Social Engineering - Human aspects of grey and black competitive intelligence. What is social engineering? How it is used in the context of competitive intelligence and industrial espionage? How to recognize HUMINT / social engineering attacks? Which governments are known to use it?
Social Engineering
Human aspects of competitive intelligence
Marin Ivezic
Cyber Agency
www.cyberagency.com
SOME KNOWN CASES
Johnson & Johnson vs. Bristol-Myers
Johnson Controls vs. Honeywell
Boeing vs. Airbus
Cyber Agency | www.cyberagency.com
SUBJECTS OF TODAY’S DISCUSSION…
1. Competitive Intelligence using Social Engineering
2. Competitive Intelligence Countermeasures

SOME KNOWN CASES
It’s not just smart business!
DEFINITION OF SOCIAL ENGINEERING
“Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in; unauthorized access, unauthorized use, or unauthorized disclosure, to an information system, network or data.” (Rogers & Berti, 2001)

EXTENDED DEFINITION OF SOCIAL ENGINEERING
Any kind of psychological manipulation used to obtain private or sensitive information, or to force the target to perform some action to the target’s disadvantage. (Ivezich, 1998)
DEFINITION OF COMPETITIVE INTELLIGENCE
Context for Social Engineering
“Competitive intelligence (CI) is the process of monitoring the competitive environment. CI enables senior managers in companies of all sizes to make informed decisions about everything from marketing, R&D, and investing tactics to long-term business strategies. Effective CI is a continuous process involving the legal and ethical collection of information, analysis that doesn't avoid unwelcome conclusions, and controlled dissemination of actionable intelligence to decision makers.” Source: Society of Competitive Intelligence Professionals
“Competitive intelligence is a systematic program for gathering and analyzing information about your competitors’ activities and general business trends to further your own company’s goal.” Source: Larry Kahaner, “Competitive Intelligence”
DEFINITION OF COMPETITIVE INTELLIGENCE
Context for Social Engineering
White - company publications, public records, commercial reporting sources
Gray - Not readily available, but can be obtained without civil/criminal liability
Black - Obtained through unethical or illegal means. Can result in civil and/or criminal sanctions.
Black = Espionage
DEFINITION OF ESPIONAGE
Context for Social Engineering
Espionage: Information collection operations performed in an unethical and/or unlawful manner
Economic Espionage: Government intelligence operation aimed at acquiring the economic secrets of a foreign country, including information about trade policies and the trade secrets of its companies.
Industrial Espionage: Intelligence operations conducted by one corporation against another for the purpose of acquiring a competitive advantage in domestic and global markets.
WHO’S DOING COMPETITIVE INTELLIGENCE?
[Bar chart by industry: Healthcare, Utilities, Industrial, Defense / Aerospace, Banking / Financial, Computers, Information, Communications, Chem / Pharma, Consulting; axis 0 to 16; bar values shown: 4, 4, 4, 4, 5, 5, 7, 11, 13, 16]
▪ 90% of Fortune 500 firms
▪ Firms with high R&D expenditures
▪ Firms that own many patents
▪ 2-3% of German firms
▪ U.S. & U.K. firms mostly
Motorola, Bell Atlantic, Xerox, Eastman Kodak, Skandia, Ford, SDG, Merck, Amoco, Pacific Enterprises, Sequent, American Express, Boehringer Ingelheim, Procter & Gamble, Dow Chemical, MetLife, IBM, Johnson & Johnson…
COUNTRIES INFAMOUS FOR ECONOMIC ESPIONAGE
• USA
• Japan
• China
• Russia
• Germany
• France
• UK
• Israel
South Korea, India, Pakistan, Argentina and others…
WHY NOW?
Modern Business Eras
• Machinery (1940s) - Mechanical Technology
• Capital / Labor (1950-60s) - Investment
• Information (1980-90s) - Computers
• Knowledge (Intelligence) (2000s) - Competitive Intelligence Systems
Modern Business Drivers
• The pace of business has and will increase.
• Most businesses are now in information overload.
• Increased global competition.
• Economic competition has become war.
• Political changes ripple more quickly than in the past.
• Technology changes are more rapid.
• Availability of ex cold-war spies.
SECURITY THREATS
[Bar chart: Disgruntled Employees, Independent Hackers, Competitors, Foreign Corp., Foreign Gov.; bars labelled 90%, 70%, 50%, 30%, 20%]
[Slide graphic: adversary spectrum from Most Likely (annoyance) to Least Likely (strategic impact); adversaries shown: Terrorist, Insider, Foreign Agent, Competitor, Activist]
Adversary Motivation
• Visibility, Publicity, Chaos, Political Change
• Information for Political, Military, Economic Advantage
• Military Advantage, Chaos, Target Damage
• Competitive Advantage, Revenge
• Monetary Gain, Revenge
• Thrill, Challenge, Prestige
• Revenge, Financial Gain, Institutional Change
Who thinks we are important? Or interesting? Competitors, Suppliers, Customers, Investors, Critics, Regulators, Hackers
SECURITY THREATS
Threat categories: National Intelligence, Information Warfare, Terrorists, Industrial Espionage, Organized Crime, Insider, Hacker
HOW IS IT DONE?
Myths
• Industrial spies are well trained James Bonds that can get anything they want
• Hackers are geniuses that can look at a computer and take it over
• It takes super advanced methods and a billion dollars in new research to figure out how to stop them
Reality
• “Spies” are putzes that do nothing brilliant
• They take advantage of what they have access to
• They abuse human nature
• They luck into it, because there are no or minimal countermeasures
WHY IS SE SO EFFECTIVE?
[Slide graphic: triangle of Technical, People, Physical]
• The Security Field has focused primarily on technical security and protection of physical assets
• Security is only as strong as the weakest link - People are the weakest link
• Why spend time attacking the technology when a person will give you access or information
• Extremely hard to detect, as there is no IDS for “lack of common sense” or, more appropriately, ignorance
WHY IS SE SO EFFECTIVE?
Two Primary Factors: Business Environment and Human Nature
Business Environment: Service Oriented, Time Crunch, Distributed, Outsourcing, Virtual Offices
Human Nature: Helpful, Trusting, Naive
ANATOMY OF AN SE ATTACK
Very similar to how intelligence agencies infiltrate their targets. Usually a very methodical approach. 3-phased approach:
Step 1 - Intelligence gathering
• Primarily Open Source Information such as: Dumpster diving, Web pages, Ex-employees, Contractors, Vendors, Partners
Step 2 - Target selection
• Looking for weaknesses in the organization’s personnel: Help desk, Tech support, Reception, Admin. support, Etc.
Step 3 - The attack
• Commonly known as the con
• Three broad categories of attack: Ego attacks, Sympathy attacks, Intimidation attacks.
• Other elicitation techniques …
COMMON SE ATTACKS
1. Ego attacks
• Attacker appeals to the vanity, or ego of the victim
• Usually targets someone they sense is frustrated with their current job position
• The victim wants to prove how smart or knowledgeable they are and provides sensitive information or even access to the systems or data
• Attacker may pretend to be law enforcement, the victim feels honored to be helping
• Victim usually never realizes
COMMON SE ATTACKS
2. Sympathy attacks
• Attacker pretends to be a fellow employee (new hire), contractor, employee or a vendor, etc.
• There is some urgency to complete some task or obtain some information
• Needs assistance or they will be in trouble or lose their job etc.
• Plays on the empathy & sympathy of the victim
• Attackers “shop around” until they find someone who will help
• Very successful attack
COMMON SE ATTACKS
3. Intimidation attacks
• Attacker pretends to be someone influential, an authority figure, and in some cases law enforcement
• Attempts to use their authority to coerce the victim into cooperation
• If there is resistance they use intimidation, and threats (e.g., job sanctions, criminal charges etc.)
• If they pretend to be Law Enforcement they will claim the investigation is hush hush and not to be discussed etc.
OTHER ELICITATION TECHNIQUES
• Elicitation
• Interview process which avoids direct questions and employs a conversational style to reduce concerns and suspicions…
• Collecting information without asking questions.
ELICITATION - CONVERSATIONAL HOURGLASS
• People remember questions more clearly and longer
• People remember the beginning and end of a conversation
• Concentration is on the “muddle in the middle”
Style
• Innocuous and non-threatening
• Testing of generalizations and presumptions about human factors in elicitation
• Reading signals from source
• Pleasant and non-confrontational
Elements
• Pre-selected introductory questions about general topics
• Stacking of elicitation techniques
• Attention to details of information being provided
• Additional “cool down” questions about other general topic
What you already know
• personal/professional background
• techniques that have worked well before
• areas of expertise or knowledge
[Hourglass diagram: Macro topics at the top, Micro topics in the middle, Macro topics at the bottom]
WHY DOES IT HAPPEN?
A natural tendency
• to need recognition (as an expert)
• toward self-effacement
• to correct, advise, challenge others
• to prove others wrong
• to discuss things that are not their concern
• to gossip
• not to be able to keep secrets
• to underestimate the value of information
• toward indiscretion when not in control of one’s emotions
• to show off (professionally)
• to complain
Nolan 2000
TYPICAL ELICITATION TOOLS
1. Provocative statements evoking:
– quid pro quo
– naïveté
– disbelief
– criticism
2. Quid pro quo
3. Simple flattery
4. Exploiting the instinct to complain
5. Word repetition vs. “emphatic loading”
6. Quotation of reported facts(?)
7. Naïveté
8. Oblique reference
9. Criticism
10. Bracketing
11. Feigned or real disbelief
12. Purposely erroneous statement
Nolan 2000
DEFENSE FRAMEWORK
[Slide graphic: Protect, Detect/Respond, Survive; layers of Physical, Personnel, Procedures and Design Features around a Critical Project; Attacks; Situational Awareness]
Nolan 2000
DEFENSE FRAMEWORK
People - Process - Technology - Organization
Effective Policies
• Enforcement of effective policies
• Staff knowledge and skill development
Secure Systems
• Technology implementation for end-to-end security
Effective support structure
Managed Processes
• Security is not about products - it is the effective management of processes between Policy, Technology and Support Structure
Nolan 2000
THERE ARE MANY WAYS TO “BUG” A ROOM
Find professionals!
Nolan 2000
COUNTERINTELLIGENCE
Measures to prevent a competitor from gaining data or knowledge that could give them competitive advantage over your company.
• What assets, resources & information should be protected? (e.g., new technologies, new products/services)
• How can you safeguard what might be penetrated?
Nolan 2000
PROTECTION - DON’T OVERDO IT
▪ What is the cost vs. benefit?
▪ Are you creating another vulnerability?
▪ How long is the countermeasure needed?
Nolan 2000
PROTECTION – COST vs. BENEFITS
[Graph: Cost of Security and Cost of Losses plotted against Threat Level and Risk Investment; Acceptable Risk Region; Total Systematic Risk and Non-Systematic Threats; threat sources from USER and HACKER through COMPETITION to FOREIGN THREATS; countermeasure layers: Sound Security Policy; Implementation, Enforcement, Auditing; Security Engineering and Intelligence Function; Mitigation for specific threats]
Nolan 2000
OPERATIONS VULNERABILITIES
Procedures in Practice
• Sales & Marketing
• Public Relations
• Help Wanted Ads
• Internet Usage
• Credit Cards and other travel records
• Telephone records and conversations
• Casual conversations
• Supplier records
• Personal aggrandizement
• Taking work home
• Poor incident-reporting procedures
• Human weaknesses
Nolan 2000
OPERATIONS COUNTERMEASURES
1. Awareness Training
2. Classifying Information
3. Security Alert System
4. Reward Programs
5. Callbacks before Disclosing Sensitive Info
– Verifying the Need for Information Access
– Verifying Identities and Purposes
6. Removing Personal Identifiers from Access Badges
7. Nondisclosure/Non-compete Agreements with Employees and Business Partners
8. Prepublication Reviews for Employees
9. Review of Corporate Releases
10. Strict Guidelines for Marketers and Salespeople
Nolan 2000
It takes only one… Are You The Weakest Link?
Questions? Experiences?
MAJOR FOREIGN AGENCIES
France: Generale de la Securite Exterieure (DGSE). Service 7 seems to have responsibility for this function. Typical activities include: Bugging hotels, airlines, conferences, etc; Black bag operations in French hotels to photograph and download information from laptops; Bribes and prostitutes; Business infiltration; Eavesdropping on telephone and electronic communications. The French are very open about their operations and seem to take a great deal of national pride in this area.
Germany: Bundesnachrichtendienst (BND). Division II seems to have prime responsibility for technical information. Typical activities include: Telephone monitoring; Establishing “agents of influence”; Business infiltration; Active hacking function; Seduction, Blackmail, Bribery.
Russia: External Intelligence Service of Russia (EISAR), formerly the First Directorate of the KGB. Section T specifically targets foreign Technology. Typical operations include: A well-established network of moles and operatives; Indications are that every major US company has at least one mole; Primary targets are approached indirectly through suppliers, etc; Bugging, monitoring truck/railroad lines; Spy satellites, sensors on Aeroflot airplanes, etc; Joint ventures.
Israel: Scientific Affairs Liaison Bureau (LAKAM). Typical operations include: Business Infiltration; Ethnic Targeting; Believed to have moles in major technology industries; Bugging hotel rooms, monitoring telephone lines, etc; Extensive support for hacker activity. Israel, man for man, is reputed to have the best intelligence capability in the world.
China: Guojia Anguan Bu, or Ministry of State Security (MSS). Qing Bao offices are scattered throughout China with responsibility for assuring that economic intelligence flows to the factories. Typical operations include: Ethnic targeting; Business fronts in third countries to purchase sensitive business technology; Open sources (China has the largest foreign presence in the US); Import and Export companies; University students; University graduates become moles in high technology companies; Bait and switch, make a scene, etc; Wiretaps, satellites, spy ships, etc.
WHO ARE WE?
Penetration Testing and Counter Espionage Consulting
• Particular expertise in counter-HUMINT
• Provides training, consulting, mentoring, testing and regular assessments
• 100% focused on information protection, counter intelligence, counter espionage
• No conflict of interest
We also cover: Penetration testing, Cyber security, Physical security, Technical security
Thank you for your attention!
Any Questions?