Syukurilah setiap benda yang anda miliki! tak terkecuali apapun.

Cybercriminals increasing focus on corporate trade secrets
Tuesday, 05 April 2011 01:37

A subtle shift in online threats targeting the corporate market is taking place, according to McAfee. Cybercriminals have transitioned from stealing personal information to targeting the corporate intellectual capital of organizations, as they perceive there is greater value in selling a corporation's proprietary information and trade secrets, which have little to no protection, and are making intellectual capital their new currency of choice.

"On the consumer side, cybercriminals are going after single users, and there's some financial gain there, but on consumer side, you are talking stealing information for a credit card," said Doug Cooke, director of sales engineering for McAfee Canada. "That's the difference, and what we are trying to do is alert people that there are different types of corporate data that are very interesting to cybercriminals."

Interestingly, its NOT places where PCI compliant data is stored that is most vulnerable, Cooke said.


"Companies do a good job of protecting credit card data," he said. "But they don't do as well in protecting intellectual capital like trade secrets. The result has been attacks, both sophisticated, like Operation Aurora, and unsophisticated, like Night Dragon, targeting this kind of corporate data.

"It's not the high visibility trade secrets, like Coke's formula, that are at risk, but the concern this report shows is for data that isn't as dramatic, but can be very important to the company," Cooke said. "With a mining company, records of their test drilling could be valuable to someone. We often see that with companies, when we ask how important is their data, and the middle managers don't instinctively see the data as being interesting. When it's explained that competitors could use it, the lights go on, but they need to have that reinforced on them. They think well, oil and gas results, that's a lot of data, and someone would have to do through it with a fine tooth comb. But some people will do that."

Cooke said that these types of attacks differ from the old "spray and pray" ones, blasting it out and hoping you get lucky with 1%.

"We think cybercriminals are now researching the companies they want to go after," he said. "We think this has been done with oil and gas companies, who may have already had a buyer for their data. So they devise strategies of spearphishing specific individuals in an organization to get this information."

Cooke said this kind of strategy also has the advantage of being much less likely to get them caught.

"It gets them away from the sophisticated people in the credit card industry industry today who pursue them. It's not just about stealing the money, it's getting away with it."

The report also found that the economic downturn resulted in an increase of organizations reassessing the risks of processing data outside their home country in search of cheaper options, with approximately half of organizations surveyed responding they would do so, an overall increase since 2008. Approximately one third of organizations are looking to increase the amount of sensitive information they store abroad, up from one fifth two years ago.

Cooke didn't say that storing intellectual property abroad is less safe, but companies have to be diligent about checking it all out.

"These days, while there is a lot of discussion of cloud technology, it's blurred because we don't do a great job of defining it. Whereever they store their data, a company still has to do their due diligence, do an audit to make sure it's a secure facility. They think a third party is looking after it, so they don't have to do the same due diligence, and they certainly do."

The report also found that only three in 10 organizations report all data breaches suffered and six in 10 organizations currently "pick and choose" the breaches they report. The report also shows that organizations may seek out countries with more lenient disclosure laws, with eight in 10 organizations that store sensitive information abroad influenced by privacy laws requiring notification of data breaches to customers.

Finally, the report noted that one of the greatest challenges organizations face when managing information security is the proliferation of devices, such as iPads, iPhones and Androids. Securing mobile devices continues to be a pain point for most organizations, with 62 per cent of respondents identifying this as a challenge.

"Some IT organizations are more disciplined, and have a real process for bringing this in," Cooke said. "What we are seeing is that almost every organization is being approached how to being them in. A lot of organizations have been running XP systems, and with Windows 7 coming in, they ask what the endpoint is. It could also be VDI, could be many more tablets. It's not as simple as XP. There are lots of decisions involved in terms of evolving the endpoint. Execs walk in with an iPad and want to use it, and IT can't put them off like with other folks."

The irony is that for the solution provider, all this tends to be good news, Cooke said.

"For the VAR looking after their customers, they can give them expertise," he said. "They understand the kind of pressures they have, can survey the marketplaces, and can educate them."  greathosting.


Share this post