Dripping Data: Understanding and Reducing Insider Threat (Part V)

I've done a lot of work in the past few weeks trying to get you to truly understand the person we've dubbed "The Insider". We've discussed who they are, and why they do what they do. Today I'm going to be looking at exactly what it is these insiders are trying to take. What are the targets?

Intellectual Pursuits

Intellectual Property. Trade Secrets. It's all the same. Property that your company has invested a large amount of money in developing and producing. One of the key points that I try to drive home at every security presentation I deliver is the importance of doing asset valuation and data classification. It's right about now that you should be asking yourself, "What do I have within my org that someone would want?" That's a really good question... how do we determine that? The beauty of this is that, for once, you are not alone. It's not just up to the security guys to determine what is or is not valuable to the organization. It's a collaborative effort between you and the business owners to determine the key data. It's anything that gives your business competitive advantage. Some are fairly obvious. If you're Coca-Cola or Kentucky Fried Chicken, then it's the secret formulas (Mmmm... extra crispy and an ice cold Coke. Yummy). But what about the other stuff?

Here are some items that your competition will be targeting, along with a brief explanation:

  • Access Card Control Information - We're talking about access to the physical premises here. If I can figure out or bypass your physical security, I get a greater level of access. If I get greater access, then it makes the juicy secrets even easier to get.
  • Project Information - Beating your competition to market. Yep, that's important. Just like in poker, we want to keep our cards close, and not reveal our hand until the last moment. You may also want to think about how much that project overrun is going to cost you. Are you just a nice person who'd like to simply assist your competition by showing them how to avoid the hurdles it cost you lots of money to figure out? Of course not. This is why we protect data that relates to projects.
  • Pricing Info / Sales Forecasts - If I know how much your new Widget 2008 is going to cost, or how many you are estimating to sell... I can use this information to undercut your prices and to hit markets you're not in (or strengthen those you are). Thank goodness (for the attacker) that this info usually just sits on someone's laptop in a "secure" Excel spreadsheet entitled "Widget 2008 Pricing and Sales Forecasts.xls". Lock it down!!
  • Financial Information - The power of the dollar. Want to see chaos? Watch the stock markets after your company announces their Yearly Earnings. Your stock is either going to climb or sink. Never fails. Now imagine what would happen to the stock if info leaked out early? Think Jim Cramer from Mad Money is going to say, "Well...your company didn't plan on announcing this early....so we'll add them to our Buy list out of sympathy." I'm guessing no. Info is power on The Street and that equates to dollars. A leak is a very bad thing.
  • Computer Source Code - As you can probably guess, this is a HUGE one for software development companies, like Microsoft. If we lose it...it's "Game Over". We spend a significant amount of budget towards protecting this data and take access to it very seriously.
  • Research and Test material - See the item related to Project Information above. If I can get the results of your tests, then I save money by not having to do them myself.
  • Prototypes - So the Widget 2008 Model X, Model Y, and Model Z all failed horribly. Good to know.
  • Blueprints, Diagrams, and Design specifications - If I can get the "how" then I can probably figure out your "why". Why do the design specs for your new automobile have a location and technical data for what looks like Bluetooth? I bet your next automobile has it built in! Think simpler....like marketing or advertising logos. Maybe I could roll out a similar design faster, to add confusion to your product.
  • Customer business info - Your customers are your lifeblood. If that info gets public, they're going to be furious. They expect confidentiality when they sign with you. "But Kai, we never agreed to that." Doesn't matter...perception is reality. Losing contact info, amounts, products purchased, etc. from your company actually jeopardizes their business. No surprise they get angry.
  • Engineering plans and drawings - See Design Specs
  • Formulas - What source code is to Microsoft, formulas are to pharmaceutical and chemical companies. They represent millions (and often, billions) of dollars in research, development, and "sweat equity". Let's not just talk about outright theft of the data... let's also discuss the integrity of the data. What if someone were able to alter your company's formula for their #1 pharmaceutical, and remove a key ingredient? Bad things, and the negative PR fallout would be immense.
  • Confidential documents - First, how do we know what's confidential? What sort of data classification program do you have where you are? What makes a document rank as confidential or even higher? For this discussion, it doesn't matter....someone, somewhere thought it was important enough to be classified. If you're not going to adequately protect it, then why'd you bother classifying it?
  • Software - This is not source code, but rather things like your Volume License Keys. (Yes, we do track them.)
  • Technical records - These are things that pertain to the infrastructure of your business.
  • Executive email and voicemail - A new one, that's gaining some value with the whole move to VoIP. Same deal as the financial statements. If I can get these items out to the press, I can make life very difficult for your PR Dept.

Bonus Material

If the above items weren't enough, then there are even a few bonus targets that the insiders may try to acquire. Here's a brief list:

  • Street address of your facilities
  • System configuration info
  • Router and firewall info
  • Access to mission critical areas

I think we understand the data that's being targeted inside your organization. This is not an exhaustive list! You need to use this as a starting point, and take it from there!! Remember to do the proper risk assessment, and assign appropriate valuation to assets. These examples should be a good starting point.

Next time, we're going to get into discussing the way the bad guys are getting the info when they don't have access, and we'll end with a discussion of various tradecraft they use to exfiltrate the data from your company. Gear up, we're about to learn the how of spycraft.

NEXT TIME: Insider Threat continues with: "Getting Your Data Through Social Engineering"