The threat of cyber espionage used to primarily be the domain of defense officials and writers of pulp fiction. No more.
Today, the most likely victim of a state-sponsored cyber espionage effort is a corporate network:
- Just ask Yahoo, which saw its valuation chopped to $350 million after having 500 million email accounts compromised by hackers employed by the FSB.
- Or talk to Ukrainian power utilities that were forced offline by a remote attack widely attributed to Russian agents and caused more than 230,000 residents to lose power.
- And let’s not forget about the Sony Pictures hack of 2014 that was attributed to North Korea by the FBI.
- Want another example? What about the idea that Russian intelligence agents may have been hoovering up your employees’ entire iPhone backups… complete with any corporate data and, likely as not, access to your networks.
What’s behind this sudden influx of spies hacking into civilian networks and devices? Who’s next? More importantly, how do you protect your organization’s data?
Cyber Espionage is an Issue for Every Company
Why does every CISO have to be concerned about cyber espionage— even if his or her organization is well removed from classified or other obviously strategic information?
The answer lies in the interconnectedness of both the Internet and global commerce.
We all know that there’s no sense in storming a well-fortified front gate, if there’s a barely latched backdoor available. Those backdoors are frequently subcontractors, service providers, vendors, partners, customers, industrial control systems, and even apparently innocuous but Internet-enabled devices.
The interconnectedness of global commerce means that there are more backdoors to check than ever before. Just think about the much-ballyhooed Internet of Things… which sometimes feels as if it might be better described as “The Internet of Barely Latched Backdoors.”.
Ok, Who Left the Backdoor Unlatched?
These backdoors give hackers a quick on-ramp to your network from where they can often quickly do further damage with upgraded privileges.
Access is chained from one network and one privileged account to the next. That’s why password sharing is such a huge liability.
For example, most people don't care if their password for the local delivery service might get hacked, but that becomes problematic when that password combination can then be used to unlock (directly or indirectly by guessing patterns) one person’s personal Gmail account… which happens to be the backup account to his or her corporate email… which in turn provides the keys to an admin account on your corporate database… which, well, that’s the data in your database gone… and that data in turn probably leads to whatever private information your company has left. All because someone used a vulnerable password for his pizza delivery.
You’re vulnerable to cyber espionage whether you’re delivering pizza or protecting the design for next-gen nuclear submarines and have employees who eat pizza.
This interconnectedness is in turn much easier to exploit than in the past, thanks to increasingly user-friendly hacking tools and widely available malware-as-a-service offerings. Cyber espionage is increasingly subcontracted.
The hardest question hackers have to answer is should they get the “pro” or “enterprise” malware-as-a-service package?
With so many cyber weapons lying around, it’s not a surprise that people are getting hurt.
Of course, we shouldn’t let the intelligence arms of western governments, especially those of the United States, off the hook here. While few cyber experts are shocked to hear that the United States has been stockpiling zero-day exploits and other cyber weapons… more than a few expressed consternation that they were apparently careless enough to allow these weapons to escape from their supposedly secure weapons locker in Langley, VA. Nearly than 9,000 exploits, how-to’s, and other classified files were apparently passed around various cybersecurity and hacker communities until finally being revealed by WikiLeaks. They are now effectively in the wild.
Having so many of the CIA’s own tools available to hackers (both state- sponsored and not) just adds fuel to the cyber espionage fire.
How Corporate Security Can Prevent Cyber Espionage
Every CISO’s top concern, right now, should be that his or her organization will be subjected to numerous cyber attacks… including ones by state-supported actors. This ups the defensive ante, but luckily most companies are not targets in and of themselves of state-sponsored actors. They are more likely conduits to a bigger target. So, rather than ensuring that they are able to withstand a direct assault by a full-fledged governmental cyber attack, most companies can get away with ensuring that they are not the proverbial “barely latched backdoor.”
PAM: Your #1 Defense against Cyber Espionage
So, where do you start? Well, this is the WALLIX blog, so you shouldn't be surprised that we’re going to recommend a solid Privileged Access Management (PAM) solution as a good defense. Self-promotion aside, a fully implemented PAM solution would prevent the vast majority of attacks, state-sponsored or not, that we discussed in this article:
- An access manager, combined with an embedded password vault, provides a huge barrier to any espionage attempts in that it assigns a very secure password to every device or application that is approved for every user. Furthermore, password sharing and leapfrogging are prevented because end users never even know the actual password that is used on any given application or device. Admins can easily rotate actual device passwords at whatever frequency they choose—all of which is completely transparent to the end users.
- A session manager adds significant enhancement to this base level of security by providing both an unimpeachable audit trail of every privileged action on your network as well as granular control of what actions are allowed by any given user. Forbidden actions can be blocked and/or trigger session termination and/or have an alert sent to the security admin.
If China, Russia, or the United States really look after your corporate network… they're going to get in. But if you don't make it easy for them… and you’re not in their direct line of fire, they will likely pick on someone else.
The next step to preventing cyber espionage?