16. January 2010 · Google discloses breach and new threat type from China – Advanced Persistent Threats · Categories: Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First, regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches that the federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a relatively new type of attack called "advanced persistent threats" (APT), which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear phishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.

Gunter Ollmann, VP of Research at Damballa, discusses APTs further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother “botnets”, are meaningless without that tether – which is more often labeled as Command and Control (CnC).

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of default HTTPS access for Gmail.

Indeed, the threat landscape has changed.

24. November 2009 · Massive T-Mobile UK trade secret theft perpetrated by insider · Categories: Breaches, Data Loss Prevention, Trade Secrets Theft

Last week T-Mobile UK admitted to the theft of millions of customer records by one or more insiders. These customer records, which included contract expiration dates, were sold to T-Mobile competitors or third-party brokers who "cold called" the T-Mobile customers when their contracts were about to expire to get them to convert.

While this is a privacy issue from the customer perspective, from T-Mobile's perspective it's also theft of trade secrets.

And this is about as basic as theft of trade secrets gets. According to the article in the Guardian, in the UK this type of crime is only punishable by fine, not jail time, although the Information Commissioner's Office "is pushing for stronger powers to halt the unlawful trade in personal data…"

So if you steal a car, you can go to jail, but if you steal millions of customer records, you can't. Clearly the laws must be changed. Or, not being a lawyer, I am missing something.

Based on some research I've done, the same is true in the United States, i.e. no jail time. Here are some good links that cover trade secret law in the US:

Regardless of the laws and their need for change, organizations must invest in trade secret theft prevention appropriate to the associated level of risk.

Let's take a look at the components of Risk – Threat, Asset Value, Likelihood and Economic Loss – in the context of trade secret theft.

The overall Threat is increasing as the specific methods of theft of digital Assets constantly evolve. Economic loss, depending on the Value of the trade secret Asset, can range from significant to devastating, i.e. wiping out much or all of an organization's value.

It's hard to imagine the Likelihood of theft of any trade secret in digital form could ever be rated as low. Unfortunately, we do not have well-accepted quantitative metrics for measuring the degree to which administrative and technical controls can reduce Likelihood.

Therefore, trade secret theft risk mitigation is really a continuous process rather than a one-time effort. New threats are always appearing. New administrative and technical controls must constantly be reviewed and, where appropriate, implemented in order to minimize the risk of trade secret theft.