Anatomy of an Industrial Espionage Attack
By Ira S. Winkler
President, Information Security Advisors Group
The CEO sat quietly as I showed him the complete manufacturing instructions for his top product in development. He remained expressionless when I placed his company's master development schedule on his desk. He sat back in his chair as I pulled out several documents describing his bargaining position in a multimillion-dollar lawsuit.
The CEO finally spoke. "I guess we should be happy you're not working for a competitor," he said. I had stolen all this and more posing as a temporary worker.
A company with third-rate security? Hardly. The organization maintains an excellent perimeter security program, including strong access controls and physical-security mechanisms. The security manager suspected, however, that it may be vulnerable to a well-coordinated attack via insiders. He called upon me to test just how much a dedicated information thief could get. I was there for three days. I got everything they had.
The Assignment
At a recent conference I met Henry, the security manager of Zed Technologies, a large high-tech firm with annual sales in excess of $ billion. Henry knew of my previous penetration testing and asked if we could meet later to discuss the possibility of testing his own company's security.
Note: Company and individual names have been changed. In addition, some identifying details about the company and its systems have been changed.
Henry was extremely concerned about the open environment at Zed, an openness typical of research and development firms. Like many large companies, Zed Technologies employs a large number of contract and temporary employees on-site. These people have access to various amounts of information and are not thoroughly screened. Henry worried about the potential damage that they could cause. To find out, he asked me to perform a penetration test in which I would be placed inside the company as a temporary employee but would in fact steal as much information as I could.
I was given permission to do whatever was required without harming the company or individuals. A member of the company's information-security staff would remain within a reasonable range whenever I was performing any illicit tasks, to provide incident containment in case of a compromise of the effort. Funding also allowed for the use of off-site accomplices.
To simulate real-world circumstances, I wanted to perform a full-scale industrial espionage attack against the company, using both technical and nontechnical methods. Specifically, I chose five categories of attack: open-source research, misrepresentation, abuse of access, insider hacking and internal coordination of external accomplices.
Getting to Know You
Prior to my contact with Henry, I knew nothing of Zed Technologies. I had to first become familiar with the company in order to steal any useful information. Internet library resources provided an incredible amount of information. From news databases, I identified the company's top development effort, worth billions of dollars in company effort and potential sales. I also learned the name of the lead researcher working on the project, and I ran across several stories about the company's current products as well as the people involved in their development. Other open-source information identified the names of company executives, the company's financial status and a wide range of general information about the company and its corporate philosophy.
Searches of Internet newsgroups for the company name identified dozens of company employees. Employee postings to computer-related newsgroups told me about the company's hardware and software environment. Postings to nontechnical newsgroups helped me learn the personal interests of the employees posting the messages. Other Internet resources revealed additional employees and their interests. I executed a host command against