Professional Documents
Culture Documents
E hi l HHacking
ki and
d
Countermeasures
V i 6
Version
Module XLVIII
Corporate Espionage by
Insiders
News
Source: http://business.timesonline.co.uk/
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
News
Source: http://blogs.barrons.com/
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
Information Corporate
p Spies
p Seek
Tools
Countermeasures
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Common Attacks
Corporate Espionage
carried out by Insiders
Different Categories of
Tools
Insider Threat
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Introduction To Corporate
Espionage
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Information Corporate Spies Seek
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Different Categories of Insider
Threat
Pure Insider
Insider Associate
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Different Categories of Insider
Threat (cont
(cont’d)
d)
Insider Affiliate
Outside Affiliates
Access to Facilities
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Driving Force behind Insider
Attack
Financial gain
Challenge
Curiosity
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Common Attacks carried out by
Insiders
Sabotage of information/systems
Viruses
Installation of unauthorized
software/hardware
Social engineering
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Techniques Used for Corporate
Espionage
Social Engineering
• Social engineering is defined as a non-technical kind of
intrusion that relies heavily on human interaction and
often involves
in ol es tricking other people to break normal
security procedures
Dumpster Diving
•D
Dumpstert di
diving
i iis llooking
ki ffor ttreasure iin someone else's
l '
trash. (A dumpster is a large trash container.) In the world
of information technology, dumpster diving is a technique
used to retrieve information that could be used to carry
out an attack on a computer network
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Techniques Used for Corporate
Espionage (cont
(cont’d)
d)
Information extraction
• The information can be extracted through:
• Hidden files
• Removable media
• Wi l
Wireless exfiltration
filt ti
• Laptops
• PDAs/Blackberrys
Network leakage
• The network traffic that are allowed in an organization is
Web and email
• Insiders can use these techniques to disclose the
organization’s
g information
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Techniques Used for Corporate
Espionage (cont
(cont’d)
d)
Cryptography
• Cryptography garbles a message in such a way that its
meaning is concealed
• It starts off with a plaintext message and then an
encryption algorithm is used to garble a message which
creates cipher text
Steganography
• Steganography is data hiding
hiding, and is meant to conceal
the true meaning of a message
• It is referred to as a secret communication and covert
communication
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Techniques Used for Corporate
Espionage (cont
(cont’d)
d)
Malicious attacks
• Malicious attacks are used to gain additional access or elevated
privileges
• These attacks usually involve running exploit code against a system
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Process of Hacking
Hacker following
the 7 habits to
attack the
target organization
Plants
6 Malicious 5 Exploits
E l i System
S 4 Breaks Network
Resources Defense using
programs for
exploits for known
backdoor
vulnerabilities
access
7 Clears
Evidence by
erasing tracks
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Process of Hacking (cont’d)
Target Organization’s
Internal Network
Internet
Launches an attack
8 from the Organization’s
Internal Network Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Case Study : Disgruntled System
Administrator
A system administrator, angered by his diminished
role in a thriving defense manufacturing firm whose
computer network he alone had developed and
managed, centralized the software that supported the
company’s manufacturing processes on a single
server, andd then
th i ti id t d a coworker
intimidated k into
i t giving
i i
him the only backup tapes for that software.
Following the system administrator’s termination for
inappropriate and abusive treatment of his
coworkers, a logic bomb previously planted by the
insider detonated, deleting the only remaining copy
of the critical software from the company’s server.
The company estimated the cost of damage in excess
of $10 million, which led to the layoff of some 80
employees.
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Former Forbes Employee Pleads
Guilty
In 1997, George Parente was arrested for causing five
network servers at the publishing company Forbes, Inc.,
to crash.
crash Parente was a former Forbes computer
technician who had been terminated from temporary
employment.
In what appears
pp to
o have b
been a vengeful
g act against
g the
company and his supervisors, Parente dialed into the
Forbes computer system from his residence and gained
access through a co-worker's log-in and password. Once
online,
li h caused
he d five
fi off the
th eight
i ht Forbes
F b computer t
network servers to crash, and erased all of the server
volume on each of the affected servers. No data could be
restored.
Parente's sabotage resulted in a two day shut down in
Forbes' New York operations with losses exceeding
$100,000.
Parente pleaded guilty to one count of violating Source:
http://www.usdoj.gov/criminal/cybercrime/v
Computer Fraud and Abuse Act, Title 18 U.S.C. 1030 atis.htm
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Former Employees Abet Stealing
Trade Secrets
Source: http://www.usdoj.gov/
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
California Man Sentenced For
Hacking
Source: http://www.usdoj.gov/
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Federal Employee Sentenced for
Hacking
Source: http://www.usdoj.gov/
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Facts
IInternal
t l breaches
b h
included:
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Key Findings from U.S Secret Service and
CERT Coordination Center/SEI study on
Insider Threat
A negative work
work-related
related event triggered most insiders
insiders’ actions
R
Remote
t access was used
d tto carry outt th
the majority
j it off th
the attacks
tt k
The majority of the insider attacks were only detected once there was a
noticeable irregularity in the information system or a system became
unavailable
The majority
j y of attacks were accomplished
p using
g company’s
p y computer
p
equipment
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Tools
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
NetVizor
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
NetVizor: Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Privatefirewall w/Pest Patrol
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Privatefirewall w/Pest Patrol:
Screenshot
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Countermeasures
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Best Practices against Insider
Threat
Monitor employee’s behavior
Lock the wire closets, server rooms, phone closets, and other sensitive
equipments
Never leave a voice mail message
g or e-mail broadcast message
g that g
gives
an exact business itinerary
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Countermeasures
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Countermeasures (cont’d)
Defining
g Acceptable
p Level of Loss
• The possibility for loss is all around and risk management
will determine what efforts should be focused on by an
organization and what can be ignored
• Cost-benefit analysis is a typical method of determining
acceptable level of risk
• The two methods to deal with p potential loss are:
prevention and detection
Loss
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Countermeasures (cont’d)
C t lli A
Controlling Access
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Countermeasures (cont’d)
Bait: Honeypots
yp and Honeytokens
y
• Catching the insiders when they are stealing
the information is called honeypots and
honeytokens
• Honeypots and Honeytokens are traps which
are set at the system level and file level
respectively
• Honeypot on the h network k looks
l k attractive to
attackers and lures them in
• It is used when someone wanders around the
network looking for something of interest
• Honeytoken is done at a directory or file level
instead of the entire system
• Display an attractive file on a legitimate server
used d to trap the
h iinsider
id
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Countermeasures (cont’d)
Mole detection
Profiling
Monitoring
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Countermeasures (cont’d)
Si
Signature
t A
Analysis
l i
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Summary
C t
Cryptography
h garbles
bl a message iin such
h a way th
thatt it
its meaning
i iis concealed
l d
M k sure that
Make th t unnecessary accountt privileges
i il are nott allotted
ll tt d tto normall users
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited