social engineering - human aspects of industrial and economic espionage


Upload: marin-ivezic

Post on 14-Apr-2017


Page 1: Social Engineering - Human aspects of industrial and economic espionage

Social Engineering

Human aspects of industrial and economic espionage

Marin Ivezic

Cyber Agency

www.cyberagency.com

October, 2001

Page 2: Social Engineering - Human aspects of industrial and economic espionage

SOME KNOWN CASES

Johnson & Johnson vs. Bristol-Myers

Johnson Controls vs. Honeywell

Boeing vs. Airbus

Cyber Agency | www.cyberagency.com2

Page 3: Social Engineering - Human aspects of industrial and economic espionage

SUBJECTS OF TODAY’S DISCUSSION…

1. Industrial and economic espionage using Social Engineering

2. Industrial and economic espionage countermeasures

It’s not just smart business!

Page 4: Social Engineering - Human aspects of industrial and economic espionage

DEFINITION OF SOCIAL ENGINEERING

“Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in; unauthorized access, unauthorized use, or unauthorized disclosure, to an information system, network or data.” (Rogers & Berti, 2001)


Page 5: Social Engineering - Human aspects of industrial and economic espionage

EXTENDED DEFINITION OF SOCIAL ENGINEERING

Any kind of psychological manipulation used to obtain private or sensitive information, or to force the target to perform some action to the target’s disadvantage.

(Ivezic, 1998)

Page 6: Social Engineering - Human aspects of industrial and economic espionage

DEFINITION OF COMPETITIVE INTELLIGENCE

Context for Social Engineering

“Competitive intelligence (CI) is the process of monitoring the competitive environment. CI enables senior managers in companies of all sizes to make informed decisions about everything from marketing, R&D, and investing tactics to long-term business strategies. Effective CI is a continuous process involving the legal and ethical collection of information, analysis that doesn't avoid unwelcome conclusions, and controlled dissemination of actionable intelligence to decision makers.”

Source: Society of Competitive Intelligence Professionals

“Competitive intelligence is a systematic program for gathering and analyzing information about your competitors’ activities and general business trends to further your own company’s goal.”

Source: Larry Kahaner, “Competitive Intelligence”

Page 7: Social Engineering - Human aspects of industrial and economic espionage

DEFINITION OF COMPETITIVE INTELLIGENCE

Context for Social Engineering

White - company publications, public records, commercial reporting sources

Gray - Not readily available, but can be obtained without civil/criminal liability

Black - Obtained through unethical or illegal means. Can result in civil and/or criminal sanctions.

Black = Espionage

Page 8: Social Engineering - Human aspects of industrial and economic espionage

DEFINITION OF ESPIONAGE

Context for Social Engineering

Espionage: Information collection operations performed in an unethical and/or unlawful manner

Economic Espionage: Government intelligence operation aimed at acquiring the economic secrets of a foreign country, including information about its trade policies and the trade secrets of its companies.

Industrial Espionage: Intelligence operations conducted by one corporation against another for the purpose of acquiring a competitive advantage in domestic and global markets.

Page 9: Social Engineering - Human aspects of industrial and economic espionage

COUNTRIES INFAMOUS FOR ECONOMIC ESPIONAGE

• USA

• Japan

• China

• Russia

• Germany

• France

• UK

• Israel

South Korea, India, Pakistan, Argentina and others…

Page 10: Social Engineering - Human aspects of industrial and economic espionage

WHY NOW?

Modern Business Eras (timeline figure): Machinery (1940s); Capital / Labor (1950-60s); Information (1980-90s); Knowledge (Intelligence) (2000s). Era labels shown: Mechanical, Investment, Technology, Computers, Intelligence.

Modern Business Drivers

• The pace of business has increased and will keep increasing.

• Most businesses are now in information overload.

• Increased global competition.

• Economic competition has become war.

• Political changes ripple more quickly than in the past.

• Technology changes are more rapid.

• Availability of ex-Cold War spies.

Page 11: Social Engineering - Human aspects of industrial and economic espionage

SECURITY THREATS

Threat sources and likelihood (chart): Disgruntled Employees 90%; Independent Hackers 70%; Competitors 50%; Foreign Corp. 30%; Foreign Gov. 20%

Threat actor spectrum (figure), from Most Likely (annoyance) to Least Likely (strategic impact); actors shown: Insider, Competitor, Activist, Foreign Agent, Terrorist

Page 12: Social Engineering - Human aspects of industrial and economic espionage

SECURITY THREATS

Adversary Motivation (table)

Adversaries: National Intelligence; Information Warfare; Terrorists; Industrial Espionage; Organized Crime; Insider; Hacker

Motivations: Visibility, Publicity, Chaos, Political Change; Information for Political, Military, Economic Advantage; Military Advantage, Chaos, Target Damage; Competitive Advantage, Revenge; Monetary Gain, Revenge; Thrill, Challenge, Prestige; Revenge, Financial Gain, Institutional Change

Who thinks we are important? Or interesting? Competitors, Suppliers, Customers, Investors, Critics, Regulators, Hackers

Page 13: Social Engineering - Human aspects of industrial and economic espionage

HOW IS IT DONE?

Myths

• Industrial spies are well-trained James Bonds that can get anything they want

• Hackers are geniuses that can look at a computer and take it over

• It takes super advanced methods and a billion dollars in new research to figure out how to stop them

Reality

• “Spies” are putzes that do nothing brilliant

• They take advantage of what they have access to

• They abuse human nature

• They luck into it, because there are no or minimal countermeasures

Page 14: Social Engineering - Human aspects of industrial and economic espionage

WHY IS SE SO EFFECTIVE?

(Figure: Technical, People, Physical)

• The Security Field has focused primarily on technical security and protection of physical assets

• Security is only as strong as the weakest link - people are the weakest link

• Why spend time attacking the technology when a person will give you access or information?

• Extremely hard to detect, as there is no IDS for “lack of common sense” or, more appropriately, ignorance

Page 15: Social Engineering - Human aspects of industrial and economic espionage

WHY IS SE SO EFFECTIVE?

Two Primary Factors: Business Environment and Human Nature

Business Environment: Service Oriented, Time Crunch, Distributed, Outsourcing, Virtual Offices

Human Nature: Helpful, Trusting, Naive

Page 16: Social Engineering - Human aspects of industrial and economic espionage

ANATOMY OF AN SE ATTACK

Very similar to how intelligence agencies infiltrate their targets. Usually a very methodical, 3-phased approach:

Step 1 - Intelligence gathering

• Primarily Open Source Information such as: Dumpster diving, Web pages, Ex-employees, Contractors, Vendors, Partners

Step 2 - Target selection

• Looking for weaknesses in the organization’s personnel: Help desk, Tech support, Reception, Admin. support, Etc.

Step 3 - The attack

• Commonly known as the con

• Three broad categories of attack: Ego attacks, Sympathy attacks, Intimidation attacks.

• Other elicitation techniques …

Page 17: Social Engineering - Human aspects of industrial and economic espionage

COMMON SE ATTACKS

1. Ego attacks

• Attacker appeals to the vanity, or ego, of the victim

• Usually targets someone they sense is frustrated with their current job position

• The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data

• Attacker may pretend to be law enforcement; the victim feels honored to be helping

• Victim usually never realizes

Page 18: Social Engineering - Human aspects of industrial and economic espionage

COMMON SE ATTACKS

2. Sympathy attacks

• Attacker pretends to be a fellow employee (new hire), contractor, employee or a vendor, etc.

• There is some urgency to complete some task or obtain some information

• Needs assistance or they will be in trouble or lose their job, etc.

• Plays on the empathy & sympathy of the victim

• Attackers “shop around” until they find someone who will help

• Very successful attack

Page 19: Social Engineering - Human aspects of industrial and economic espionage

COMMON SE ATTACKS

3. Intimidation attacks

• Attacker pretends to be someone influential, an authority figure, and in some cases law enforcement

• Attempts to use their authority to coerce the victim into cooperation

• If there is resistance they use intimidation and threats (e.g., job sanctions, criminal charges, etc.)

• If they pretend to be Law Enforcement they will claim the investigation is hush-hush and not to be discussed, etc.

Page 20: Social Engineering - Human aspects of industrial and economic espionage

OTHER ELICITATION TECHNIQUES

• Elicitation

• Interview process which avoids direct questions and employs a conversational style to reduce concerns and suspicions…

• Collecting information without asking questions.

Page 21: Social Engineering - Human aspects of industrial and economic espionage

ELICITATION - CONVERSATIONAL HOURGLASS

• People remember questions more clearly and longer

• People remember the beginning and end of a conversation

• Concentration is on the “muddle in the middle”

Style

• Innocuous and non-threatening

• Testing of generalizations and presumptions about human factors in elicitation

• Reading signals from source

• Pleasant and non-confrontational

Elements

• Pre-selected introductory questions about general topics

• Stacking of elicitation techniques

• Attention to details of information being provided

• Additional “cool down” questions about other general topics

Hourglass (figure): Macro topics, then Micro topics, then Macro topics

What you already know

• personal/professional background

• techniques that have worked well before

• areas of expertise or knowledge

Page 22: Social Engineering - Human aspects of industrial and economic espionage

WHY DOES IT HAPPEN?

A natural tendency

• to need recognition (as an expert)

• toward self-effacement

• to correct, advise, challenge others

• to prove others wrong

• to discuss things that are not their concern

• to gossip

• not to be able to keep secrets

• to underestimate the value of information

• toward indiscretion when not in control of one’s emotions

• to show off (professionally)

• to complain

(Nolan, 2000)

Page 23: Social Engineering - Human aspects of industrial and economic espionage

TYPICAL ELICITATION TOOLS

1. Provocative statements evoking:

– quid pro quo

– naïveté

– disbelief

– criticism

2. Quid pro quo

3. Simple flattery

4. Exploiting the instinct to complain

5. Word repetition vs. “emphatic loading”

6. Quotation of reported facts(?)

7. Naïveté

8. Oblique reference

9. Criticism

10. Bracketing

11. Feigned or real disbelief

12. Purposely erroneous statement

(Nolan, 2000)

Page 24: Social Engineering - Human aspects of industrial and economic espionage

DEFENSE FRAMEWORK

(Figure) Attacks; Critical Project; Situational Awareness; Survive; Protect; Detect / Respond; Design Features; Physical; Personnel; Procedures

(Nolan, 2000)

Page 25: Social Engineering - Human aspects of industrial and economic espionage

DEFENSE FRAMEWORK

People, Process, Technology, Organization

Effective Policies

• Enforcement of effective policies

• Staff knowledge and skill development

Secure Systems

Technology implementation for end-to-end security

Effective support structure

Managed Processes

Security is not about products - it is the effective management of processes between Policy, Technology and Support Structure

(Nolan, 2000)

Page 26: Social Engineering - Human aspects of industrial and economic espionage

THERE ARE MANY WAYS TO “BUG” A ROOM

Find professionals!

(Nolan, 2000)

Page 27: Social Engineering - Human aspects of industrial and economic espionage

COUNTERINTELLIGENCE

Measures to prevent a competitor from gaining data or knowledge that could give them a competitive advantage over your company.

• What assets, resources & information should be protected? (e.g., new technologies, new products/services)

• How can you safeguard what might be penetrated?

(Nolan, 2000)

Page 28: Social Engineering - Human aspects of industrial and economic espionage

PROTECTION - DON’T OVERDO IT

(Nolan, 2000)

Page 29: Social Engineering - Human aspects of industrial and economic espionage

PROTECTION – COST vs. BENEFITS

▪ What is the cost vs. benefit?

▪ Are you creating another vulnerability?

▪ How long is the countermeasure needed?

(Chart axes: Cost of Losses, Cost of Security)

(Nolan, 2000)

Page 30: Social Engineering - Human aspects of industrial and economic espionage

PROTECTION – COST vs. BENEFITS

(Chart) Axes: Risk, Investment; Threat Level. Labels shown: Non-Systematic Threats; Total Systematic Risk; USER; HACKER; COMPETITION; FOREIGN THREATS; Sound Security Policy; Implementation, Enforcement, Auditing; Security Engineering and Intelligence Function; Mitigation for specific threats; Acceptable Risk Region

(Nolan, 2000)

Page 31: Social Engineering - Human aspects of industrial and economic espionage

OPERATIONS VULNERABILITIES

Procedures in Practice

• Sales & Marketing

• Public Relations

• Help Wanted Ads

• Internet Usage

• Credit Cards and other travel records

• Telephone records and conversations

• Casual conversations

• Supplier records

• Personal aggrandizement

• Taking work home

• Poor incident-reporting procedures

• Human weaknesses

(Nolan, 2000)

Page 32: Social Engineering - Human aspects of industrial and economic espionage

OPERATIONS COUNTERMEASURES

1. Awareness Training

2. Classifying Information

3. Security Alert System

4. Reward Programs

5. Callbacks before Disclosing Sensitive Info

– Verifying the Need for Information Access

– Verifying Identities and Purposes

6. Removing Personal Identifiers from Access Badges

7. Nondisclosure/Non-compete Agreements for Employees and Business Partners

8. Prepublication Reviews for Employees

9. Review of Corporate Releases

10. Strict Guidelines for Marketers and Salespeople

(Nolan, 2000)

Page 33: Social Engineering - Human aspects of industrial and economic espionage

It takes only one… Are You The Weakest Link?

Questions? Experiences?

Page 34: Social Engineering - Human aspects of industrial and economic espionage

WHO ARE WE?

Penetration Testing and Counter Espionage Consulting

Particular expertise in counter-HUMINT

Provides training, consulting, mentoring, testing and regular assessments

100% focused on information protection, counter-intelligence, counter-espionage

No conflict of interest

We also cover:

Penetration testing

Cyber security

Physical security

Technical security

Page 35: Social Engineering - Human aspects of industrial and economic espionage

Thank you for your attention! Any Questions?