Cyber spying is the act of engaging in an attack or series of attacks that let an unauthorized user or users view classified material. These attacks are often subtle, amounting to nothing more than an unnoticed bit of code or process running in the background of a mainframe or personal workstation, and the target is usually a corporate or government entity.
The goal is typically to acquire intellectual property or government secrets. Attacks can be motivated by greed or profit, and can be used in conjunction with a military operation or as an act of terrorism. Consequences can range from loss of competitive advantage to loss of materials, data, infrastructure, or loss of life.
For years, corporations have attempted to seek advantages by prying into the business plans of their competitors. One tactic is to send in “faux” employees who attempt to gain access to data or projects where new technology is being developed. Technology provided an evolutionary path for this activity, and resulted in the birth of cyber spying.
The faux employee is still a useful tactic, but now an unsecured workstation is far more attractive. An individual can use a USB stick to upload a worm or virus in a matter of seconds. The goal might be to identify and open a security portal or find an exploit that can be targeted at a later date.
Business websites can offer the same type of openings, and experienced hackers can use a vulnerable website to execute an attack. Emails that appear to be official may be sent to specific individuals with higher network privileges who could be lured into clicking a link that downloads code to enable later attacks. This type of attack is called spear phishing.
Modern browser software comprises thousands of lines of code. New lines of code add new features as the software evolves. Sometimes new code, by chance or through an oversight, breaks little-known features or works at odds with security patches that had previously been effective. When a new feature or a new piece of software hits the market, it’s analyzed, dissected, and reverse-engineered by countless individuals and interested parties around the world.
In December of 2009, Google began to notice persistent cyber-attacks aimed at acquiring information specific to Gmail accounts. The accounts were held by Chinese human rights activists, and Google wasn't the only target. To the search engine giant's credit, they quickly informed at least 20 other companies that they too were being targeted through a vulnerability in Microsoft Internet Explorer. Preventive measures were taken, and McAfee Labs identified the problem in early 2010 and code-named it ‘Aurora’.
The Aurora attackers used targeted emails with malware sent to individuals who were judged as good targets because they were likely to have a high level of access to valuable intellectual property. The reaction to this act of cyber espionage varied around the world. Microsoft sent a security breach report and released a security patch. Some companies and governments also switched browsers to help safeguard against future attacks.
Similar acts of cyber espionage are taking place today, all over the world. Corporations and governments are constant targets of attacks. Detecting and preventing vulnerabilities and strikes is the job of specifically trained and skilled Internet information security professionals. Their methods and techniques are discussed in the second installment of this series, “Protecting Yourself Against Cyber Espionage”.
Cyber espionage attacks can result in damaged reputations and stolen data, including personal and private information. Cyber attacks targeted at the government may cause military operations to fail, and can also result in lives lost due to leaked classified information. What exactly is it that cyber-criminals look for when planning an attack?
Common targets include:
Businesses often consider loss of data as a primary concern, but a damaged reputation can be just as troubling. If an organization allows its infrastructure to be used to enable or foster cyber espionage, it can put itself at risk – not just from the attackers, but from clients and shareholders, as well.
Organizations are responsible for protecting their clients’ data. An attack, even a small one, could have a negative impact on future clientele. Did they (the organization) follow the best security practices? Do they have the necessary records to support their claims? If not, there could be legal consequences. They could even become the target of scarring viral social media campaigns.
Damage to a company’s reputation could take years to repair.
While no approach is guaranteed to eliminate all attacks, it’s usually recommended that companies and other organizations assess current security and procedures, evaluate risks and develop a security policy or policies that help address vulnerabilities. It may also be wise to define daily procedures and establish a response plan for when an attack is detected.
Procedures like backups, software and hardware updates, and other security updates should be followed, recorded, verified and audited for compliance. Procedures can also include a mobile device management policy.
Staff and employees are typically the first line of defense, so educating company personnel is typically recommended. Employees should understand the importance of security protection, like rotating passwords and keeping company confidential information safe. They should also understand how to use company-approved virus and malware protection software. Informing personnel about viruses and malware is important and may help limit further breaches. When employees understand the potential for harm, they may be more likely to follow the company security policy, minimizing acts of non-compliance.
Another important tactic to help enforce information security can be using the latest operating system software. Most companies use Windows or Mac platforms, but may not update to run the latest, most secure versions of the software. The latest versions typically offer the most protection, and a 64-bit operating system can represent a difficult target to exploit.
It’s a good idea to use a comprehensive IT security solution that starts with a deep vulnerability assessment. It should manage software upgrades and patches, employ a whitelist of applications that are allowed to run on company workstations and include software that monitors Internet access. Critical files and folders should use the latest encryption and be accessible only through authorized channels. In addition, it may be a good idea to develop a zero-day action plan and test defenses prior to an attack.
Information security professionals usually work with IT departments to build multi-layered security measures into system management. They should also understand that virtual environments are not immune to virus and malware attacks, and cloud software may not be as secure as marketing efforts would lead people to believe.
Information system security specialists are currently in high demand in the public and private sector. According to the U.S. Bureau of Labor Statistics (BLS), the 2016 average annual salary for this profession was $96,040. In addition, the job rate is projected to increase by 18% through 2024, a rate significantly faster than the national average for all other occupations.
If you are a network security professional or work in the information security field, you may be uniquely qualified. A Certificate in IS Security can be essential when seeking career advancement in this field to help yourself stand out from the competition, and it can be obtained 100% online through Villanova University. Professionals can learn the essentials of IS security, among other topics, providing up-to-date training to help an organization combat future cyber-threats.