re not a member of that community, you simply can’t get access to that community’s data, even if you somehow gained root (or superuser or admin, etc.) rights to their network.

The new SSVT lets you extend your communities of interest to any computer, no matter where it’s located, onsite or off. Once plugged into a device, SSVT allows users to securely communicate from their current location to a targeted destination.

For example, a bank could use SSVT to let a user securely access a sensitive banking application. But while doing so, they would not be able to do anything insecure, such as surf the web, read their e-mail, or run other apps. When they’re done with their banking, they remove their SSVT USB stick and return to their usual computing. Even if their PC was already infected with a virus, once they insert the SSVT USB stick, only the approved banking application is accessible.

2. Financial Organization Theft

Why this is a threat

Financial organization theft is flat-out stealing of cash resources. It is distinct from identity theft in that it is targeted at commercial banking and financial institutions. In doing so, the hackers might target customers and employees. But make no mistake: the end game is digital bank robbery.

How hackers pull off financial organization theft

The most frequent avenue of attack is malware, which spoofs the unsuspecting bank’s customers. The malware hijacks user web sessions, so customers think they are executing a transaction on their bank’s website. In truth, they are on the hacker’s site, which simulates—often expertly—the look and feel of the actual bank’s site.

Today this hack is done so frequently that the entire process, from delivering the malware to cashing out the victims’ bank accounts, is completely automated. Moreover, these attacks are very difficult to detect, because users have no idea that their deposit or transfer was conducted on a fake site. It can take days or weeks before the account transactions are reconciled by customers, or their checks start bouncing. By then, it’s too late.

Why the current IT security model fails

The common approach to preventing this sort of hack is to scan the computer to scrub any known malware before allowing access to the banking website. That, sadly, is inadequate, because the scanning and scrubbing are performed by so-called signature-based anti-malware tools. Indeed, nearly all of today’s intrusion detection and data loss prevention depend on this approach.

Signature-based anti-malware solutions—which can be deployed as software, services, hardware, or a combination thereof—respond to a known set of recognizable threats. And that, my friends, is their Achilles’ heel; the principal weakness that hackers exploit. Key word: “known.”

When a new and unknown threat emerges, the anti-malware vendor has to hear about it, capture it, reverse engineer it, identify a “signature” that will let their software or service recognize it, and then develop a way to neutralize it. And then they need to update their software or system and get it deployed to all of their users.

We’re all familiar with this process, because we all sit through so-called signature updates. The result is something like the feud between the Hatfields and the McCoys, where one side wins this week and the other side wins the next. Signature-based protection is a hit-or-miss proposition; a perpetual game of leapfrog between the anti-malware camp and the hacking camp.

If the signatures exist on the protected device, the anti-malware solution can stop the exploit. But if the signatures are out of date or the hack is new, the malware will come right in and do its dirty deeds without so much as an eyebrow raised. Hackers actually love signature-based solutions, because they give organizations a false sense of security. Hackers exploit the lag time between when an attack is released, and when it is discovered and neutralized.
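The gap described in the last few paragraphs is easy to see in miniature. The following is an added example, not code from the original post or from any anti-malware vendor: a toy signature database that matches on a file hash or on a byte pattern, run against constructed, harmless byte strings that stand in for samples. The known sample is caught by its hash; a variant that differs by a single byte slips past the hash and is caught only because a byte pattern was also written; a sample from a new family is reported as unknown until the "vendor" captures it and ships a signature. Names and strings are assumptions made for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Hit = Optional[Tuple[str, str]]   # (method, family) on a match, None when "unknown"


class SignatureDB:
    """Minimal signature store: exact file hashes plus byte patterns."""

    def __init__(self) -> None:
        self.hashes: Dict[str, str] = {}      # sha256 hex digest -> family name
        self.patterns: Dict[bytes, str] = {}  # byte pattern -> family name

    def add_hash(self, sample: bytes, family: str) -> None:
        self.hashes[hashlib.sha256(sample).hexdigest()] = family

    def add_pattern(self, pattern: bytes, family: str) -> None:
        self.patterns[pattern] = family

    def scan(self, sample: bytes) -> Hit:
        """Hash match first (cheapest, most precise), then byte patterns."""
        digest = hashlib.sha256(sample).hexdigest()
        if digest in self.hashes:
            return ("hash", self.hashes[digest])
        for pattern, family in self.patterns.items():
            if pattern in sample:
                return ("pattern", family)
        return None


# Constructed stand-ins for samples: plain text, nothing executable.
KNOWN_A = b"CONSTRUCTED-SAMPLE-A: beacon to 203.0.113.7 every 60s"
VARIANT_A = b"CONSTRUCTED-SAMPLE-A: beacon to 203.0.113.7 every 61s"   # one byte differs
NEW_B = b"CONSTRUCTED-SAMPLE-B: beacon to 198.51.100.9 every 30s"      # unseen family


def build_db() -> SignatureDB:
    """What the vendor has shipped so far: family A by hash and by pattern."""
    db = SignatureDB()
    db.add_hash(KNOWN_A, "family-A")
    db.add_pattern(b"beacon to 203.0.113.7", "family-A")
    return db


def detection_timeline() -> List[Tuple[str, Hit]]:
    """Scan results before and after the vendor's signature update."""
    db = build_db()
    results = [
        ("known A", db.scan(KNOWN_A)),            # caught by exact hash
        ("variant A", db.scan(VARIANT_A)),        # hash misses, pattern still matches
        ("new B, day 0", db.scan(NEW_B)),         # nothing known: reported clean
    ]
    # The lag window closes only once the vendor has captured and analysed B.
    db.add_hash(NEW_B, "family-B")
    results.append(("new B, after update", db.scan(NEW_B)))
    return results


if __name__ == "__main__":
    for label, hit in detection_timeline():
        print(f"{label:22s} -> {hit if hit else 'unknown (passes)'}")
```

The third row is the lag the post describes: between day 0 and the update, the scanner reports the new sample clean, and nothing on the protected device changes that until the signature arrives. Pattern signatures narrow the window for variants of a known family, but they too can only describe what has already been seen.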

How you can change the dynamic

Using Unisys Stealth and the new SSVT solution, a bank could give its customers a branded USB stick. When customers want to do their banking, they simply plug the Stealth SSVT USB stick into their computer. This establishes a secure point-to-point connection between the customer’s PC and the bank.

Each Stealth SSVT stick is powered by a completely separate Windows or Linux operating system, embedded on the USB device itself. Again, it doesn’t matter if the PC is brimming with malware. Once the SSVT is inserted, the PC is under Stealth’s control. Only a secure, direct connection to the targeted network and application is permitted. And this connection can’t be spoofed.

3. Theft of Intellectual Property

Why this is a threat

Theft of IP threatens a huge array of businesses and industries. Most organizations have proprietary or secret information about new products, practices and methods, technologies, innovations, R&D, or evidence in lawsuits. These hold great value to digital thieves as well, who are constantly on the hunt for such information.

In the pharmaceutical industry, for example, they are working on new formulas and new compounds for drugs every day. This information is prized by cyberbandits, who can earn big bucks for it through corporate or state-sponsored espionage or by working for organized crime. This is an area where both allies and enemies are suspect, and where the FBI has tracked down and arrested a number of violators.

Regrettably, most companies underestimate how valuable their intellectual property is, and how poorly protected that IP is within their IT environment.

How hackers pull off theft of intellectual property

While identity theft and financial organization theft are akin to a smash-and-grab jewelry store robbery—get in, get gold, get out—theft of intellectual property takes careful, long-term planning. Hackers target specific companies, specific departments, and even specific people in those companies.

Once they have gained access to the network (often through the same venues as the other threats we’ve discussed), they set up shop for the long haul, spending time probing, researching, and gathering the information they need. Cybersleuths refer to this as advanced persistent threats (APTs). They are attacking deliberately and will keep at it until they are successful or caught.

As Roger Grimes of Infoworld describes it: “APTs are professionally run attacks, managed just like legitimate corporations … Many APT companies work in skyscrapers; have CEOs, recruiters, and payrolls; and pay taxes. APT hackers work in eight-hour shifts and take off holidays …”

Think of APTs as hired guns: assassins who want to take down your organization’s most valuable IP.

Why the current IT security model fails

Nowhere is it more apparent that traditional perimeter security is failing than in dealing with APTs and theft of intellectual property. By and large, organizations are not protecting their intellectual property and don’t have a strong sense of what they have that hackers and other rogue actors would consider valuable.

Organizations with IP to protect should operate under the assumption that their “secure” networks are completely open to the outside world, and that hackers can access virtually anything on them. Your perimeter and device security serve only to keep honest people or unsophisticated hackers out, and can prevent only the known malware threats.

How you can change the dynamic

Unisys Stealth can help prevent intellectual property from being compromised. The SSVT USB device is especially useful in circumstances where people are working remotely. You want to make absolutely certain that the path from the point that sends information to the point that receives it is secure, end to end.

SSVT, due to its embedded secure Windows or Linux operating systems, will let you do that with confidence. Using the pharma example again, imagine a research scientist developing formulas for new drugs. Before he sends e-mail or models or what have you over the Internet, he first inserts his SSVT stick into his computer. Then he connects to his organization’s network. The connection established is directly between the SSVT stick and the company’s network. Nothing else on the researcher’s computer can access it. When he’s done transferring his IP, he removes the SSVT stick and returns to normal (i.e., insecure) computing.

As you can see, all three of these threats are becoming more sophisticated and specific in their aims. Identity theft targets people—any person who happens to make the mistake of clicking the wrong link or launching the wrong document. Financial organization theft targets commercial banking customers, and often targets a specific institution. Intellectual property theft is highly targeted at a specific company, group, or person.

The threats are evolving. So too must the security model. We need to respond proactively with a more sophisticated approach that goes beyond traditional perimeter security, and even beyond just encryption. In my next post, I’ll cover the remaining three major threats to IT in the same manner as I have covered these today. Stay tuned.

Tags: Financial organization theft, Hackers, Identity theft, Intellectual property theft