Credit card numbers are small potatoes.
Big-time computer hackers are after proprietary information: source code, pharmaceutical research, legal documents, chemical formulas, blueprints, product designs and other trade secrets that can be sold on the black market for huge profits.
The tactics hackers are using to sneak into business and government networks should curl the hair of any business leader. A few months back, Symantec released a disturbing report on “Butterfly,” a mysterious and sophisticated group of hackers that it described as “highly capable, professional attackers who perform corporate espionage with a laser-like focus on operational security. The team is a major threat to organizations that have large volumes of proprietary intellectual property, all of which is at risk of being stolen by this group for monetary gain.”
Last week, Ron Taton, president of Cleveland-based IntelliNet Corp., told me about a real-life incident he'd learned about from a security-software vendor. Here's a version of how it went down, and it's right out of a spy novel:
You're a chemical engineer at a large company that's working on something special, let's say new battery technology that will triple the range of electric cars. It could mean billions in revenue and freedom from Mideast oil.
You're proud of your work — you should be — and you include your employer info on your Facebook page. And like most guys (yes, it's a man in this example), you're competitive, so you make sure to post photos and updates from your victories at Tuesday night trivia at the local sports bar.
One night, as you wait for a pitcher to be filled at the bar, a beautiful woman two stools down says hello. You look to the left, then the right and realize she is talking to you. You say hello back, and a conversation begins.
She becomes even more attractive when she talks about technology and lets it slip that she works for IBM.
You tell her you're an engineer and love tech. She offers to pay for your pitcher. You forget all about trivia night as she discusses her work and gives you a business card with the iconic blue IBM logo. “I have some swag in my car,” she says. “Give me a second.” As she heads out to the parking lot, you pop a breath mint and pinch yourself.
“Merry Christmas,” she says when she returns, placing on the bar an IBM coffee mug, T-shirt, mouse pad and 8-gig flash drive. The next morning at work, the coffee tastes extra rich in the new mug, the mouse moves so smoothly on the new pad, and with a new confidence, you push the thumb drive into your computer.
Within seconds, the company's entire email network is compromised, and hackers begin work scraping messages, documents, attachments and images.
The most sophisticated hackers may “clean up” after they're done, removing traces of the breach and making it even more difficult for companies to know they've been violated — until a competitor in Russia or China unveils a product developed with stolen intelligence.
“Everything is hackable,” says IntelliNet's Taton. “Assume you are going to be hacked. There is no such thing as a trench around a network. It doesn't exist.” Instead, he says, companies need to be able to be ready to respond, mitigate and play defense. And skip trivia night.
And oh, effective security awareness training would have helped too! Find out how affordable this is and be pleasantly surprised.
Cross posted from John Campanelli
Related Pages: Social Engineering