Sony's highly visible data breach has once again pushed cyber crime into the national spotlight, sparking heated discussion about how companies disclose breaches and what the public and private sectors have communicated about these costly leaks. The 2014 breach exposed Sony films, corporate email and employee salaries, making it one of the most public breaches in recent memory.
But many times breaches are not so obvious. A breach can damage a company for months or even years before management makes the unfortunate discovery. In 2013 there were 1.5 million monitored cyber attacks in the United States, and according to research, organizations faced nearly 17,000 attacks a year, many of which led to quantifiable data breaches.
For modern companies, the most effective way to avoid being vulnerable to cyber crime and corporate espionage is to develop appropriate safeguards and to prepare response plans for the event of a breach.
Don Ulsch, a managing director at PwC who focuses on cyber crime and breach response, said the average time from intrusion to discovery is about 300 days. That can translate into a great deal of lost intellectual property, trade secrets and other proprietary competitive information.
"Some breaches may go undiscovered for years," Ulsch said. "The cost of a breach is directly related to the time span between the breach and its detection, and undiscovered breaches are sure to have a devastating competitive impact."
Ulsch said that the board and management should also assume that their company has been breached until it turns out that it has not.
"The first step is to be aware of the potential risk that cyber security threats pose to the value of the business and to shareholders," he said. "We've seen smart board members start asking the right questions about their businesses' cyber security preparedness, asking about policies and procedures for cyber risk."
William Gragido, director of threat intelligence at Bit9 + Carbon Black, said it is also important to understand why a breached organization was targeted in the first place, and to recognize the difference between two categories of target.
"In reality, every organization should consider itself a target. However, some are simply targets of opportunity rather than targets of intent," he said. "Organizations that are compromised and/or breached need to understand their role as a target in the threat ecosystem, and what that means for their business partners, customers, providers/suppliers, peers and competitors."
Once a company has suffered a breach, it should have a pre-identified outline of the steps to follow, according to Cameron Kerry, senior counsel at Sidley Austin LLP and former general counsel and acting secretary of the US Department of Commerce.
"[Companies] need to have a set of understandings about what gets escalated in the organization, and to be familiar with what you have to know and the basic framework for the phases," Kerry said.
Ulsch said that when a company makes a response plan, a series of issues must be considered. It is also important that the company not treat information technology (IT) as the golden-ticket solution to a network intrusion. According to Ulsch, a common misconception is that because a breach happens in IT, the solution must also be IT.
"Cyber security is not just a technical problem, it is a business problem. There are legal, regulatory, financial, reputational and brand risks," he said. "Those are the domains of the board of directors and senior management. IT is a tool of attack and a tool of network defense. But it's just a tool."
Ulsch said that management and the board need to weigh cyber risk alongside other factors, such as the cost of oil, the impact of natural disasters and the cost of capital.
Industry and the public sector have addressed cyber crime and corporate disclosure in a number of ways.
In 2011, the SEC's Division of Corporation Finance issued guidance outlining cyber security disclosure obligations, requiring registrants to disclose their vulnerabilities and cyber incidents, and what form of insurance is included in their cyber security plan. Under the guidance, SEC registrants need to do more to inform investors and potential investors about the registrant's cyber risk, its potential impact and what measures are being taken to mitigate it, according to Ulsch.
"[The guidance] involves not only the disclosure of personal information, but also any cyber attack that may affect the holdings of investors or shareholders in the company," he said. "Many SEC registrants have only just begun to consider how they should address cyber risk when analyzing overall corporate risk in public filings such as the company's 10-K or 8-K, if a breach triggers an 8-K disclosure."
In February 2013, President Obama signed Executive Order 13636, "Improving Critical Infrastructure Cybersecurity", which authorized the development of a national cybersecurity framework and a program to encourage voluntary adoption of it. The order directs the National Institute of Standards and Technology (NIST) to work with the private sector to incorporate existing industry best practices into the cybersecurity framework.
In January 2015, the White House proposed a federal data breach notification law under the heading "Protecting American Consumers and Families". According to the press release, the proposal is intended to "clarify and strengthen" companies' obligations to notify customers when their personal information is exposed. A month later, in February 2015, an executive order promoting private- and public-sector cybersecurity information sharing was signed to complement the January proposal.
Kerry said a key point of the January 2015 proposal is that it would require companies to give notice of a data breach within 30 days. The proposal consists of a single set of requirements applicable across the United States, with disclosure depending on the nature of the breach. Overall, Kerry said he believes the proposal is a useful and "significant step".
"The idea is to simplify data breach response by applying one standard to everyone, regardless of what the state law is, or what the state law authorizes," Kerry said.
Ulsch said that when a breach is disclosed, investors may ask the registrant (a company that has formally reported a breach) about the nature and duration of the attack, the cost and consequences of the breach, the risks associated with outsourcing, and which aspects of the business or its operations could give rise to material cyber security risk.
"For a long time, registrants have been asked to address other types of risk that may affect the company and its performance," Ulsch said.
One of the more challenging debates surrounding disclosure of corporate breaches concerns the relationship between government and industry, and how closely the two should be intertwined in breach disclosure. Kerry insisted that a clear partnership between the two sides is needed to fully address cyber attacks, saying the partnership is critical to the idea of developing a business framework.
"The core part [of the January 2015 proposal] is to create more robust information sharing. The president's executive order has done a lot," he said, referring to the February 2015 executive order. "But Congress needs to really make it possible for information sharing to carry some liability protection, to make it easier for companies to share information with the government, and to set up privacy protections to reassure people that they will be protected."
Ulsch said that in terms of protecting personal information, some states have stronger regulations than some federal requirements, adding that neither industry nor government will address cyber threats on its own.
"The abacus is not coming back. In today's digital age, in an interconnected business environment, we use technology to develop and manage almost every aspect of what we do ... Technology is vulnerable to attack, and almost nothing will change that fact. The key, therefore, is to be more successful at managing the vulnerabilities that are easily exploited and that lead to risk," he said. "Government and industry must be partners in combating and defending against cyber threats. Not just in America. This is a global problem. Although there is no silver bullet that eliminates the threat, we can do more."
Another aspect of cyber crime
In 2007, Hanjuan Jin was stopped for a random security search at O'Hare International Airport before boarding a flight to China. Jin, a Chinese-American software engineer who had worked at Motorola for nine years, was found carrying $31,000 and hundreds of confidential Motorola documents stored on various devices, according to prosecutors. Although it was certainly not the first corporate espionage case in the U.S., it soon became one of the most notorious.
As crimes go, corporate espionage and economic espionage are comparable, with the ultimate goal of secretly stealing tangible property and intellectual property. However, there is more research and knowledge about economic espionage, which is sponsored by governments with the aim of undermining national security. In contrast, corporate espionage is less well understood as a crime because companies are not willing to disclose it voluntarily to shareholders. This is a unique challenge for professionals whose livelihood depends on their ability to anticipate and protect against corporate espionage.
John Pirc, chief strategy officer at Bricata, said corporate espionage has always existed, but that it has recently come to the forefront of the conversation because, thanks to modern innovation, it has begun to take different forms.
"As technology has developed, the medium for conducting corporate espionage has changed as well," Pirc said. "I think it's much easier [to engage in corporate espionage] thanks to technology and mobility."
Gragido, co-author of the 2011 book "Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats", said the idea of corporate espionage was not new even four years ago. What is new is that the increased visibility provided by investigative methods and tools makes these compromises better known.
"Fast forward to today: we live in a world that is more connected than before, and we are better equipped through information and intelligence sharing in the public and private sectors, so a given compromise gets more visibility and notoriety," Gragido said.
He added that this does not mean all compromises are communicated to the public, especially in cases of "real nation-state espionage", but that more cases are generally made public, often because of regulatory requirements or a drive to share data with the world.
The image of the "corporate spy" may conjure the romantic picture of a federal agent methodically combing through a criminal's trash, and in some cases that is a valid assumption. But ironically, many people who engage in corporate espionage do so by mistake.
"You've always seen people go to work for other companies, and they may have roadmaps, intellectual property, etc.," Pirc said. "They'll put that information on [online storage sites] and may not realize they still have it when they leave the company. So that's unintentional espionage."
"But there are still quite a few cases of intent, in which individuals are well aware of their actions," Pirc said. He added that the cases that attract public attention are thefts of intellectual property by federal contractors.
Like Ulsch, Pirc said that most companies that have been breached were breached for several years without being aware of it, which greatly increases the chances of criminals getting away with it.
"If you look at that situation, if someone uses the same type of strategy for corporate espionage, the chances of them being caught are very small," he said.
The effort and resources invested in researching, designing and manufacturing a car or a space shuttle cost companies and countries billions of dollars and increase the motivation for simple theft, Pirc said. In these cases, according to Pirc, competitive advantage is the motive, as with the theft of car designs, or even a Chinese version of the space shuttle that looks "strikingly similar to what we have".
The most insidious factor in corporate espionage is that these criminals strike from within the heart of the company, after having been vetted and found credible. That raises a question: how can companies successfully vet these people, especially in a rapidly globalizing world? These problems often surface when companies outsource work, Pirc said.
"Most of the companies I've worked with outsource code development for their products. You've vetted the offshore company, but you don't know who they're hiring," he said. "If you outsource to Bangalore, Hyderabad or somewhere in India, you don't know who they hire in the background, who has access to the source code and everything else."
Pirc, who previously worked at the CIA, said the depth of screening applied to individuals for government work should also apply to companies, to help reduce the opportunities for corporate espionage.
"If you pull someone into a key project, I think the background check should be the same as all the other vetting of people entering the federal government ... You have to understand. You need to know who you are hiring and what their background is," he said. "You want to believe that people are trustworthy, but you don't end up knowing until they make a mistake and your intellectual property is out the door."
Gragido said that vetting of individuals by organizations outside the intelligence and defense sectors is evolving only slowly, because, beyond background checks, ordinary companies have few resources to investigate people to the extent that government agencies can.
"Vetting humans is a difficult task. Over time, even the best and brightest organizations have in some cases been fooled by their own people," Gragido said.
One of the most common ways these criminals are caught is when they start downloading or printing large amounts of data and documents while someone is monitoring their access to the data, Pirc said. If someone who usually works from 8 a.m. to 5 p.m. suddenly starts downloading content late at night, that change in pattern is an immediate red flag.
"You can handle this in a different way, and I think a lot of it has to do with access. Who can access this data?" he said.
"I think there's a lot more going on with corporate espionage than people are willing to admit, or because they don't understand [it's occurring]. People will do something stupid. They will be caught by something on a disk or hard drive, or they will try to take data out under proper controls."
He said there are security measures in companies that address this, such as data loss prevention solutions that can protect information when it is moved outside the designated infrastructure. In addition to these measures, there is passive monitoring technology that can stop criminals from using thumb drives or restrict them from sending content out. Special tools can watermark a document so that, if an employee tries to steal the content, the watermark either prevents the document from being sent or marks it as intellectual property.
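The access-pattern red flag Pirc describes, a user who normally works business hours suddenly pulling data late at night, is the kind of check a monitoring team can automate. The following is an added example, not code from the article or from any of the companies quoted in it: it replays constructed file-access log lines in time order and judges each user's downloads and prints only against that user's own earlier history, alerting on activity outside their usual hours or far above their usual transfer volume. The log format, the action names, the user names and the thresholds are all assumptions made for this illustration.

```python
"""Insider-threat detection over file-access logs (added example, not from the article).

Each user is judged only against their own prior history: an access well outside the
hours they have previously been seen working, or a transfer far larger than their usual
volume, raises an alert. Log format, field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_HISTORY = 3         # prior sensitive events needed before a user has a usable baseline
HOUR_TOLERANCE = 1      # hours beyond the user's observed [earliest, latest] window are off-hours
ZSCORE_THRESHOLD = 3.0  # transfers more than 3 sigma above the user's mean are bulk volume
SENSITIVE_ACTIONS = {"DOWNLOAD", "PRINT"}  # actions that move data out of the designated system

# Constructed sample log: "<ISO timestamp> <user> <action> <bytes>" (hypothetical format).
# alice works daytime and then pulls 4.5 GB at 23:10; carol has too little history to judge.
SAMPLE_LOG = """\
2015-03-02T09:14:00 alice DOWNLOAD 120000
2015-03-02T09:00:00 bob DOWNLOAD 50000
2015-03-02T13:30:00 alice DOWNLOAD 95000
2015-03-02T17:05:00 alice PRINT 40000
2015-03-03T10:41:00 alice DOWNLOAD 110000
2015-03-03T13:00:00 bob DOWNLOAD 60000
2015-03-03T16:20:00 alice READ 130000
2015-03-04T02:00:00 carol DOWNLOAD 900000
2015-03-04T08:55:00 alice DOWNLOAD 100000
2015-03-04T10:30:00 bob DOWNLOAD 55000
2015-03-05T11:00:00 bob DOWNLOAD 58000
2015-03-05T23:10:00 alice DOWNLOAD 4500000000
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, action, bytes) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(nbytes)))
    return sorted(events, key=lambda e: e[0])


def detect_anomalies(events):
    """Return alerts for sensitive events that deviate from the acting user's own history.

    History is built as events are replayed in time order, so each event is compared only
    with what that user did before it. A user with fewer than MIN_HISTORY prior events has
    no baseline yet and is not judged, which is a known blind spot for new accounts.
    """
    history = defaultdict(list)  # user -> [(hour_of_day, bytes), ...] seen so far
    alerts = []
    for ts, user, action, nbytes in events:
        if action not in SENSITIVE_ACTIONS:
            continue  # reads inside the system do not move data out
        prior = history[user]
        reasons = []
        if len(prior) >= MIN_HISTORY:
            hours = [h for h, _ in prior]
            sizes = [b for _, b in prior]
            if not (min(hours) - HOUR_TOLERANCE <= ts.hour <= max(hours) + HOUR_TOLERANCE):
                reasons.append("off-hours")
            mu = mean(sizes)
            # Floor the spread at 10% of the mean so a very regular user does not alert on noise.
            sigma = max(pstdev(sizes), 0.1 * mu)
            if (nbytes - mu) / sigma > ZSCORE_THRESHOLD:
                reasons.append("bulk-volume")
        if reasons:
            alerts.append({"user": user, "time": ts.isoformat(), "bytes": nbytes, "reasons": reasons})
        prior.append((ts.hour, nbytes))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, only alice's 23:10 transfer is flagged, for both reasons at once; bob's daytime downloads stay within his own window and volume, and carol's 02:00 download is silently skipped because there is nothing to compare it with. In practice the per-user baseline would come from weeks of history rather than a handful of events, and the volume check would usually be applied to a daily aggregate as well as to single transfers, since a determined insider can split a large export into many small ones.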
Coming back from a breach
Once a company that is unprepared for a breach learns that it has been attacked, whether through cyber crime or corporate espionage, Ulsch urges a prompt response and the engagement of external resources as steps that must be taken.
"Most breaches have potential regulatory and litigation components. Managing regulatory and litigation defense requires legal and forensic analysis from experts," he said. "In the absence of a formal, well-tested plan with on-call legal and forensics experts, hire the best people you can."
Gragido agreed.
"Forensics and incident response play a huge role in how companies deal with breaches, whether or not espionage is involved," he said. "Why? Because they allow the responder to paint a picture of the threat actor's activity within the enterprise, down to the host level. If the organization had the tools to give it visibility into its hosts and networks, the work of gaining that critical advantage would not be so daunting."
Ulsch said it is important to note the difference in responsibilities between the security team and the forensics team, both of which are valuable and are brought in by the company's board of directors or legal office to help calm the crisis.
"Think of it this way. Your house has locked doors and windows, and maybe a security system. The locks are selected by the security provider. The security department monitors the environment every night by checking the doors and windows," he said. "That's what security does. But if someone breaks into the house and commits a serious crime, the forensics team shows up and goes to work. There are special skills, special tools and experience that differentiate these two groups. Both are important and have a role, but they are different roles."
Gragido said his advice to those who have been hit is to "breathe first."
"Take the time to think about what has happened, and take stock of what happened and led to the compromise," Gragido said, agreeing with Ulsch and Pirc that the breach may have been going on unnoticed for many years, a disturbing discovery. "In fact, these organizations should engage in incident response, led by internal or external resources, in order to better understand the nature, depth and breadth of the compromise."
Gragido said he would also recommend that a breached organization thoroughly review the processes and procedures it had previously approved, since they will be reviewed by default in the investigation.
"It is important for an organization to understand whether the root cause of the breach or compromise was a targeted phishing attack or the exploitation of a vulnerability on an internet-facing server," he said. "Knowing their processes and procedures, and being able to talk about them with confidence and fluency, will help the responders identify the attacker's kill chain."
According to Ulsch, a breached company should first focus on solving the problem at hand and only then consider how to prevent further crimes; he compares this to the steps taken in a medical situation.
"If you have a medical emergency that needs immediate attention, it doesn't make much sense to focus on long-term treatment plans like going on a diet and eating healthier food," he said. "You need to deal with the crisis at hand. Then consider plans such as exercise and weight loss."
Preventing further attacks is the second step in resolving a breach, but it is also the most effective way to avoid attacks altogether.
Gragido said the first step in preparing for a potential breach is to have the right internal resources, starting with a strong chief information security officer.
"I would say the first order of business is to establish a strong CISO who understands the dynamics of the threat environment and can use that understanding to guide the formulation of policy and plans, just like incident response, in order to reduce risk and reduce the attack surface," he said.
According to Gragido, organizations may also want to invest in round-the-clock monitoring of their environment, through internal means or services provided by third parties, and to invest heavily in red team exercises to test their risk profile for exploitable bugs.
"Doing so will provide a keen understanding of the organization's attack surface, while giving the organization the most important information about the issues that need to be addressed to mitigate risk," he said.
Organizations should also consider investing in technology for two functions: providing protection and mitigation capabilities, and providing visibility and response capability, Gragido said.
"Most organizations already have some form of mitigation technology today, such as firewalls or IDS/IPS [intrusion detection and prevention systems]," he said. "However, many, if not most, do not have technology that gives them unparalleled visibility at the network and host levels. That visibility is critical, and over time it will prove to be a lifesaver in a breach or compromise."
While mitigation technology can provide some peace of mind, it cannot guarantee that a company is completely immune to every deceptive form of cyber crime. As a result, Kerry said, when a company is attacked it needs to know its key data assets. The next step is to understand the threat landscape, which helps the company prioritize those assets.
Kerry quoted McGeorge Bundy: "If you guard your toothbrushes and diamonds with equal zeal, you will save more toothbrushes, but you will lose more diamonds."